This blog is the second in a series exploring how organizations can prevent or mitigate the severity of a third-party data breach or cyber exploit by implementing a variety of cybersecurity risk management controls, such as assessing compliance with regulations, vetting third-party security practices, and establishing data breach and cyber exploit incident response procedures. While the complexity of cyber risks intensifies, together with an increasingly challenging privacy and security regulatory environment, the overall maturity of third-party risk management programs is barely keeping up. Resource constraints, a lack of standardization of risk assessment processes and the difficulty of determining the “source of truth” of data held by third parties continue to dog many organizations.
Part 2 – Enforcing Penalties for Third Parties’ Noncompliance With Security Requirements
In Part 1 of this series, we discussed ways in which organizations can ensure compliance with data protection and privacy regulations by their vendors and other third parties providing critical infrastructure or operational support or having access to personal and other sensitive information, such as financial, health and other regulated data (Sensitive Data). But while it’s one thing to conduct risk assessments and monitor your third parties for data privacy and security risks, how should organizations handle a third party’s violations of or noncompliance with the organizations’ standards?
Organizations should develop a set of prescriptive information security requirements, controls and processes (Requirements) with which they expect third parties accessing, storing, processing, using and/or transferring Sensitive Data to comply. These Requirements should closely align with the organization’s own internal information security policies to ensure that consistent treatment is afforded to Sensitive Data handled by the organization’s third parties. The Requirements should be included in the service contracts with third parties as specific obligations for the third parties to follow.
In many cases, a third party might object to the contractual obligation to comply with the Requirements, arguing that it cannot modify its existing set of information security policies, which may vary from the organization’s Requirements. The third party might either respond with its own set of policies to include in the service contract or otherwise reject including any specific controls or requirements. Organizations should develop policies to determine when and in what circumstances third parties’ exceptions to inclusion of Requirements are acceptable.
Service contracts with third parties should also include:
- Obligations for the third party to comply with applicable international, federal, and/or state data privacy and security laws and regulations
- Enhanced liability and indemnities for violations of privacy and security laws as well as for data security breaches
- The organization’s ability to conduct regular assessments or audits of the third party’s information security program and controls
- Obligations of the third party to promptly notify the organization in the event of an actual or suspected breach of security of any system, website, database, equipment, or storage medium or facility controlled by the third party or the third party’s subcontractors
- Specific steps the third party must follow in the event of a security breach, including remediation steps and the provision of information associated with the breach to permit the organization to comply with any legally required notifications or other actions
- The third party’s commitment to cooperate with the organization’s inquiries regarding security vulnerabilities identified through the organization’s use of any third-party security monitoring tools, and to provide periodic updates and evidence of remediation of security issues identified during previous assessments
- The right for the organization to terminate the service contract or seek financial remedies in the event the third party fails to comply with required security requirements
The creation of these contractual obligations typically entails the participation of an organization’s legal, information security and compliance departments as well as the business unit or division requiring the product or service from the third parties. Additionally, organizations need to determine which department is ultimately responsible for the enforcement of penalties for the third party’s noncompliance with the security requirements. However, in many cases, the applicable business unit or division dealing directly with the third party might be reluctant to penalize or terminate the relationship with the third party for noncompliance if the third party is providing a critical service for which there are no viable alternatives. Resolving these sticky issues can be a difficult process, but it can be mitigated by a defined, risk-based approach that describes the specific situations and use cases under which an organization will accept noncompliance by a third party.
Part 3 of this blog series will examine procedures for the evaluation and vetting of third parties’ data security practices.
For more information on developing third-party privacy and cyber-risk management policies and contractual provisions for data security and privacy compliance, contact the author.