5 Tips for Managing Third Party Security Risk

Published
28 Jul 2023
Read time
6 min read
It’s rare for an organisation not to use at least one third party – whether it’s Microsoft, Salesforce or your lawyers. Sharing information with any third party increases the risk that something goes wrong, either through their mishandling of your information or because that third party is itself the victim of a cyber-attack.

Pointing the finger at a third party when a customer asks why the personal information they trusted you with is now published online won’t address their concerns or rebuild their trust.  

Of course, we all try to vet vendors first, usually by having them complete a vendor security and privacy questionnaire and by setting out their responsibilities in the contract.

But, given the significant reputational and legal risk of sharing data with third parties, it’s essential to consider every way of reducing both the likelihood and the fallout of a third party mishandling the data your organisation shared.

5 Tips for Managing Third Party Security Risk

Here are five ways to manage your vendors:

Know who your vendors are, and how to contact them 

It’s surprising how many organisations don’t have a record of their key vendors. The 2022 Risk Recon Report by the Ponemon Institute found that few organisations maintain a register of the third parties they share data with, or of what data flows to each. Without one, it is difficult, if not impossible, to manage privacy risk or to control access to customers’ personal information.

A key part of any effective vendor management program is knowing who your vendors are. Ideally, this list is populated automatically as engagements are managed via your procurement processes. But sometimes these processes are bypassed, or you may have existing arrangements that need to be identified and coordinated. 

Other information you should consider including in your vendor inventory:

  • Name and contact details for your main contact at the vendor, including out-of-hours contact details and an alternate contact for your critical suppliers
  • Description of the service provided
  • Details of the data that may be shared with the vendor as part of the engagement, including its classification
  • A ranking of the criticality of the vendor and the services provided to the business
  • Details of any end-of-contract terms, including the arrangements for returning or deleting data
  • Links to the contract, so you can quickly check the terms if needed

Have a data breach plan with your vendors 

Data breaches are becoming increasingly common. In fact, 59% of organisations surveyed for the 2022 Risk Recon Report by the Ponemon Institute had experienced a data breach caused by a third (or nth) party.  

So, even if you take significant steps to reduce the risk of your third-party vendors experiencing a data breach, it may still occur. And your organisation may be held liable for personal information breached in a third-party data breach. So, it’s not sufficient to leave the management of a data breach to the third party.  

You should work with the third party to coordinate a response that minimises the potential and actual harm to everyone affected: your own organisation, and all the individuals whose data you shared with the vendor.

Your data breach management plan and how that involves your vendors should be laid out in advance.  

It should also be tested, either independently or as part of your own incident response testing exercises. 

Your critical third-party service providers are key partners and should be involved in the planning and testing of your incident response and disaster recovery efforts. 

Make sure your vendor has adequate Privacy Practices 

You should thoroughly vet your third-party vendors before sharing data with them. But it’s not unheard of for privacy hygiene to slip – or for companies to fall behind best practices in the ever-changing privacy landscape.  

Accordingly, it’s important to conduct regular reviews or audits of your third-party vendor’s privacy and security practices during the term of the engagement. Your contract should give you the right to do this, and your vendor management program should schedule it.

Track their external certifications: has their ISO 27001 certification been renewed? Is a new SOC 2 Type 2 report available, and do its scope and reporting period cover the service you actually use? Re-send your vendor questionnaire and ask for confirmation that nothing has changed. Ask for current audit reports, and read the noted exceptions rather than just the cover page.
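The inventory fields listed under “Know who your vendors are” and the renewal checks described above are easy to lose track of in a spreadsheet. The following is an added example (not code from the original article or from Privacy 108) of a small register review in Python 3.9+: it models one vendor record with the fields the article recommends, then flags critical vendors without out-of-hours or alternate contacts, contracts ending soon without documented exit terms, expired ISO 27001 certificates, SOC 2 Type 2 reports whose period ended more than a year ago, and overdue questionnaires. The vendor names, contacts, URLs, dates and thresholds are all constructed for the example.

```python
"""Vendor register review: flag inventory gaps and stale assurance evidence.

Added example for the article's inventory and certification-tracking tips.
All vendor data below is constructed; thresholds are assumptions, not rules.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed review thresholds (tune to your own vendor management program).
NOTICE_DAYS = 90                  # warn when a contract or cert ends within this window
SOC2_MAX_AGE_DAYS = 365           # SOC 2 Type 2 period end older than this is stale
QUESTIONNAIRE_INTERVAL_DAYS = 365 # re-issue the questionnaire at least yearly


@dataclass
class Vendor:
    """One row of the vendor inventory, mirroring the fields the article lists."""
    name: str
    service: str
    criticality: str                 # "critical", "high", "medium" or "low"
    data_classification: str         # e.g. "public", "personal", "sensitive personal"
    primary_contact: str
    out_of_hours_contact: Optional[str] = None
    alternate_contact: Optional[str] = None
    contract_url: Optional[str] = None
    contract_end: Optional[date] = None
    exit_terms_documented: bool = False   # data return/deletion terms recorded?
    iso27001_expiry: Optional[date] = None
    soc2_type2_period_end: Optional[date] = None
    last_questionnaire: Optional[date] = None


def review_vendor(vendor: Vendor, today: date) -> list[str]:
    """Return human-readable findings for one vendor; empty list means nothing due."""
    findings: list[str] = []
    # Contacts: a critical supplier needs a reachable human at 3am and a fallback.
    if vendor.criticality == "critical":
        if not vendor.out_of_hours_contact:
            findings.append("critical vendor: no out-of-hours contact recorded")
        if not vendor.alternate_contact:
            findings.append("critical vendor: no alternate contact recorded")
    # Contract: you need to be able to find the terms quickly.
    if not vendor.contract_url:
        findings.append("no link to the contract recorded")
    if vendor.contract_end is not None:
        if not vendor.exit_terms_documented:
            findings.append("end-of-contract data return/deletion terms not documented")
        if vendor.contract_end - today <= timedelta(days=NOTICE_DAYS):
            findings.append(f"contract ends {vendor.contract_end.isoformat()}: confirm exit arrangements now")
    # Assurance: anything holding personal data needs current evidence on file.
    holds_personal = "personal" in vendor.data_classification.lower()
    if holds_personal and vendor.iso27001_expiry is None and vendor.soc2_type2_period_end is None:
        findings.append("personal data shared but no certification or audit report on file")
    if vendor.iso27001_expiry is not None:
        if vendor.iso27001_expiry < today:
            findings.append(f"ISO 27001 certificate expired {vendor.iso27001_expiry.isoformat()}")
        elif vendor.iso27001_expiry - today <= timedelta(days=NOTICE_DAYS):
            findings.append("ISO 27001 certificate expires within 90 days: ask for the renewal")
    if (vendor.soc2_type2_period_end is not None
            and today - vendor.soc2_type2_period_end > timedelta(days=SOC2_MAX_AGE_DAYS)):
        findings.append("SOC 2 Type 2 report period ended over 12 months ago: request the new report or a bridge letter")
    # Questionnaire: re-issue on a cycle and ask for confirmation nothing has changed.
    if (vendor.last_questionnaire is None
            or today - vendor.last_questionnaire > timedelta(days=QUESTIONNAIRE_INTERVAL_DAYS)):
        findings.append("security and privacy questionnaire due for re-issue")
    return findings


def review_register(vendors: list[Vendor], today: date) -> dict[str, list[str]]:
    """Review every vendor; keys are vendor names, values are their findings."""
    return {v.name: review_vendor(v, today) for v in vendors}


# Constructed sample register (fictitious vendors, contacts and dates).
REVIEW_DATE = date(2023, 7, 28)
SAMPLE_REGISTER = [
    Vendor(name="Acme Payroll Pty Ltd", service="payroll processing", criticality="critical",
           data_classification="sensitive personal", primary_contact="ops@acme-payroll.example",
           out_of_hours_contact=None, alternate_contact="cso@acme-payroll.example",
           contract_url="https://contracts.example/acme-2021.pdf", contract_end=date(2023, 9, 30),
           exit_terms_documented=False, iso27001_expiry=date(2023, 6, 30),
           soc2_type2_period_end=date(2022, 3, 31), last_questionnaire=date(2021, 5, 1)),
    Vendor(name="Blue Print Services", service="brochure printing", criticality="low",
           data_classification="public", primary_contact="sales@blueprint.example",
           contract_url="https://contracts.example/blueprint-2023.pdf", contract_end=date(2025, 1, 31),
           exit_terms_documented=True, last_questionnaire=date(2023, 2, 1)),
]

if __name__ == "__main__":
    for name, findings in review_register(SAMPLE_REGISTER, REVIEW_DATE).items():
        print(name, "->", findings or "no findings")
```

Run as-is, the payroll vendor produces six findings (missing out-of-hours contact, undocumented exit terms, a contract ending within 90 days, an expired ISO 27001 certificate, a stale SOC 2 Type 2 report and an overdue questionnaire) while the low-criticality printer produces none. The point of the data-classification check is that a vendor holding only public data does not need the same assurance evidence as one holding personal information, so the review effort goes where the privacy risk is.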

Take action to address inadequacies 

Suppose (or, more realistically, when) your organisation’s regular audits of a third-party vendor’s privacy practices expose mishandling of data or other poor privacy habits.

Depending on your existing relationship and plans with the vendor, some steps you might take to resolve their poor privacy practices include:

  1. Work with them to identify and implement adequate improvements; 
  2. Outline the facts, their obligations, and ask them to make immediate improvements; or 
  3. Terminate the contract and find another provider. 

This is a good time to pull out the contract and check what it allows you to do.

Know If Your Third-Party Vendor Is Sharing Your Data  

Your third-party vendors should disclose any additional parties that will gain access to the personal information you share with it. These terms should be included in your contract. If they aren’t, you should renegotiate the terms as soon as possible.  

And if your third-party vendor is already sharing the data you provided, you should ask that they stop immediately until you’ve assessed the level of protection those nth parties apply to the data.

If you discover that your third-party vendor is sharing data in breach of the terms of your contract, you should carefully consider whether the relationship is worth continuing. If not, you should review the termination clauses in your contract to see what options are available to you.   

Protect the Data You Share Through Your Third-Party Agreements with Privacy 108  

Privacy 108 works with organisations to create more privacy-focused third-party agreements. Our experienced team is happy to liaise with third-party providers to assess their privacy protections and will review your terms of service to ensure that the data shared with a third party is adequately protected.   

If you need assistance protecting the personal information you have collected, reach out to Privacy 108 at hello@privacy108.com.au.
