The Third-Party Risk Factor
Just last week Malta was stunned by the news that a database containing information on more than 300,000 Maltese voters was leaked. The data contained names, addresses, ID card details and phone numbers in a form of an electoral register, and was exposed to the web on an unsecured internet-facing server. This information was said to be stored at a Maltese IT company. To add fuel to the fire, later in the same week it is further revealed that a 111 page client list of a Maltese law firm was also leaked in the same breach that contained client details and the details of legal work carried out. The story is still making the headlines as we write, and as details continue to unravel. This raises grave concerns from a data privacy perspective without a doubt, but equally intriguing is the third-party security aspect. Here we focus more on the rules as to why third-party security assessment is vital. The personal data of Maltese voters and the client data of a law firm can certainly be categorized as confidential PII where PII means Personally Identifiable Information under the General Data Protection Regulation (GDPR). Such information is personal in nature and must have high level security and accountability when being processed, in line with GDPR legislation. When an entity decides to process such data, for business reasons, the first crucial thing should be to categorize said data accordingly by creating an Information Classification Policy and deciding on how to protect and handle such data. Moreover, it is important to also establish a Data Retention Policy with clear guidelines as to where such data is being stored, how long it is being retained and the legal justification for such processing until it is finally deleted in a secure manner. From the articles we have read relating to this matter so far, our views are that probably this personal data and the client information was not adequately secured and classified. The PII information acquired from the breaches in question can potentially be a ground for criminals to craft legitimate-looking phishing e-mails targeting companies as well as becoming the means for identity theft through which further crimes could be perpetrated. At this stage, we do not know the extent of how this data was used or processed, only that it has been hacked. Furthermore, one wonders whether the argument reported in one of the papers, namely that the data was ‘old’ can actually hold water. The fact that the ID Card numbers and relative names are there, means both that information about many individuals is still valid as ID Card numbers do not change over a person’s lifetime and this could subsequently lead to identity theft jeopardising such individuals whose details were on that list. Impersonation attacks have proven to be successful in the past with 70% rise just in 2019. Using the valid ID Card numbers, criminals now have one more set of information about an individual that they can leverage for an attack. This raises the obvious question on what measures were undertaken, if any, by the parties engaging a third-party provider to process such data. One obvious measure that comes to mind is the implementation of a data processor agreement wherein it is clearly established who is the controller of such data and who the processor being appointed is. Furthermore, such agreements generally also establish the extent or limitations of what processing the third-party provider can do with the data in question, including measures of information security as to how such data is to be stored, managed and generally processed. The answer lies in third-party management practices that seem to have been lax to detect such non-compliance. But how can someone make sure that their contractor, third-party service provider or vendor will not misuse the data given to them? This is question which both the GDPR and the information security standards such as ISO 27001 address in order to mitigate to the extent possible. Here we provide you with a 5-step digest that you should always incorporate into the third-party management system or process. Risk Assessment – The most important is to understand that if you decide to outsource data processing to a vendor, the legal liability will stay with you. Meaning that even if your contractor is breached it is your company that will be held liable. For this reason, it is extremely important to do proper third-party risk assessment and understand the risks involved before engaging. If outsourcing highly sensitive data is not possible without high risk that you should consider alternative methods or restrictions to such processing. Remember it is your credibility, reputation and legal liability on the line if you choose a third-party processor poorly. You should assess the contractor before onboarding in every aspect possible to mitigate risks. Contract – If you have made a proper risk assessment and decided on a trustworthy processor, the contractual terms should certainly provide for the safe handling, processing and storing of the data through a detailed data processor agreement. You must make sure that the vendor is contractually obliged to follow your Information Security Policies and Standards, thus making sure that they accept your definition of safety and security. You should also include incident management rules, such as if the vendor detects a breach or any level of non-compliance, they are to immediately notify you of such breach or non-compliance. Right to Audit – another crucial element that you must include in the agreement is the right to audit. This clause will ensure that you can at any agreed time you do on-site audit to verify the third-party compliance with the contractual terms. Audit can also mean monitoring or online access and not always a physical on-site examination. Without a right to audit clause you will lose complete oversight and any chance of verifying vendor compliance. Exercise the Right to Audit – it is even more important to regularly exercise said audit on the third-party contractor as frequently as you decide. Having a contract and established rules only, won’t hold back a contractor on misaligning with said rules. You should schedule regular and comprehensive checks. Vendor Access – the access to your systems or data by contractors should be strictly controlled and monitored. If you suspect a breach of contractual terms or a data leak, you should immediately terminate contactor access and investigate. If possible, data processors should not be allowed to have actual copies of your data and should only be allowed access it by connecting to a subsystem over which you have full control. We are confident that if you follow the above steps you can mitigate the third-party risk to a minimum and avoid such breaches like the ones we have learnt of in the past week. NormShield tracks a comprehensive list of companies breached through their third-parties, which shows how important third-party security is and to make sure that said parties comply with your requirements. Lastly don’t forget that at the end of the day a third-party processor is consider an extension to your company and a breach on their side could have significant impact on your business not only from a physical point of you but also from a reputational one. Do you have contractors but are not sure about the risks? D4n6 can help you identify gaps in your data leakage prevention program or third-party management. Contact us today.