May 22, 2020//Tony Howlett
When the European Union’s comprehensive privacy legislation, the General Data Protection Regulation (GDPR), went into effect in May 2018, it put privacy compliance on the road map for many companies, including those where it had not traditionally been a priority. Even companies to which GDPR does not apply are having to contend with existing or pending privacy regulations in their own state or locality.
The high visibility of GDPR, and the lack of any overarching federal legislation covering companies’ collection and use of personal data, has led many states to debate and, in many cases, pass their own privacy laws. The result is a “patchwork quilt” of laws that any company doing business beyond a hyper-local basis will have to contend with. As of January 2019, 31 states had some form of data privacy law on the books. This means that most U.S. businesses are covered in one way or another by privacy laws and must review the way they handle their customers’ personal data.
Complying with these laws doesn’t just cover your own operations; it can extend to your vendors, business partners and business associates. GDPR bluntly states that organizations are responsible for their own processing of such data AND for any third party that processes or stores it on their behalf (Article 28 sets out the controller’s obligations when engaging a processor). In the U.S., the Massachusetts regulation 201 CMR 17.00 includes these items in its compliance checklist:
“Have you taken reasonable steps to select and retain a third-party service provider that is capable of maintaining appropriate security measures consistent with 201 CMR 17.00?”
“Have you required such third-party service providers by contract to implement and maintain such appropriate security measures?”
California’s sweeping “California Consumer Privacy Act”, or the CCPA, references vendor or third-party liability in several sections (1798.06 C1, 2 and 5). It also requires organizations to contractually obligate service providers to meet any compliance obligation they may have under the law.
New York’s pending privacy law is, so far, the most specific about service-provider security, requiring that providers implement a “laundry list” of controls. They are as follows:
This means your privacy compliance is only as strong as the weakest link in a vendor’s privacy and security practice. If they aren’t compliant, neither are you.
Ensuring that each vendor complies with these various requirements can amount to performing a mini-audit on every one of them, unless you use a single, compliant solution for vendor access. The first requirement listed above in New York’s “Secure Access Control Measures” is a common area of vulnerability and non-compliance, since it covers how a partner or vendor accesses your company’s systems. The New York law’s current language states that third-party vendors must “assign unique identifications and passwords, which are not vendor-supplied default passwords, to each person with computer access that are reasonably designed to maintain the integrity of the security of the access controls.” This sets a high bar for a company’s vendor compliance and interactions.
Methods such as VPNs are fraught with issues, ranging from security flaws in the VPN software itself to overly broad network access and a lack of auditability. These access methods, common within IT support organizations for internal use, likely would not satisfy these requirements for vendors. Other methods, such as screen sharing, also fall short because they impersonate the user being assisted: the technician’s actions are recorded under that user’s account rather than the technician’s own. Most of these laws require the ability to trace third-party activity back to a specific technician, which is difficult with software and platforms that were not designed with that kind of auditing in mind.
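To make the New York requirement concrete, here is an added example (not code from the original post, and not tied to any product): it audits a constructed vendor-account inventory, credential store and access log for the three things the requirement rules out, namely accounts shared by several people, passwords that still match a vendor default, and sessions that cannot be traced back to one named technician. The account names, passwords, log format and default-password list are all made up for the example.

```python
import hashlib
import os
import re

# ---- Constructed sample data: none of this comes from the post ----

# Passwords known to ship as vendor defaults (made-up list for the example).
KNOWN_DEFAULT_PASSWORDS = ["admin", "support1", "vendor", "password"]

# Vendor account inventory: account name -> people who log in with it.
# The requirement is exactly one named person per account.
ACCOUNT_OWNERS = {
    "acme-jsmith": ["J. Smith"],
    "acme-rlee": ["R. Lee"],
    "acme-support": ["J. Smith", "R. Lee", "P. Gomez"],  # shared by the team
    "admin": ["R. Lee", "P. Gomez"],                      # vendor's stock account
}

# Access log in a made-up key=value format (constructed lines).
ACCESS_LOG = """\
2020-05-01T10:02:11Z account=acme-jsmith src=203.0.113.5 session=a1
2020-05-01T10:15:42Z account=acme-support src=203.0.113.9 session=a2
2020-05-01T11:01:03Z account=admin src=198.51.100.7 session=a3
2020-05-01T11:30:27Z account=ghost src=198.51.100.8 session=a4
"""

def make_record(password, salt=None):
    """Store a salted SHA-256 hash, as a minimal credential store might.
    (A real store should use a slow KDF such as bcrypt or scrypt instead.)"""
    salt = salt if salt is not None else os.urandom(8)
    return {"salt": salt, "hash": hashlib.sha256(salt + password.encode()).hexdigest()}

# Constructed credential store; two accounts still carry default passwords.
CREDENTIALS = {
    "acme-jsmith": make_record("Tr0ub4dor&3-unique"),
    "acme-rlee": make_record("correct-horse-battery"),
    "acme-support": make_record("support1"),
    "admin": make_record("admin"),
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<acct>\S+) src=(?P<src>\S+) session=(?P<sid>\S+)$"
)

def shared_accounts(owners):
    """Accounts with anything other than exactly one named owner."""
    return sorted(acct for acct, people in owners.items() if len(people) != 1)

def default_credential_accounts(credentials, defaults):
    """Offline check: rehash each known default with the stored salt and compare."""
    hits = []
    for acct, rec in credentials.items():
        for pwd in defaults:
            candidate = hashlib.sha256(rec["salt"] + pwd.encode()).hexdigest()
            if candidate == rec["hash"]:
                hits.append(acct)
                break
    return sorted(hits)

def attribute_sessions(log_text, owners):
    """Map each session id to (account, technician or None, reason)."""
    result = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line this example understands; skip it
        acct, sid = m["acct"], m["sid"]
        people = owners.get(acct)
        if people is None:
            result[sid] = (acct, None, "unknown account")
        elif len(people) != 1:
            result[sid] = (acct, None, "shared account")
        else:
            result[sid] = (acct, people[0], "ok")
    return result

def audit(owners, credentials, defaults, log_text):
    """Return human-readable findings against the unique-ID / no-default rule."""
    findings = []
    for acct in shared_accounts(owners):
        findings.append(f"{acct}: shared by {len(owners[acct])} people; activity cannot be attributed")
    for acct in default_credential_accounts(credentials, defaults):
        findings.append(f"{acct}: password matches a known vendor default")
    for sid, (acct, who, why) in attribute_sessions(log_text, owners).items():
        if who is None:
            findings.append(f"session {sid} on {acct}: not attributable ({why})")
    return findings

if __name__ == "__main__":
    for finding in audit(ACCOUNT_OWNERS, CREDENTIALS, KNOWN_DEFAULT_PASSWORDS, ACCESS_LOG):
        print(finding)
```

Run against the constructed data, the audit flags the two shared accounts, the two accounts still on default passwords, and the three sessions (a2, a3, a4) that cannot be traced to a single technician; only session a1 on the per-person account passes. The default-password check works the same way against a real credential export: rehash each known default with the stored salt and compare, so no plaintext passwords need to be kept for the audit.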
How do you know whether your vendor complies with the same regulations you are subject to? Here are some key questions to ask a vendor during the due diligence phase:
While positive answers to these questions aren’t a silver bullet for vendor compliance, they can indicate the vendor’s ability to keep you compliant and make things much easier when auditors or regulatory examiners come calling. Requiring vendors to prove their compliance with some form of documentation or audit is good due diligence when considering them for any service that involves access to your network and systems. If they dodge the question or provide no evidence of compliance, dig deeper or consider other vendors.
Picking a vendor that is careless with access to your systems and networks can be as bad as hiring a bad employee or using subpar technology. When it comes to enforcement actions, even without a breach, a company can be cited and hit with significant fines and penalties. GDPR provides for fines of up to 4% of a company’s annual worldwide revenue or €20 million, whichever is greater. State laws call for various remedies, including significant fines and even jail time for flagrant violators.
In case you think the EU’s law might be toothless for U.S. companies: Facebook was reported to face a potential GDPR fine of up to $1.63 billion over its September 2018 breach, and Google was fined €50 million by France’s data protection authority, the CNIL, in January 2019. More citations are sure to come as high-profile breaches continue.
As states race to pass their own “mini-GDPRs,” ensuring that your vendors comply can be a real chore. As privacy and cybersecurity laws fragment, with each country and even each state issuing its own standards, companies should build a robust vendor management program that includes strong due diligence, monitoring, granular auditability and state-of-the-art technology, to make sure their vendors are as secure as they are. By following the strongest practices within their industries and setting up a strong vendor management program, companies will be best prepared to meet differing compliance requirements, with the added bonus of reduced third-party risk.