Since the launch of the EU’s General Data Protection Regulation (GDPR) in 2018, corporate legal teams that are governed by the regulation have experienced a mixed bag of results in attempting to comply. For example, one survey indicates that more than half of GDPR-relevant companies failed to address consumer requests for their data—a key feature of new privacy regulations—within the required one-month timeframe, and another 80% of companies lamented that GDPR implementation was more difficult than other privacy or security requirements.
Meanwhile, the U.S.’s flagship data privacy law, the California Consumer Privacy Act (CCPA), is set to go into full effect on July 1—and an increasing number of Chief Legal Officers (60%) say that data privacy poses the biggest legal challenge to their organization.
But, as some companies are finding out, compliance with data privacy regulations often stretches beyond the consumer rights provisions that tend to receive the most attention. Earlier this year, online retailer Hanna Andersson suffered a data breach via its third-party e-commerce partner Salesforce. The class-action lawsuit that resulted is the first under the CCPA’s data breach provisions, which set damages of up to $750 per data subject; Hanna Andersson estimated that up to 10,000 individuals may have been affected by the breach.
Why Vendors Are Often a ‘Hidden Risk’
It’s not difficult to see how the financial impact of a breach regulated by the CCPA (or GDPR, which allows fines of up to 20 million euros, or 4% of annual revenue) can quickly become an untenable risk for any business. But the Hanna Andersson case was not special: In March, General Electric suffered a data breach via a Canon business subsidiary. T-Mobile also suffered a breach in March originating from a third-party email vendor.
In fact, by some estimates, organizations may be more at risk of an indirect data breach than a direct one; a Ponemon Institute study found that 61% of companies surveyed had experienced a data breach due to lax third-party cybersecurity. What’s worse: 66% of the companies that were breached didn’t have an inventory of which vendors and other third parties had access to their data.
Susanna McDonald, VP and Chief Legal Officer at the Association of Corporate Counsel (ACC), didn’t have this data handy years ago when she began to realize that third-party access to sensitive organizational data was a growing concern for many global corporations.
“One of the things that I had to stress to my team was to look at third-parties in a very different, holistic way,” says Susanna. “Maybe we’re using a third-party database system—that’s one type of third-party. But then we also outsource some aspects of our services to other vendors, which is another type of third-party. So you have to think along multiple lines to determine whether you’re sharing and storing data, and how much, with vendors that have access to sensitive areas of your organization.”
Statistics from 2019 indicate a staggering year for third-party data breaches: the number of records exposed skyrocketed 273% year-over-year to 4.8 billion. On average, 13 million records were exposed during each third-party data breach, making it easily the worst year ever on record.
Perhaps worse, a third-party breach costs, on average, twice as much as a normal breach. When taking into account the impact to brand reputation, loss in business, and possible decreases in stock share value, the overall cost of failing to effectively vet and evaluate third parties comes to about $13 million. There are also continuing regulatory requirements for incident and breach notification—an entirely different set of rules and headaches for many companies that don’t have technology and automated processes to assist in complying with those regulations.
“Seeing what your vendors have access to will open your eyes to a lot that’s going on out there,” said McDonald.
Opening the ‘Black Box’ of Vendor Risk
To help determine the level of risk any organization is exposed to, General Counsel and Chief Legal Officers—along with Chief Privacy and Information Security Officers—must uncover answers to the following five questions:
- Who are our vendors?
- Which ones touch our data?
- What specific data do they have access to?
- Which vendors are relevant to privacy regulations?
- How are they protecting our data?
Because vendor risk is sometimes an afterthought, organizations don’t often keep an up-to-date list of their vendors. But that’s a critical step in opening the “black box” of risks that vendors present to your organization—whether via outside regulatory rules or internal business requirements.
“These [regulatory] schemes are incredibly complicated,” says McDonald. “The variety of schemes that we’re having to comply with are incredibly complicated. You have dozens, if not hundreds of vendors that you need to evaluate. And it’s really hard to gauge what is too risky versus what is an acceptable level of risk. So it’s really important that you do a full-circle review for how your data is not only being stored but also being utilized.”
Measuring the Benefits of Vendor Risk Services
McDonald says the ACC recommends a routine assessment of your third parties, at least on a yearly basis, to expose and address weaknesses in how your business information is being managed.
“When we implemented the Vendor Risk Service (VRS) system in our process, we overhauled not just our contract review process, but went all the way back to the RFP process,” Susanna explains. “We have the VRS system implemented during the RFP process for the final candidates. And it also has to include a preliminary contract for us to review, along with the results of the VRS process matrix, so we can consider that information when we make the decision for which vendor we’re going to go with.”
Susanna says that these changes have given them a glimpse into their vendors, and helped provide a catalog of information needed for data mapping—which ultimately streamlines other processes in her department.
“Can you imagine going through an entire RFP, then getting the contract and then trying to negotiate the privacy and security issues, only to find out that they fail your requirements? And that’s basically what happens a lot of times.”
Robert Grosvenor, managing director at Alvarez & Marsal (UK), agrees that it’s an eye-opening experience—but it’s a process best managed at the start of contractual agreement.
“It’s about understanding your GDPR or data privacy compliance journey and level of maturity,” Grosvenor said during an Exterro webcast in May. “There are a lot of very good tools out there that can support that. But if you don’t understand what it is you’re buying—the services you’re getting up-front in the contract, the data that’s linked through to that—it’s very difficult to retrofit a vendor risk assessment.”
To Protect Your Organization, Seek ‘Reasonable’ Third-Party Security Measures
It’s important to note that there’s simply no such thing as infallible security. Regardless of how much a company spends, it cannot ensure that data will not be breached. Therefore, courts look for repeatable, consistent, and “reasonable” security processes and measures. Do you have a consistent, documented process for evaluating risks based on recognized legal frameworks? This helps mitigate the fallout should a breach occur.
Deleting data in accordance with regulations and industry best practices is a critical aspect of reasonable security, because if you don’t store the information, your vendors won’t have access to it and you can’t suffer a breach from it. This is a core component of reasonable security measures and is entirely within the organization’s control.
In other words, data you don’t have can’t be breached. And not deleting legacy data will always draw a negligence claim when a breach occurs.
In the meantime, as more GCs, CLOs, CISOs, and CPOs begin to implement security measures that mitigate the risks that third parties represent, we’re likely to see many more high-profile data breach cases and lawsuits. Taking reasonable security measures today can help prevent your organization from becoming tomorrow’s headline.