While working with vendors and third parties is an inherent part of doing business and they provide tremendous value and opportunity, vendors also present significant risks. These risks are of growing concern, particularly when it comes to data privacy and security. Forrester states, “The repercussions of security incidents across the value chain, as well as the EU General Data Protection Regulation’s (GDPR’s) more stringent compliance requirements, make managing third-party risk a top priority for S&R [security and risk] pros.” [1]
And you don’t have to look far to find examples in the news of data breaches caused by vendors. Forrester research also found, as shown in Figure 1 below, that a third-party attack or incident caused 21% of confirmed security breaches in 2018. [2]
Additionally, Ponemon estimates the cost of a data breach at between $750,000 and $35 million [3], with the global average cost in 2018 at $3.86 million and increasing each year. [4] On top of the monetary cost of fines related to a breach, other critical factors must be considered when calculating its true cost: damage to the company’s brand, loss of customer trust, and the potential lawsuits and regulatory actions that follow a breach.
In addition, privacy laws and regulations have specific provisions that address vendors and extend companies’ data privacy obligations throughout their supply chains. Whether you are focused on GDPR, the California Consumer Privacy Act (CCPA), Health Insurance Portability and Accountability Act (HIPAA), EU Privacy Shield or a combination of different frameworks, one of the most important components of your privacy and security risk management program is to understand how your vendors are handling your data and whether they too can maintain compliance.
The privacy experts at TrustArc recommend that you expand your vendor management approach to address privacy and security. It’s important that your vendors:
- Demonstrate privacy and data protection awareness from the beginning of the relationship
- Complete privacy and security assessments
- Comply with regulatory and internal privacy and security governance
- Implement and maintain terms of a Data Processing Agreement (DPA)
In addition, the TrustArc Vendor Risk Management solution provides a centralized place and method to collect, maintain and track critical data for ongoing vendor management. The solution, powered by the TrustArc Platform, enables companies to assess vendors, evaluate and monitor vendor risk, track vendor status and report on key compliance metrics. Our experienced privacy consultants are available to help you understand your regulatory environment and risks; design your vendor management program; define your risk scoring model and vendor prioritization; develop policies and procedures and more.
To learn more about how to minimize vendor risk, vendor management best practices and how to build a successful vendor management program read our Vendor Risk Management Guide.
To learn more about the TrustArc Vendor Risk Management solution, visit www.trustarc.com/products/vendor-risk-management/
1. Manage Third-Party Risk to Achieve and Maintain GDPR Compliance. Forrester. April 2018.
2. The State Of Data Security And Privacy: 2018 To 2019. Forrester. December 2018.
3. Royal, K. Third-Party Vendor Management Means Managing Your Own Risk. iapp.org.
4. Shepard, Sydny. The Average Cost of a Data Breach. Security Today. July 17, 2018.
As part of the TrustArc Privacy Insight Series, Director of Consulting at TrustArc, Paul Iagnocco, presented “Managing Risk & Easing the Pain of Vendor Management”. This blog post will give a brief summary of that webinar; you can listen to the entire webinar and download the slides here.
In this webinar, Paul discussed the methods companies use, and the challenges they face, when assessing and evaluating vendors under regulations such as the GDPR, CCPA, Privacy Shield and HIPAA. Under each of these regulations, demonstrating compliance requires vendor management provisions that speak to specific topics such as documented instructions, technical and organizational measures, confidentiality, disclosure, right to audit, and retention periods. Paul stressed the importance of involving key stakeholders (IT, finance, legal, etc.) and of prioritizing relationships with the information security team in particular. Once a company has mapped its existing vendor management approach, working with that team is what makes it possible to find where privacy and security checks can be added within that cycle.
Shankar Chebbrolu, Enterprise Security Architect at RedHat, spoke on his experience using various vendor management methods. Prior to 2016, RedHat used a home-grown approach to vendor management built on Google Forms and a ticketing system. In May 2016, RedHat had an auditor assess the way the company was handling risk management, including third party management. The auditor’s report showed that RedHat needed to further develop its vendor management system in order to improve its privacy posture. RedHat implemented TrustArc Assessment Manager in February 2017 as a means to assess and minimize its third party risk. Shankar discussed how the robust, out-of-the-box templates within Assessment Manager, specifically the vendor assessment template, removed the need for his team to frame vendor questions themselves. As of February 2019, RedHat has completed over 200 vendor assessments using Assessment Manager!
