
Survey: Distrust of Vendors Raises Questions on Data Security, Regulatory Compliance

By Ian Lopez
June 01, 2016

Obviously, data breaches aren't trust builders, but many companies are skeptical even of those parties with whom they share confidential data, including their own vendors.

A recent survey of nearly 600 individuals across industries by the Ponemon Institute found that more than a third of U.S. businesses (37%) believe that their primary third-party vendors wouldn't notify them in the event of a breach involving “sensitive and confidential information.” Further aiding this sense of distrust are company views of “fourth-nth-party” vendors (subcontractors or indirect service providers hired by a third-party vendor), which 73% of respondents believed would “fail to notify” in the event of a breach. Here, “nth” is used to refer to an unknown number in a series of numbers.

Titled “Data Risk in the Third Party Ecosystem,” the survey was commissioned by law firm BuckleySandler and Treliant Risk Advisors to provide insight on the challenges facing companies trying to protect client information when sharing data with third parties. All companies surveyed have a vendor data risk management program and were asked to consider solely their outsourcing relationships that share “sensitive or confidential information or involve processes” requiring vendor access to that information. The study revealed that companies have difficulty “mitigating, detecting and minimizing” the risks posed by third parties handling their data.

As to why some companies lack faith in their vendors' handling of data, Margo H.K. Tank, partner with BuckleySandler, stated that, “In a data-driven economy, there is high need to outsource services and reduce costs. While many companies do have direct relationships with third parties, they still find it difficult to manage, detect and mitigate risks associated with these third parties that have access to confidential and/or sensitive company information. Lack of resources and skill sets are factors.”

Why the Distrust?

Consternation over outside data handling is not unwarranted. About half (49%) of companies reported that they experienced a breach caused by vendors, while 16% reported that they weren't sure if a vendor was to blame. The perception is erring on the negative side as well, with 73% of companies reporting that they see vendor-related cybersecurity incidents increasing.

The distrust deepens at the nth-party level, Tank said, because “the eco-system is further expanded and relationships with vendors become indirect or remote. There may be lack of transparency, control or bargaining power, thus companies find it difficult to manage, detect and mitigate risks associated with these Fourth-nth parties that have access.”

To make matters worse, the majority of companies find it difficult to manage vendor-related cyber incidents, with 65% reporting that they “don't have the internal resources to check or verify” when evaluating vendors' security and privacy practices. Tank said that this finding is “alarming, in light of the focus of federal and state regulators on consumer protection and the need to notify consumers in the event of breach and not being able to do so.”

This inability to look into vendor practices runs deep, with 58% of companies saying that they cannot determine whether vendor “safeguards and security policies are sufficient to prevent a data breach.” Forty-one percent say that these safeguards and policies are sufficient for breach response.

“The results create awareness of the problem. And the reliance solely upon contractual agreements instead of audits and assessments to evaluate the security and privacy practices creates significant risk. Companies will need to establish and track metrics regarding the effectiveness of the vendor risk management program and establish vendor risk management committees,” Tank said.

Vendor Relations

The survey results suggest that for many companies, when it comes to vendor relations, information governance needs to be strengthened: 31% view their vendor risk management program as “highly effective,” while 38% don't track metrics on their programs' effectiveness. In addition, 62% said that “their boards of directors do not require assurances that vendor risk is being assessed, managed or monitored appropriately, or they are unsure.” This, Tank said, “will have to change,” as “the [Consumer Financial Protection Bureau; CFPB] and other regulators are mandating active involvement of boards in managing data security risks.”

“Companies must understand managing data risk is not merely a compliance and contract issue but a fundamental strategic challenge in which personal data, intellectual property and transactional records must be protected from third-, fourth- and nth-party risk,” Tank said. “Risk assessments, data security program reviews and most importantly, onsite due diligence, kicking the tires and looking under the hood are all warranted in these circumstances.”

The full survey can be found at http://bit.ly/1TGiM8b.


Ian Lopez writes for Legaltech News, an ALM sibling publication in which this article also appeared.
