Vendors can pose major data security risks
Posted On: May. 20, 2007 12:00 AM CST
In jeopardizing the sensitive private data on 75,000 policyholders of New York state's largest health insurer, two company vendors demonstrated a risk that the vast majority of U.S. companies share, but do little to mitigate, information security experts say.
In violation of the insurer's data management protocols, a mental health claims provider in March arranged to ship the data to a data management firm by ground courier on a compact disc: the data was unencrypted and the disc was not even password-protected. The shipper misdelivered the CD, and its whereabouts were unknown for days.
The insurer, Empire Blue Cross Blue Shield, a subsidiary of Indianapolis-based WellPoint Inc., was already notifying policyholders about the missing data when the CD was found in a delivery made to a residence.
The claims provider recovered the CD, and the data was not compromised, a WellPoint spokeswoman said.
The incident was "fairly prototypical of something that can go wrong" when using vendors that have access to a company's customer data, said David J. Navetta, managing member of InfoSecCompliance L.L.C. of Denver.
Information security experts are quick to note that about 70% of data breaches are not attributable to vendors but to internal security problems.
Still, vendors pose a significant data security risk for corporate America, experts say. That's because nearly all companies retain an outside data management company of some kind, whether to process in-store or online credit card purchases or just to store data. Indeed, data storage is an area that Mark Greisiger, president of Philadelphia-based NetDiligence Inc. calls the "Achilles heel of most companies."
But about 75% of companies do not take adequate measures to ensure their vendors are protecting their data, experts say.
"There's more that companies should be doing," said Baljit Dail, global chief information officer for Aon Corp. of Chicago and global chief administrative officer for Aon Consulting.
Those demands should extend even to vendors that have only temporary access to a company's data and never manipulate or store it on a permanent basis, said Kevin Kalinich, the Chicago-based co-national managing director of professional risk solutions for Aon Financial Services Group.
As Empire learned, establishing data management protocols is not enough, experts say. Those protocols and other protective measures should be outlined in contract provisions--after a vendor's security processes have undergone a precontract review (see related story, page 16). Then, companies must periodically verify that vendors are complying with contract terms.
Holding vendors to much tougher standards will not eliminate the risk they create, experts agree.
Even so, "Prudent and reasonable security practices can remove the burning plank issues," Mr. Greisiger said.
That's important because when data security fails, at least one of about three dozen state privacy laws, and possibly the federal privacy laws governing financial institutions and health providers, comes into play, exposing companies to penalties, fines, and costly customer notification and identity theft-monitoring requirements.
Regardless of their comfort level after completing their due diligence of a vendor, companies must negotiate vendor contracts that contain specific and stringent data security standards, experts said.
An important contract provision should require vendors to conduct background checks on all workers with access to sensitive data, experts said.
In addition, vendors should have a so-called "least privilege" policy, which restricts workers' data-access rights to the minimum level necessary to complete their work, said Anthony Hernandez, a partner and the head of the information risk management practice at SMART Business Advisory & Consulting L.L.C. in Philadelphia.
Of course, some vendors need to cross-train staff to handle multiple job functions in case of illness, Mr. Hernandez said. "What we look for in those situations are compensating controls to ensure there's no fraud" when employees must assume additional duties.
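The two controls Mr. Hernandez describes, least-privilege access and a compensating control for staff who temporarily cover another job, are easy to state and easy to get wrong in practice. The following is an added illustration written for this page, not code from the article or from any company named in it; the role names, datasets, employees and approvers are constructed for the example. It grants each role only the permissions its job needs, lets an employee temporarily assume a second role only with a named approver, a time limit and a log entry, and requires a second approver when the combination of roles would let one person both alter claims and alter payments.

```python
"""Least-privilege access checks with compensating controls for cross-trained staff.

Added example for this page; roles, datasets and people are constructed, not real.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Minimum (dataset, action) permissions each job needs; nothing more is granted.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "claims_processor": {("claims", "read"), ("claims", "update")},
    "billing_clerk": {("claims", "read"), ("payments", "read"), ("payments", "update")},
    "auditor": {("claims", "read"), ("payments", "read"), ("access_log", "read")},
}
# Role pairs that let one person both create a claim and pay it (fraud risk).
TOXIC_COMBINATIONS = {frozenset({"claims_processor", "billing_clerk"})}


@dataclass
class Delegation:
    """A temporary second role, e.g. covering a sick colleague."""
    role: str
    approved_by: str
    expires_at: datetime


@dataclass
class Employee:
    user_id: str
    role: str
    delegations: List[Delegation] = field(default_factory=list)


@dataclass
class AccessDecision:
    allowed: bool
    reason: str


class AccessPolicy:
    MAX_DELEGATION = timedelta(days=14)  # constructed limit; tune per contract

    def __init__(self) -> None:
        self.log: List[dict] = []  # every grant and every access decision is recorded

    def effective_roles(self, emp: Employee, now: datetime) -> Set[str]:
        """Own role plus any delegated role that has not expired."""
        return {emp.role} | {d.role for d in emp.delegations if now < d.expires_at}

    def delegate(self, emp: Employee, role: str, approved_by: str, days: int,
                 now: datetime, second_approver: Optional[str] = None) -> Delegation:
        """Compensating control: temporary roles are approved by someone else,
        time-boxed, logged, and need a second approver if they create a
        toxic combination of duties."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        if approved_by == emp.user_id:
            raise ValueError("delegation must be approved by someone other than the grantee")
        if days <= 0 or timedelta(days=days) > self.MAX_DELEGATION:
            raise ValueError("delegation length out of bounds")
        combined = self.effective_roles(emp, now) | {role}
        conflict = any(pair <= combined for pair in TOXIC_COMBINATIONS)
        if conflict and second_approver in (None, approved_by, emp.user_id):
            raise ValueError("toxic role combination requires an independent second approver")
        d = Delegation(role, approved_by, now + timedelta(days=days))
        emp.delegations.append(d)
        self.log.append({"event": "delegate", "user": emp.user_id, "role": role,
                         "approved_by": approved_by, "second_approver": second_approver,
                         "sod_conflict": conflict, "expires_at": d.expires_at.isoformat()})
        return d

    def check(self, emp: Employee, dataset: str, action: str, now: datetime) -> AccessDecision:
        """Allow only if some effective role explicitly grants (dataset, action)."""
        for r in sorted(self.effective_roles(emp, now)):
            if (dataset, action) in ROLE_PERMISSIONS[r]:
                via = "own role" if r == emp.role else f"delegated role {r}"
                self.log.append({"event": "access", "user": emp.user_id, "dataset": dataset,
                                 "action": action, "allowed": True, "via": via})
                return AccessDecision(True, via)
        self.log.append({"event": "access", "user": emp.user_id, "dataset": dataset,
                         "action": action, "allowed": False, "via": None})
        return AccessDecision(False, "no effective role grants this permission")


def demo() -> List[bool]:
    """Walk through a cover-for-illness scenario; returns the access outcomes."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    policy = AccessPolicy()
    alice = Employee("alice", "claims_processor")
    results = [policy.check(alice, "claims", "update", now).allowed,      # True
               policy.check(alice, "payments", "update", now).allowed]   # False
    # Alice covers billing for five days; needs a second approver (toxic pair).
    policy.delegate(alice, "billing_clerk", "bob_manager", 5, now, second_approver="carol_audit")
    results.append(policy.check(alice, "payments", "update", now).allowed)                        # True
    results.append(policy.check(alice, "payments", "update", now + timedelta(days=6)).allowed)    # False
    return results


if __name__ == "__main__":
    print(demo())
```

The point the paragraph makes is visible in `delegate`: cross-training is accommodated, but only through a path that leaves a record and cannot be self-approved, which is what an auditor later asks to see.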
Mr. Greisiger recommended that contracts require vendors to both employ dedicated security teams and demonstrate they have strong security processes, such as software patch management.
Patches can create numerous system problems, he noted. Therefore, they have to be tested before they can be installed, a process that can take three to six months per patch, he said. "It's a very daunting process to keep on top of."
Mr. Greisiger also recommended requiring vendors to conduct penetration tests to check whether their security can be breached. He noted that penetration tests his firm has conducted found that 75% of clients with dedicated security teams and ample security budgets still had serious security problems.
Because data security cannot be 100% guaranteed, most vendors try to negotiate a liability provision of no greater than two or three times the value of their contract, Mr. Navetta said.
But contracts should hold vendors liable for the ultimate cost of any data breach that is the vendor's fault, Mr. Hernandez said.
Credit card companies, for example, typically fine the acquiring banks that process merchants' card transactions from the high six figures to seven figures when data breaches lead to cardholder losses. The acquiring banks pass those fines along to the merchants responsible for the data breach.
But few merchants have had contractual stipulations that hold vendors liable for those fines, experts said.
A slowly growing number of companies, however, are imposing such provisions, Mr. Hernandez said.
But the success of including a liability contract provision will come down to "the power of the customer," Mr. Greisiger said. "If you're a small customer and you need that provider to conduct your business, you can't negotiate."
Within the liability provision, companies should require vendors to purchase data security insurance and name the company as an additional insured, Mr. Navetta said (see story, page 24).
Contracts also should include provisions on how data would be protected if the company switches vendors once the contract ends, Mr. Kalinich said.
"Usually, people don't think about these terms upfront," but the transition of data from one vendor to another is "where bad things can happen," he said.
Even with a tough contract, vendors have to be audited, experts stressed.
Mr. Hernandez said auditing is the best way to minimize the risk of vendors' data breaches. "You just can't trust that they're doing what they say they're doing."
Mr. Hernandez noted, for example, that a company for which SMART Business conducted credit card data security work would occasionally check the consultant's operations at random. The client's representatives would visit the consultant's offices unannounced periodically and examine a couple of laptops to ensure the equipment was secure.