Every business collects and stores some kind of data that needs to be protected, from confidential business information to customer data, employee information and protected health information. Although it is nearly impossible to make systems impervious to data theft, a good faith effort to protect them is a business imperative. So where do you start?
You can begin with the National Institute of Standards and Technology’s “Framework for Improving Critical Infrastructure Cybersecurity.” Released in February 2014, one year after President Obama’s Executive Order “Improving Critical Infrastructure Cybersecurity,” the Framework draws together industry standards and best practices to help businesses manage cybersecurity risk.
The Framework is not a checklist, and it does not supply step-by-step instructions or tools. It is a guide organized around outcomes: a business that uses it conducts its own analysis of its systems and processes and decides how to reach those outcomes.
The guidelines do advocate assessing cybersecurity risk in arrangements with external service providers with access to data.
On that note, here is something to remember: According to Trustwave’s 2013 Global Security Report, which examined 450 data breaches worldwide, in more than 60 percent of the cases the attackers gained access through security deficiencies of vendors engaged to provide system support, development and/or maintenance.
If your agreements with vendors that have access to protected data do not address cybersecurity issues and standards, all of the risk remains with the owner of the data: the vendor has no contractual obligation to protect the data or to bear any of the loss in the event of a breach.
In addition to possible claims from those whose data is breached (customers, employees, etc.), the Federal Trade Commission (FTC) has taken the position numerous times that a breach could have been prevented had the business required reasonable security in its vendor agreements. Such was the case in its recent enforcement action against GMR Transcription Services over a data breach involving medical transcription services.
Here are some questions to ask yourself in dealing with vendors:
- Does the vendor have the right to use your data?
- Is the vendor required to protect your data?
- Is your data stored in the cloud?
- Are you uploading data to a third-party site where it will be processed, placed in some type of report and returned to you?
- Is the vendor required to notify you in the event that the vendor has a security breach which might involve your data?
- Does the vendor subcontract and allow others access to your data?
- Is the vendor using the data for its own business and not just to provide the services to you?
- Do your practices in collecting, using and transferring the data match your vendor’s?