Privacy Daily is a service of Warren Communications News.
'Can't Outsource Accountability'

Privacy Involves Every Part of the Supply Chain, Privacy Pros Say

Data security is inextricably linked to vendors, third parties and others along the supply chain, necessitating that companies have a firm understanding of how their information flows internally as well as externally, panelists said during a Practising Law Institute (PLI) event Wednesday.

Information security and vendor security can no longer be separated, said Linnea Solem, CEO of Solem Risk Partners. Gone are the days when companies' IT work remained on the premises, where they owned the employees and the risk, Solem said.

This means that “third-party oversight has gone beyond ‘Let's just put it into the contract and hold the vendor liable,’” she said. It's imperative that the C-suite understands your company is accountable for its use of vendors. As such, companies must have a “robust ... third-party governance program ... because the organization chose to outsource a function.”

Companies must show that if they use outside vendors or technology, they are “holding them to the right regulatory provisions in the contract” and have “appropriate guardrails” to limit the vendors' use of their data, added Solem. “You can't outsource accountability.”

Similarly, InterSystems Data Protection Officer Ken Mortensen said contracts are no longer “enough.” Instead, they're “a starting point,” and they don't “define actual protections” or “stop the bad things from happening.”

The panelists also emphasized the need to go several steps beyond one's own company in the supply chain. For instance, there could be another vendor or business “four steps beyond,” Mortensen said, “but that's part of the overall supply chain” and “could affect security” when it reaches the firm's data.

The term used in third-party risk management is “fourth to nth party,” Solem added. It recognizes that your company's third party has vendors, thus “the fourth party.” But the fourth party also “has a vendor, and then that vendor has a vendor,” and so on.

Knowing that, Solem urged companies “to build a risk assessment process,” where they have “contractual ability to conduct the [risk] assessment,” or can “hold [their] vendor accountable to build a third-party risk management governance program,” which then can be audited.

Communications between a company and its vendors must also always be “integrated,” Mortensen said, so that they can collaborate on a plan to have in place in the event of a possible incident. Solem agreed that being “proactive” is key.

For companies beginning to think about third-party security, the two panelists recommended using the NIST Cybersecurity Framework for guidance. Mortensen said NIST and the Cybersecurity and Infrastructure Security Agency are both helpful resources.

Solem said another thing for companies to think about is procedures for ending a contract with a vendor. Now there's “a different risk profile to manage,” where “a different set of due diligence questions” needs to be asked. These address whether the third party retains any of the company's data, for what purpose and with what safeguards in place, she said.