You’re the CEO of “Company-A” and you open up your email and see a series of exclamation points accompanying a variety of emails – all of which signify importance and scream “open me now.” As you scan the subject lines, beads of sweat begin to form on your forehead and that hearty breakfast isn’t sitting all that well. They read “Our customer data has been stolen”, “15 million of our customers PII gone”, “Vendor-X lost our customer data”, “Initiated data breach processes & procedures” and variants on this theme. It is clear, your trusted relationship with your customers just took a body-shot,and you’re going to have an interesting day.
Vendors lose our data?
Unfortunately, they do. One has only to look at the recent data breach of T-Mobile customers’ personal identifying information (PII). In this case the vendor hired (Experian) to conduct financial wellness checks on customers and potential customers was breached – not even the company itself. Similarly, the Target breach of 2013 allowed the ne’er-the-wells into the Target infrastructure and accessed customer data via the point of sale systems which another vendor had provided. The criminals used one vendor’s access to undermine the processes of a second vendor within the ecosystem of Target. No matter how much finger-pointing takes place, the bottom line is: “Your customer is affected by the breach.”
At the risk of stating the obvious, each vendor relationship is different. That said, each vendor relationship should also include some security and privacy basics throughout the lifetime of the relationship. These include:
- If your company’s sensitive data is going to reside within your vendor’s eco-system, have you conducted appropriate due diligence to ensure vendor’s infrastructure meets or exceeds your expectations on how your sensitive data will be handled? Identifying those areas of risk (acceptable or unacceptable) where data may be exposed and what, if any, mitigation is in place.
- Track record of protecting other customer data? There are a number of resources (open-source) which may be queried to determine if your prospective vendor has had past incidents and the circumstances. We may speculate the aforementioned T-Mobile contract with Experian included the disclosure that the company had two previous breaches which occurred in the prior years and T-Mobile was satisfied that the circumstances of those breachers were appropriately addressed.
- Background checks and the vendor’s vendors access to your data? How far down the food-chain does our data travel?
- Inspections and audits? Do you take the time to inspect and audit your vendor to determine if what they say they are doing to protect your data or that of your customer is actually taking place?
- When you terminate the relationship with a vendor do you have the means to ensure your company data (customer or otherwise) is returned and/or destroyed?
Your data is your data to protect. Know how your vendor is protecting the data which has been entrusted to you by your customers. For defense industry employers, this also applies to hiring activities – are you partnering with a career site that takes data security seriously, or one that operates with an open ecosystem?