
 (00:01):

Welcome to the She Said Privacy, He Said Security podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century. Hi, Jodi Daniels here. I’m a Certified Information Privacy Professional, and I help provide practical privacy advice to overwhelmed companies. I’ve worked with companies like Deloitte, The Home Depot, Cox Enterprises, Bank of America, and a lot more. And I’m joined today by my husband, Justin Daniels.

 (00:39):

So Justin Daniels here, or otherwise known as Jodi Daniels’s husband. I am a cyber security subject matter expert and business attorney. I am the cyber QB, helping clients design and implement cyber plans. I also help them clean up the mess and recover from a data breach. I also provide cyber business consulting services to companies. Today we have John Corcoran here, and we have flipped the script and he will be refereeing this discussion, and with Bazell, let the games begin. And the dog starts us off. Right. All right, good. He wants to be heard. Exactly, you know, he didn’t get to introduce himself. So that’s why I spoke up. Exactly. So exactly. So thanks, you guys. This is going to be a good episode. So what we’re talking about here: you both have expertise in privacy and security, and we’re going to be talking about third-party vendors.

 (01:35):

So companies that are using third-party vendors, and how that raises both privacy and security issues, and some of those things that you need to be aware of. But first, before we get into that, this episode is brought to you by Red Clover Advisors, which helps companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. And Red Clover Advisors works with companies in a variety of fields, including technology, SaaS, e-commerce, media agencies, professional services, and financial services. In short, Red Clover Advisors uses data privacy to transform the way companies do business. Together, we’re creating a future where there is greater trust between companies and consumers. To learn more, go to RedCloverAdvisors.com. You can also email info@redcloveradvisors.com. All right, so we’re going to hop into this topic and Justin, I want to start with you.

 (02:23):

So the topic is third-party vendors, and you know, many companies, especially larger companies, are using thousands of third-party vendors. And we were talking beforehand about how it creates all of these different security risks. So just launch us into this topic: what are some of the things that companies need to be aware of when they think about security concerns having to do with their third-party vendors? So I think the first thing is that there really needs to be an awareness from the company perspective that you really need to care about the cyber hygiene of your third-party vendors. Step one is even recognizing that, Oh, I need to care about the vendor ecosystem I have and how they deal with cybersecurity. Second is what kind of process do I want to put the vendors through? There are too many times when companies just send out a vendor questionnaire and simply rely on that without really going behind it to really understand what cyber hygiene the vendor really uses. Those are my two big ones. Two big ones. All right. And then from a privacy perspective, Jodi, what are some things that companies should be aware of when it comes to their third-party vendors?

 (03:41):

Yeah, we really need to understand how the data is being used and processed. Are they using it for the reason that we gave it to them? You know, maybe it’s a payroll provider or an accounting service or a marketing agency or some type of company, right? What are they doing with the data? And maybe are they even analyzing it, aggregating it for themselves and repurposing it? Do they share it downstream? Maybe they have sub-processors or other vendors that they’ve hired to help fulfill whatever service or product that we bought from them. So it’s important to understand the daisy chain, or almost the domino effect, of how data is being used and processed.

 (04:21):

Okay. So I want to dive into those and use a couple of high-profile breaches that have happened in recent years as examples. So Justin, you’ve followed many of these different companies that have been in the headlines in the last couple of years for different breaches. So do you want to start with one in particular?

 (04:42):

So I think the best one to start with is Target. That really brought breaches onto the national landscape, and what a lot of people don’t realize about the Target breach is it really emanated from a third-party HVAC vendor in Pennsylvania. You’re thinking, what’s that got to do with Target? Well, back in the days when we stepped foot in the physical Target regularly, you know, someone needed to manage the HVAC for the building for Target. And that’s what this company did, but they were also connected to Target’s network.

 (05:17):

And so a cybercriminal hacked into the HVAC vendor and voilà, that got them into Target, but not only did that get them into Target’s network, they were able to get wherever they needed to go. So where do you go with a retailer? You go to that point of sale system, and then you target all those credit cards, and that’s exactly what happened. And so the point of that story is the HVAC vendor is part of Target’s network because they have access to it. So how do you then make sure that those third-party vendors have good cyber hygiene? Because a consequence of their bad cyber is your data breach. It seems crazy that an HVAC provider is having access to Target’s point of sale system. How common is that? Sadly, it’s more common than you would think, because really the concept that we’re talking about is network segmentation and least privileged access.

