It is essential to assess the privacy and cybersecurity practices of third-party service providers, not only for employee personal information but also for confidential and personal information relating to the activities of an organization and its customers, clients, patients, students, etc. The Federal Trade Commission (FTC) announced a settlement on Dec. 15 with a financial institution that, the FTC claims, did not oversee the data security practices of one of its third-party service providers, as required by the Gramm-Leach-Bliley Act Safeguards Rule.
The Safeguards Rule requires financial institutions to develop, implement and maintain a comprehensive information security program. As part of this program, financial institutions must oversee their third-party vendors, ensuring that they are able to implement and maintain appropriate protections for customer information, and must require them to do so by contract. The FTC alleged that the financial institution in this matter had not done so.
“Vendor monitoring is an essential part of any comprehensive data security program, especially where vendors can put sensitive consumer data at risk,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection. “If you’re a finance company, monitoring vendors isn’t just a good idea, it’s the law.”
In this case, the FTC alleges that the financial institution’s vendor, which performed text recognition scans on mortgage documents, stored the contents of those documents on a cloud-based server in plain text, without any protection to block unauthorized access, such as requiring a password or encrypting the information. And, according to the FTC, the financial institution (i) failed to adequately vet the offending vendor and other vendors; (ii) did not have safeguard requirements in all vendor contracts; and (iii) had not performed risk assessments of all of its third-party vendors, as required by the Safeguards Rule. Unfortunately, the complaint claims that the server was accessed dozens of times and that the documents on the server contained sensitive information about mortgage holders and others, such as names, dates of birth, Social Security numbers, loan information, credit and debit account numbers, driver’s license numbers and credit records.
It is important to note that similar legal and regulatory requirements exist at the state and federal levels outside of the financial services industry. Here are some examples:
- Under HIPAA, Covered Entities that work with certain third parties, known as Business Associates, must enter into “Business Associate Agreements” that set out extensive contractual obligations for the Business Associate with respect to privacy and security, obligations which also apply directly to the Business Associate.
- New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) requires “[a]ny person or business that owns or licenses computerized data which includes private information” of a New York resident to select service providers capable of maintaining appropriate safeguards and to require those safeguards by contract.
- Companies subject to the Massachusetts data security regulations, 201 CMR 17.00, must supervise service providers by (i) taking reasonable steps to select and retain those that are able to maintain appropriate security measures to protect such personal information in accordance with Massachusetts and any applicable federal regulations, and (ii) requiring those service providers by contract to implement and maintain such appropriate security measures.
- Several other states have similar requirements, including California, Colorado, Oregon, and Rhode Island.
The FTC’s proposed order requires that the financial institution, among other things:
- undergo biennial assessments of the effectiveness of its data security program by an independent third party, which the FTC has the authority to approve;
- have a senior corporate officer certify annually that the institution is in compliance with the final FTC order; and
- report any future data breach to the FTC within 10 days of notifying other federal or state government agencies.
We have discussed here certain steps organizations can take to assess the privacy and data security capabilities of their third-party service providers. Of course, these are not the only steps an organization can include in a vendor management program. The steps chosen should be driven by the organization’s own risk assessment of the nature and extent of the sensitive data it shares with, and has processed by, third-party service providers. At a minimum, any organization must ensure that its master service agreement with the provider includes a requirement that the provider maintain reasonable safeguards for personal information. Whatever measures are taken to address this risk, organizations should regularly reassess the privacy and cybersecurity risks presented by third-party service providers and how those risks are being handled. And don’t forget that, because many of these organizations are service providers themselves, they may also face increased scrutiny of their own practices in this regard.