Regulators Put More Emphasis on Third-Party Risk Management

Sonali Shah | February 4, 2014 | tag: Regulation & Compliance

With so much of today's business processes dependent on a complicated network of suppliers, contractors, and service providers, the problem of determining liability for data privacy and protection is quickly coming to a head. When sensitive data is hosted in a provider's infrastructure, is that provider or its customer responsible for protecting that data? If a company entrusts a partner with a customer database and that partner lets the database be compromised, which company is responsible for notifying those customers and who will end up footing the bill for legal damages?

These are complicated questions about third-party risk management—ones that are still being dissected by regulators and the legal system. Numerous lawsuits are still in play that will determine the degree of vendor liability in breaches involving a partner's or customer's consumer data. In fact, in late 2013, news came down from the 5th U.S. Circuit Court of Appeals that Heartland Payment Systems is going to be paying the piper for its massive 2008 breach involving consumer data entrusted to it by card-issuing banks. The banks had previously sued Heartland to recover costs caused by the breach, but that lawsuit was thrown out in March 2012. Now the appeals court judges say that the banks can sue Heartland. It will be interesting to see how this lawsuit plays out given the recent string of breaches suffered by retailers like Target and Neiman Marcus; card issuers and payment processors will certainly be looking to recover the significant costs associated with these incidents, which are already estimated to be upwards of $30 million.

Given these types of lawsuits, and the increasing number of breaches caused by third-party negligence, regulators have also started to pay greater attention to the role these vendors play in protecting consumer PII. For example, the newly implemented PCI DSS 3.0 requirements focus heavily on third-party risk management. The regulation now requires organizations, when establishing a relationship with a vendor, to sign an agreement delineating who is responsible for specific aspects of the regulation. Troy Leach, chief technology officer of the PCI Security Standards Council, told HealthCareInfosecurity.com:

Organizations must have a written agreement with the service provider to ensure they understand their obligation to secure data. We have a special interest group that is devoted to the topic of third-party security assurance, and we'll be putting out additional guidance on that topic in 2014.

In a similar vein, late last year the Office of the Comptroller of the Currency released new guidance on third-party risk management, which states that banking institutions need to do a better job of overseeing their vendors to account for information security risk. At the same time, new requirements in HIPAA imposed by the HITECH law put greater onus on third-party 'business associates' to disclose breaches and put them under the purview of U.S. Department of Health and Human Services enforcement. But this doesn't necessarily relieve the customers who entrusted those organizations with data from enforcement or, for that matter, from legal actions arising from incidents.

In 2014, the number of vendor-caused breaches will only continue to increase, as will the regulatory pressure on businesses to focus on third-party risk management. Organizations cannot simply end their vendor relationships to circumvent these headaches. But they can do a better job of understanding the security posture of their partners in order to reduce the risk of being held liable for someone else's sins.