 (06:20):

So what all that means in plain English is, think about if I’m the HVAC vendor for Target. Maybe the only thing I need access to is certain parts of the network that allow me to keep tabs on the different locations that I need to be, what’s going on, their maintenance schedules, but why would I ever need access to Target’s POS system? That has nothing to do with my function as an HVAC vendor. And that’s where the least privilege comes in, but also network segmentation. So think of a network, if you segment it into a bunch of different sandboxes, and maybe one sandbox is invoicing, POS system, operations. And so how do you then segment those different areas so that if the hacker somehow gets access to one area, it’s not so easy for them to go into another sandbox? But if it’s just one big sandbox with everything in it, you get in one place, you can go wherever you want to go. And that’s what a lot of companies don’t really do well. And that was a Fortune 500 company. Think of all the middle market and small companies; they don’t have the resources to even think about that kind of stuff, let alone implement it. Yeah. So Jodi, you followed this Target breach as well. What sorts of privacy concerns were raised from that incident?

 (07:42):

Well, anytime you have a data breach you’re naturally falling into a privacy issue, because now someone else has unauthorized access to personal data, and what are they going to do with it? So that’s the intersection of privacy and security. I often talk about them being concentric circles, and there’s overlap. Well, when the security is breached, now my data is no longer private, and there’s a big overlap there. So now companies have to think about how am I going to communicate this to individuals. So there’s a big communication and PR strategy that has to happen once it’s determined a breach. Many people all got the letter. Maybe you have credit monitoring and things like that, because now that information is on the black market somewhere and could be used for identity theft and things along those lines. Then in today’s world, Target happened years ago. But now we also have these privacy laws to consider, things like GDPR and CCPA and a number of others around the world. They also have obligations if you have a data breach. So not only does a company have everything I’ve just described, but they also have other obligations under these laws that they might need to consider as well.

 (08:54):

So when a data breach does happen, then they have additional obligations that are kicking into play?

 (08:59):

They do. That’s why prevention is so important, because it’s a lot; your time, resources and attention to having to deal with this is plentiful.

 (09:08):

Got it. John, I was going to add what complicates it, as Jodi’s alluded to, is the complex, complicated regulatory structure. Because in the United States you don’t have an overarching cyber law or privacy law. You’ve got California’s Consumer Privacy Act, which is a very important privacy statute, but now you’ve got HIPAA, Gramm-Leach-Bliley; we have more of a sector approach. So, but now when you’re a retailer, and let’s be honest, what retailer isn’t doing business in California? I think it’s the fifth largest economy in its own right. So now you’ve got to really start thinking about, Oh, I need to worry about this California Consumer Protection Act, by calling Red Clover to help me out initially with figuring out what to do. Yeah. And Jodi and I did another great episode where we talked about that, the different regulatory framework, that GDPR, CCPA, how that’s affecting things and how the lack of some kind of national standard makes it difficult for companies to figure out that landscape.

 (10:05):

Let’s talk about some of the other breaches that have been out there. So there have been a number of different retailers that have had high-profile breaches. Do you want to tackle some of the other ones? Home Depot is one. Marriott is one. There are a couple of different ones that have happened. I think Focus Brands was another one, Lord & Taylor, and what they all share in common is all of them started with a third-party vendor that allowed the cyber criminal to get access to credit cards, point of sale. Because at that time, when all those breaches occurred, that was very lucrative. Now it’s graduated to let’s just ransomware and deny them access to their entire network. And not only that, but we’ll exfiltrate the data. So whether they pay it or not, they’re in a really tough spot. That’s what you’re seeing now. But back when we were talking about all these retailers, it was more of the third-party vendor going in that way. You can still go through the third-party vendor to get access, but now it’s all about ransomware.

 (11:04):

Any privacy concerns from these various different retail breaches that come to mind?

 (11:10):

I mean, really similar to what we’ve already talked about. So, you know, if I’m at a point of sale system and I’m giving you my name and my credit card, and maybe an email, it kind of also ties to what other systems is point of sale connected to, because if the entry point is point of sale, can I easily go and grab more data from other places? So not too much different.

 (11:31):

But I would also say, John, to follow up on Jodi’s point, even if they have access to the data and you’re a retailer and e-commerce that does business in 50 states, you could have access to data that requires that you give breach notification in 50 states, because there’s a different state law. Imagine trying to do that if you don’t have the right cyber insurance, or even if you do. So juxtapose that against, you know, doing it right on the front end; that is a huge thing to do all those notifications. So the notifications, just explain to the listener what that means, how you comply with those different notifications. I imagine there are different standards in terms of the notice that you need to provide. So to your point, they’re relatively similar, but there are differences. So anytime you’ve ever gotten something in the mail, and we’ve gotten them in the mail, that says, Hey, we want you to know, you know, someone’s gained unauthorized access to your data. Here’s the call center we’ve set up and here is the credit monitoring that we’ve set up. And so you get notice that this has happened so that you can take certain precautions, and then it’s usually followed up by some type of letter from possibly a law firm about a potential class action lawsuit. You get that one? Yep, yep. Yeah. You get that one as well. I guess that’s the other notice that we received.