Paul outlined several key takeaways for effective vendor management:
- Identify tools to manage vendor due diligence, whether it be by manual/low-tech or a technology platform approach, while considering long-term versus short-term sustainability
- Conduct privacy assessments (e.g., PTA, PIA and, if necessary, DPIA) that address the vendor’s overall privacy program, appropriate to the nature of the information
- Be prepared to demonstrate due diligence – including reporting and individual rights management
- Establish a common repository for all vendor management and data protection initiatives
To learn more about best practices for vendor management, view the on-demand Privacy Insight Series webinar here. Registration is now open for the next webinar in the Privacy Insight Series: “Pragmatic Consent Management: Meeting Compliance and Business Needs.”
The TrustArc Privacy Insight Series is a set of live webinars featuring renowned speakers presenting cutting edge research, tips, and tools. Events are free and feature informative discussions, case studies and practical solutions to today’s tough privacy challenges. Over 20,000 privacy professionals registered for our events in 2018!
Companies that self-certified with the Department of Commerce (DOC) last fall, before the September 30, 2016 deadline, will soon see their 9 month “grace period” come to a close. The grace period was given to these companies so that they could ensure that all of their third party vendors met the Accountability for Onward Transfer principle. That deadline is now fast approaching.
The Privacy Shield Accountability for Onward Transfer principle, Section II, 3.b., states:
To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles; (iv) require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.
In sum, maintaining your Privacy Shield certification by adhering to the Accountability for Onward Transfer principle requires a lot of due diligence. When your company’s relationship with a third party vendor involves transferring personal information to that vendor, your company has to ensure that the vendor will process the personal information in a manner consistent with your company’s obligations under the Principles. Your company’s contract with the vendor also has to state that the data your company transfers to it can only be used for limited and specified purposes. What’s more, vendors acting as agents have to cease unauthorized processing and take steps to remediate it.
For most companies, this is a lot of work that is quite time consuming; the initial grace period concession was given in light of the time it may take a company to comply with this principle. For example, a few of the hundred or so vendors that a typical mid-sized business uses are: a marketing automation system, a customer relationship management system, an administrative services system, and a payroll system. Larger organizations may use thousands of vendors.
How will companies adhere to this principle? One option is to compile a large spreadsheet and call, email, or meet with internal business or process owners. Though this option is cost effective in terms of dollars, it is not cost effective in terms of time, productivity, and data integrity. Technology solutions to automate the process and provide an easily accessible digital repository may have up-front costs. However, long term savings in terms of time, productivity, and maintaining data integrity will far outweigh initial up-front costs.
If you have any questions about the requirements of this Principle, contact us.
The Internet of Things (or the Internet of Everything, as some refer to it) is changing the way of the world for businesses, governments and consumers, as devices and services are increasingly connected to the Internet in real-time, 24/7. This allows for the practically ubiquitous collection, storage and sharing of data on an always-on basis, which heralds countless innovations for enterprises and individuals alike.
However, with increased connectivity comes the potential for increased vulnerability—in both the cyber and physical worlds. This is why Privacy by Design is a paramount business practice for companies engaged in the IoT space, as well as a consideration that consumers increasingly expect. TRUSTe’s Privacy Risk Summit (Wednesday, June 8th in San Francisco) features three sessions devoted to IoT privacy issues. In this second preview blog, Darren Abernethy, Privacy Solutions Manager at TRUSTe, offers a brief introduction to Privacy by Design in the IoT context.
The Internet of Things Continues to Grow Exponentially
The IoT is a short-hand term that refers to the interconnected environment in which previously offline, data-siloed objects can now continually communicate information among other objects and people. According to one estimate, the number of IoT-connected devices will number 38.5 billion in 2020, up from 13.4 billion in 2015: a rise of over 285%.
Consumer-focused, “smart home” devices are already a fixture in many retail outlets (think fitness wearables, connected refrigerators, sous-vide precision cookers, smart thermostats and lighting systems, the list goes on), and the next several years are expected to see IoT maturity in areas as diverse as connected cars, smart grids and cities, digital healthcare, agriculture, and various industrial channels. In short, there is no scarcity of interest in the application of IoT connectivity across sectors because of the granular insights that it facilitates.
