Tips for Your Vendor Security: Complying With Regulations
Organizations have much more than just data to lose in a third-party breach. Besides losing consumer confidence and loyalty, companies can face costly penalties for violating data privacy regulations.
During National Cybersecurity Awareness Month (NCSAM), it’s appropriate for organizations to also be aware of the risks of non-compliance. Not complying with HIPAA can cost as much as $1.5 million per year for each violation category. The fines for not complying with the EU’s General Data Privacy Regulation (GDPR) could be up to €20 million or 4% of annual revenue—whichever is greater. And the California Consumer Privacy Act (CCPA)—which will go into effect on January 1, 2020—will fine $7,500 per violation.
To get a sense of what it might cost a company that does not comply with regulations, one need look no further than this year’s $57 million GDPR penalty issued to Google. This is undoubtedly one of many exorbitant fines that non-compliant businesses will face.
It’s important to understand that if an organization is breached through a non-compliant third party, the organization itself will be held responsible and could face stiff penalties. For this reason, be sure that your vendors comply with the regulations that apply to them.
Here are some key points to consider:
GDPR and CCPA Right to Deletion
If your vendor is subject to GDPR, CCPA or any number of other privacy regulations, it must accept consumer requests to delete their data. This means that the vendor must have a way to know where every bit of each consumer's data is located within its systems.
The vendor may have to work through a "data mapping" and "data flow" exercise just to understand where all these bits of data are before developing the new software functionality that will delete the data in question. In addition, if the vendor has implemented a professional backup regime, even the customer data in backups may have to be deleted.
GDPR and NYDFS Breach Notification
Will the vendor know if it is breached by a hacker? Companies are required to notify a supervisory government authority within 72 hours of determining that there has been a data breach. The vendor will have to implement intrusion detection systems to know when a breach has occurred.
NYDFS "Minimum Cybersecurity Standards"
This may be one of the toughest requirements. The vendor will need to implement an information security management system, with controls such as those defined in standards like NIST or ISO 27002.
Keep in mind that compliance does not guarantee security. The threat landscape is constantly changing, and often at a significantly quicker rate than the regulatory landscape. However, organizations can significantly reduce risk by effectively screening and continuously monitoring their vendors for security threats and compliance.