 (12:55):

There’s a whole process to what that looks like. You have to determine when you have the right information, what you communicate, and then a whole process of determining which state has which requirements. So it’s very timely and expensive and a diversion from regular business, and you really don’t have 50 different states, right?

 (13:15):

Right. And I imagine there’s a whole industry of other companies that help when these sorts of things happen, to step in and help with that. There’s different.

 (13:23):

Let’s talk about, stepping back to the overall topic here, which is third-party vendors and how I figure out what is secure, what is safe. And Justin, you mentioned a questionnaire, doing a questionnaire, a little dismissively, saying that a lot of times that’s not enough. So talk a little bit about what role the questionnaire plays and how you can improve it, if possible.

 (13:50):

So I’ll start with an example, John, and we’ll just use you. So let’s say you want to do business with my company and I send you a questionnaire and it says, John, do you have good security? And I’m sure you’re going to write back, Yes. My security is really bad. You shouldn’t do business with me.

 (14:07):

That’s exactly what you’re going to write. Right. You’re going to write back, Our security is fine. Right. And especially sales teams, right? Sales teams who want to make the sale are more likely to be like, Oh yeah, we’re fine. You want to watch the blood drain from the sales team’s face? Bring a lawyer or a privacy or security person into the room and watch, like, Oh no, the office of no has arrived. But, you know, a little more seriously, if all you do is send out the questionnaire and they answer them and you don’t go behind the answers, what have you really learned? It’s just an exercise in digital paper that really has no meaning. So what can you do? And so Jodi and I have been investigating technologies that maybe people can use, that are questions that are geared to a kind of framework.

 (14:58):

It might be a NIST framework or an ISO, you know, a different security or privacy framework that basically can gauge the answers against what best practices are. So now you can start to compare, and we’re seeing technologies that are out there that can identify, Oh, well, if they have to have this best practice and they answered this, they need these two other types of controls or things to put in place, like maybe multi-factor authentication, to be more compliant. But at least now you’re starting to go behind the questionnaire or construct something that gives you data that you can compare to a best practice, and now make more of an informed decision. Another aspect that would be helpful is if you put together a good third-party vendor compliance program, you start to have definitions of, you know, the level of vendor. Like if we have an outsourced IT vendor, that should probably be a vendor who gets the proctology exam from a third-party vendor perspective, because that can have serious ramifications. But maybe somebody who’s just providing email or whatnot, or a service that’s limited to one part of your network and doesn’t go anywhere else.

 (16:07):

They may not get the same level of scrutiny, because what they’re doing isn’t as critical to the function of your business. But that assumes you’ve identified what’s important to my business. What are the frameworks or business operations that I can’t go without, that shut me down? And then you start to build out from there: what are your third-party vendors who service those critical business functions? And now you start to say, okay, I have to put vendors in different buckets of the kind of scrutiny that I’m going to give them, along with the questionnaires or technology that actually gives you actionable, informed information about the true state of their cyber hygiene.

 (16:44):

So I want to turn to you Jodi, because you said one of the important questions that you should ask under this idea of how do I figure out what is secure and safe is how are they going to use the data that they acquire? So talk a little bit about that.

 (17:04):

Yeah. So it’s important to understand what they’re going to do with it. Are they using it just to perform the product or service that you’re offering or, you know, that the company is trying to perform, or are they maybe going to use it for themselves as well? Could they be pulling it together, kind of a data bank of some sort, and maybe they’re going to use it for just analytics? But are they using the personal data for analytics, or are they stripping the personal data? And if they’re stripping the personal data, how are they actually doing that? Are they sharing it with other customers? You know, I had a situation once where a company said, Oh, no, we don’t use it for anybody else’s. It’s not personal data. And we just use it for you. And after getting on the phone with them, something just didn’t add up.

 (17:47):

And I kept asking question after question; it was like peeling back the layers of an onion. It was identified that it was true: it was a privacy-friendly tool and the data was not personal for that purpose, but they were actually aggregating all of the data and repackaging it and selling it to other customers. So our company’s data was going to be used to fuel, you know, a monetization strategy of data for somebody else. And they hadn’t disclosed that to us. So why would we be okay with that? Would we not be okay with that? And that’s a use situation. And with my data, it’s important to have that conversation with the company. And it’s often not the sales person on the other side, but really getting into their engineers and their technical architects to really drill into what’s happening.

 (18:38):

And you, I know you’ve had experiences, stories where you’ve had clients where you’ve uncovered, just from not settling with only looking at their website but going beyond it, having a human conversation with someone, where you have found situations where they said they were in compliance with GDPR and CCPA, but it turns out that their practices were actually not in compliance.

