When the European Union’s comprehensive privacy legislation, the General Data Protection Regulation (GDPR), went into effect last year, it put privacy compliance on the road map for many companies, including those where it wasn’t traditionally a priority. Even companies where GDPR doesn’t apply are having to contend with existing or pending privacy regulations within their state or locality.
The high visibility of GDPR and the lack of any overarching federal legislation covering companies’ collection and use of personal data has caused many states across the country to begin debating and, in many cases, passing their own privacy regulations. This has led to a “patchwork quilt” of laws that any company doing business beyond a hyper-local basis will have to contend with. As of January 2019, 31 states had some form of data privacy law on the books. This means that most U.S. businesses will be covered in one way or another by privacy laws and must begin to review the way they handle the personal data of their customers.
Complying with these new laws doesn’t just cover your own operations; it can extend to your vendors, business partners, and business associates. GDPR bluntly states that organizations are responsible for their own processing of such data and for ANY third parties that process or store this information on their behalf. In the U.S., the Massachusetts statute 201 CMR 17.00 has these elements in its compliance checklist:
“Have you taken reasonable steps to select and retain a third-party service provider that is capable of maintaining appropriate security measures consistent with 201 CMR 17.00?”
“Have you required such third-party service providers by contract to implement and maintain such appropriate security measures?”
California’s sweeping “California Consumer Privacy Act”, or the CCPA, references vendor or third-party liability in several sections (1798.06 C1, 2 and 5). It also requires organizations to contractually obligate service providers to meet any compliance obligation they may have under the law.
New York’s pending privacy law, so far, gets the most specific about service-provider security, requiring a “laundry list” of controls from service providers. They are as follows:
- Securing access control measures that assign unique, non-default IDs and passwords to each person with access to systems.
- Encrypting personal information that travels across public networks or is transmitted via wireless.
- Monitoring systems for unauthorized use of, or access to, personal information.
- Encrypting information stored on portable devices.
- Implementing appropriate firewall protections and operating system patches.
- Implementing security software that receives regular updates.
- Security education and training.
This means your privacy compliance is only as strong as the weakest link in a vendor’s privacy and security practice. If they aren’t compliant, neither are you.
Ensuring each vendor complies with these various requirements can amount to performing a mini-audit on all of them unless you use a single compliant solution for vendor access. The first requirement listed above, New York’s “Secure Access Control Measures,” is a common area of vulnerability and non-compliance, since it covers how a partner or vendor accesses your company’s systems. The New York law’s current language states that third-party vendors must “assign unique identifications and passwords, which are not vendor-supplied default passwords, to each person with computer access that are reasonably designed to maintain the integrity of the security of the access controls.” This sets a high bar for a company’s vendor compliance and interactions.
Methods such as VPNs are fraught with issues ranging from underlying security flaws in the software to overly broad access and lack of auditability. These access methods, which are common within IT support organizations for internal use, likely would not comply with these requirements for vendors. Other methods, such as screen sharing, also fall short of full compliance because they impersonate the user being assisted. Most of these laws require the ability to trace third-party activity back to a specific technician. This can be difficult when using software and platforms that are not designed with this kind of auditing capability in mind.
How do you know if your vendor is compliant with the same regulations you are subject to? Here are some key questions to ask a vendor in the due diligence phase:
- Does it have a compliance program for GDPR or relevant state statute? If your vendor does, it should be able to provide audits, certifications and other documentation of this.
- Does it store, forward or process any of the data of its customers? This should be obvious in the services the vendor is performing but there are often gray areas. An example of this would be a company providing desktop support to a healthcare company that might not interact directly with the health information on the client systems. However, if the company is using screen-sharing or other such technology to provide the support, such information may be exposed to the technicians.
- What method does it use to provide support and access to client systems? Is this system compliant with the regulations the client company is subject to? Make sure the vendor can show compliance with the regulations, as well.
- Can the vendor provide an accurate and granular log of all activities on the client network? This is important for audit and forensic purposes.
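As an added illustration (not code from the original article), the following Python script audits constructed vendor-access records against the access-control points raised above: per-person, non-default accounts, and an activity trail that traces each session back to a named technician. The log format, host and account names, and the list of default or shared account names are assumptions made for the example.

```python
# Added example (not from the original article): audit constructed vendor-access
# log records for unique per-person IDs, absence of vendor-supplied default or
# shared accounts, and a trail that ties every session to a named technician.
# The six-field log format and all account names below are assumptions.
import re

# Constructed sample records: timestamp host account technician session action
SAMPLE_LOG = """\
2019-03-04T09:12:01Z srv-db01 acme.jsmith jsmith s-1001 login
2019-03-04T09:12:40Z srv-db01 acme.jsmith jsmith s-1001 query
2019-03-04T10:02:11Z srv-web02 vendor-support - s-1002 login
2019-03-04T10:30:55Z srv-web02 admin - s-1003 login
2019-03-04T11:15:09Z srv-app03 acme.rlee rlee s-1004 login
2019-03-04T11:15:10Z srv-app03 acme.rlee jdoe s-1005 login
"""

# Hypothetical list of account names that signal a shared or default login
DEFAULT_OR_SHARED = {"admin", "root", "vendor", "vendor-support", "support", "guest"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_log(log):
    """Parse the assumed six-field format; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, account, tech, session, action = m.groups()
            events.append({"ts": ts, "host": host, "account": account,
                           "technician": tech, "session": session, "action": action})
    return events

def audit_vendor_access(log):
    """Return (subject, rule, detail) findings for records that break a rule."""
    findings = []
    people_per_account = {}
    for e in parse_log(log):
        if e["account"].lower() in DEFAULT_OR_SHARED:
            findings.append((e["session"], "default_or_shared_account", e["account"]))
        if e["technician"] == "-":
            # No named person behind the session: activity cannot be traced
            findings.append((e["session"], "untraceable_session", e["account"]))
        else:
            people_per_account.setdefault(e["account"], set()).add(e["technician"])
    # One account used by several people violates the unique-ID-per-person rule
    for account, people in people_per_account.items():
        if len(people) > 1:
            findings.append((account, "account_shared_by_multiple_people",
                             ",".join(sorted(people))))
    return findings

if __name__ == "__main__":
    for finding in audit_vendor_access(SAMPLE_LOG):
        print(*finding)
```

Run against the constructed records, the script flags the two sessions that use default or shared accounts with no named technician and the one named account used by two different people.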
While positive answers to these questions aren’t a silver bullet for vendor compliance, they can indicate the vendor’s ability to keep you compliant and make it much easier when auditors or regulatory examiners come calling. Requiring vendors to prove their compliance with some form of documentation or audit is a good due diligence practice when considering using them for any services that involve access into your network and systems. If they dodge the question or provide no evidence of their compliance, you may want to dig deeper or consider other vendors.
Picking a vendor that is careless with access to your systems and networks can be as bad as hiring a bad employee or using subpar technology. When it comes to enforcement actions, even without a breach, a company can be cited for significant fines and penalties. The GDPR calls for fines up to 4% of a company’s annual worldwide revenue, or €20 million, whichever is greater. And state laws call for various remedies including significant fines and even jail time for flagrant violators.
In case you think the EU’s law might be toothless for U.S. companies, Facebook was recently fined €1.6 billion under the law, while Google was hit with a €57 million judgment. More citations are sure to come as high-profile breaches continue to rise.
As states race to pass their own “mini-GDPRs,” ensuring your vendors comply can be a real chore. As privacy and cybersecurity laws become fragmented, with each country and even individual states issuing their own standards, companies should build a robust vendor management program including strong due diligence, monitoring, granular auditability and state-of-the-art technology to make sure their vendors are as secure as they are. By following the strongest best practices within their industries and setting up a strong vendor management program, companies can be best prepared to meet differing compliance requirements, with the added bonus of being more secure from third-party risk.