The Connected World Requires Pre-Conceived Privacy by Design
A recently released survey conducted by Ipsos on behalf of TRUSTe/NCSA found that 89% of respondents say that they avoid companies that do not protect their privacy. This reality—that brand reputation and consumer trust are inextricably linked—is especially true in the IoT context. This is why Privacy by Design, or the practice of building privacy and security controls into a product or service at the outset of the planning process, rather than as an afterthought, is imperative.
There is no statutorily-defined, one-size-fits-all prescriptive list of what constitutes Privacy by Design. Indeed, in the context of IoT devices, Privacy by Design in practice ultimately depends on the types and quantity of information a device collects, the sensitivity of the data, and the overall risk posed to end users. Still, some issues should form the basis of any Privacy by Design assessment throughout product development, and these include:
Data Minimization. Whereas early IoT devices may have focused on collecting information indiscriminately, on a “we’ll find a use for this data later” basis, such an approach will no longer be tolerated by regulators. Most privacy regimes mandate that only data relevant to the purposes for which consent was originally given may be processed. And with the new EU GDPR privacy regulation’s effective date inching closer each day—along with its application to data controllers and processors of fines equaling up to 4% of global turnover for serious infractions—all IoT folks should be mindful to collect only what is necessary to achieve their business goals (and in keeping with their disclosures and public promises).
Perform Privacy and Security Risk Assessments Throughout All Stages of Development. These complement an overall risk-based approach that includes, from the start, a full inventory of the type and variety of personal information collected, as well as an end-to-end understanding of data flows across the life cycle of any data. As the FTC has noted: “An evolving inventory serves triple duty: It offers a baseline as your staff and product line change over time. It can come in handy for regulatory compliance. And it can help you allocate your data security resources where they are needed most.” TRUSTe’s SaaS-based Assessment Manager was designed with this in mind: it automates the privacy impact assessment process so that companies can efficiently assess privacy risk, produce on-demand compliance/audit reports, and monitor privacy matters on an on-going basis.
Use Security Hygiene Best Practices. This entails using secure transmission protocols and encryption for personal information in transit and at rest, building in proper authentication controls, training company staff in privacy and data security best practices, limiting permissions, and shipping a smart device with secure default settings that more advanced or aware end users can change later.
Vet Vendors and Partners. Privacy by Design considerations do not end with the device manufacturer; they extend to the partners and service providers associated with the device maker. Accordingly, IoT companies should embed processes to review third party providers’ practices, and have contractual provisions in place that clarify responsibilities and liabilities, before any product or service goes to market.
Transparency and Control. IoT companies must be transparent with consumers—in easy to understand language and format—about how their troves of data are collected and used. This means up-front and accurate privacy statements, built-in mechanisms for on-going notice and choice (including just-in-time notices), conspicuous user privacy controls/dashboards, and effective communication—beyond the design phase—of access options, recommended security updates and other manifestations of respect for users’ preferences.
The Future of IoT Privacy by Design
As more devices, platforms and infrastructure connect to the Internet in real-time, the most successful industry participants will be those that regard Privacy by Design as an opportunity to demonstrate that they are worthy of consumers’ trust. Industry self-regulatory frameworks, such as the OTA IoT Trust Framework, are available to help companies to operationalise privacy by design. Time will tell whether this is enough to pre-empt the need (in the eyes of external regulators) for legislation. Also unclear are issues of interoperability in the IoT context, as well as questions of whether a one-time consent by consumers can realistically serve as “informed” consent as connected devices become a perpetual presence in our daily lives. For insights and analyses of these issues and more, be sure to check out next month’s TRUSTe Privacy Risk Summit, or contact TRUSTe today.
If you missed today’s webinar covering vendor management, you can watch a clip below and follow this link to download the full webinar.
Speakers Ray Everett, Director of Product Management & Principal Consultant at TRUSTe, and Charlie Miller, SVP at Shared Assessments, covered best practices for vendor management and for conducting vendor risk assessments, and revealed results from a 2015 Vendor Risk Management benchmark study.
This webinar is part of TRUSTe’s Privacy Insight Series.