Five Considerations on Service Providers' Privacy and Security

Understanding who you share data with and how they will utilize and protect it has never been more critical. Privacy and security continue to be a top priority for regulators around the world and organizations are advised to stay abreast and take appropriate measures to comply. There is growing awareness that the weakest link may be organizations’ service providers (or vendors) that have access to their environment, and may be collecting, processing and storing protected personal information on organizations’ behalf. Due to COVID-19 and other macro-economic trends, the number of service providers utilized by organizations continues to grow. Below are key considerations when considering privacy, security and your service providers.

Privacy and Security Risks Are a Growing Concern in Organizations’ Service Provider Management Program

Privacy and security concerns are considered top priority in an organization’s service provider risk management program. According to Kroll’s 2019/20 Global Fraud and Risk Report 73% of executives identified reputational damages caused by third parties as a risk priority and nearly 30% reported that third-party incidents significantly affected their organization in the last year.¹  

Privacy regulators are requiring more action by companies when it comes to their service providers. Both the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) and the subsequent California Privacy Rights Act (CPRA) make it clear that an organization is fully responsible for the service providers within their supply chains and the onus is on those organizations to ensure compliance.² Many companies don’t appreciate the significance of this mandate and have taken little to no steps to ensure their compliance and minimized this risk.

Cyber Security of Your Service Providers Must Be Addressed Under Many Regulations

Cyber security regulators, such as the New York State Department of Financial Services, SEC, CFTC and HIPAA specifically require organizations to have a program that mandates service providers meet specific security controls. This challenge, which increases exponentially for each service provider that has access to protected personal information under an organization’s control, requires a certain level of expertise beyond what many internal IT departments can handle. Identifying, validating and analyzing service providers’ cyber security posture is no longer a luxury, but a necessity.

Privacy Focused Regulations Are Also Sounding the Alarm

An effective privacy program cannot exist without information security. While many privacy regulations do not require specific technical security controls, they require organizations to implement and maintain “reasonable” security measures to protect against foreseeable risk and ensure service providers that handle protected personal information meet them as well. May U.S. states and countries around the world have begun considering laws like GDPR and CCPA and adopting similar language, increasing the need for organizations to act.

Failure Has a Real Cost and Is Expensive

Fines for violating privacy regulations are increasing. In a 12-month period, European regulators issued over $190 million in fines to companies who have violated GDPR.³ Some of these fines have been issued in part due to the failure of the service provider, such as in the case of Ticketmaster when a third-party application was given access to protected data.⁴

The above list is not exhaustive. But it is a good starting point. Organizations are advised to conduct a thorough service provider risk assessment to identify and classify their service providers according to the security and privacy risks they pose to the organization and take real and concrete steps to minimize these risks. We predict that the regulatory interest in privacy and information security will not subside any time soon and the changes for organizations will only continue to grow.

Sources
¹https://www.kroll.com/en/insights/publications/global-fraud-and-risk-report-2019
²https://www.law.com/legaltechnews/2021/01/21/ccpa-service provider-management-potential-gaps-in-your-privacy-compliance-strategy/
³https://www.bankinfosecurity.com/privacy-fines-total-gdpr-sanctions-reach-331-million-a-15790
⁴https://www.forbes.com/sites/carlypage/2020/11/13/ticketmaster-hit-with-125-million-gdpr-fine-over-2018-data-breach/?sh=181caf124455