 (19:02):

Well, and so similar to the story that I just shared, that certainly happened. And there have been times where they might still be complying with the law, but what they’re saying isn’t quite adding up to what’s actually happening, that the data is being used a little bit differently than described. I think sometimes companies have good intentions and they’re trying their best to summarize, but it can never replace the human interaction of really drilling in and saying, okay, so I send the data to you and you do what with it? Oh, well, we put it in this database. Okay. And so then you do what with it? Oh, well, we share it with all these people. Okay. And so how do I get the data to you? Because I hear that you don’t have any personal data. Oh no, no, no, no.

 (19:43):

We totally have personal data. You’re sending it to us. And that actually, right in itself, uncovers any type of privacy obligation that a company has. So if I’m sharing personal data, that’s a flag that says I have obligations when I send it to the vendor, and the vendor has obligations. So we can’t only look to the pretty webpage. That is great; companies should have pretty web pages that explain this stuff. But we also have to go a step beyond and really make sure that we understand the flow of data: what we send them, they do what with it, and the end result. And when we look at that whole process laid out, that’s generally not perfectly described on pretty webpages. And it gets uncovered through these assessments Justin was describing, or an old-fashioned conversation.

 (20:31):

Yeah. And actually, to circle back to you, Justin, is it enough to have that human conversation? Or, circling back to your point about segmenting networks, you know, maybe that human’s going to say, yeah, we segmented our network. Our network is fine, it’s totally secure. Should companies be going an extra step further where they even have, depending on the size of the company, a professional from their team that looks under the hood, so to speak, for that third-party company to make sure? And you see where I’m going with this. Make sure that, yeah. Okay. If I come to you and I want to do business with you, and I say, you know what, John, I want to have my third-party vendor come onto your network and snoop around, what is your answer going to be? You know, there’s the challenge, I guess, is I don’t want to do that.

 (21:18):

Yes or no. Probably not. Right. That’s not the right answer. The answer is, hell no, I’m not giving you access to my network. Now in certain circumstances, if it’s a large company and it’s a smaller vendor, they might have the ability to strength. Yeah. Get that done. But practically speaking, what really happens, that’s where your third-party vendor contract comes into play, the cyber insurance that you make them have, the actual obligations that underpin what Jodi and I have talked about. Because now what you’re seeing in a lot of commercial contracts is the data privacy and security addendum, where a lot of these issues in a third-party contract get addressed, for exactly the reason that you’re talking about, which is getting access to somebody else’s network is not easy. You might be able to do some security testing on their public-facing network, like their website and whatnot. So what companies end up doing is they have a contract, they have requirements about cyber insurance, because there are some limitations.

 (22:25):

Makes sense. That makes sense. As we wrap up this conversation, any further thoughts on either the security side or the privacy side as it pertains to third-party vendor agreements?

 (22:38):

So I would add that I think a lot of times people think the small SaaS company, for whatever cool tool that they downloaded off the internet, it’s no big deal. And any time you have data going anywhere, you want to understand who that company is. And you should read their privacy notices and practices. And you know, some of the bigger companies also have kind of security certifications that they have to go through. So that gives you a little bit of a sense of comfort, but I guess I would leave it that anytime you’re sharing data, no company is sort of too small to discount. And on our side, from a data breach point of view, there’s certain data that’s included in the definition of a data breach, kind of per the law. But at the same time, from a privacy point of view, there might still be data that’s not in that fancy definition, but that still counts. And you want to be paying attention to that. So it’s, don’t only pay attention to the security definition and only the big companies; the little guys and all the personal data count.

 (23:41):

Justin, any final thoughts? I guess what I would add is, well, I’m a small company. No one’s going to target me. I’m not a problem to anyone. How many times have we heard that? A lot. You’re a prime target because you’ve done nothing, so I’m going to go after you. Is that exactly how you phrase it, or what’s more? Sometimes I phrase it like that. I guess what I’m going to add, John, is no company is too small to not be thinking about this. Yet, in my view, there remains a real gap in terms of what companies say about what they’re doing about privacy and security versus, Hey, we just want to get out there and get the technology implemented, start making money off of this. There’s still a huge gap between the importance people attribute to what Jodi and I are talking about and then the actions that get taken. I mean, don’t you still have people who say, what about the GDPR thing? It doesn’t apply to me. I don’t have to worry about it. And you have to explain to them that, Oh, but you do need to care.

 (24:46):

Right. Great. Red Clover Advisors is the name of the company. Jodi, where can people go to learn more about you and the work that you guys do? Yeah. Come check us out at redcloveradvisors.com. You can send us a message at info@redcloveradvisors.com and visit us on LinkedIn or Facebook. All right. Great. Thanks, everyone. Thanks for listening to the She Said Privacy, He Said Security podcast. If you haven’t already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.