March 25, 2014

Framework for Security: The Questions Your Vendors Should Answer About How They Handle Your Information

Written by Lynn Wangerin

Every business collects and stores some kind of data that needs to be protected, from confidential business information to customer data to employee information and protected health information. Although it’s nearly impossible to keep systems impregnable from data theft, it’s a business imperative that a good faith effort be made. So where do you start?

You can begin with the National Institute of Standards and Technology’s “Framework for Improving Critical Infrastructure Cybersecurity.” Released in February 2014, the framework serves as a set of industry standards and best practices to help businesses manage cybersecurity risks and comes to us one year after President Obama’s Executive Order “Improving Critical Infrastructure Cybersecurity.”

Instead of step-by-step instructions or tools, the Framework serves as a guidebook for outcomes, not a checklist. In using the Framework, a business makes its own analysis of its systems and processes.

The guidelines do advocate assessing cybersecurity risk in arrangements with external service providers with access to data.

On that note, here’s something to remember: According to Trustwave’s 2013 Global Security Report – which includes an examination of 450 global data breaches – in more than 60 percent of the cases, hackers obtained access through security deficiencies of vendors engaged to provide system support, development and/or maintenance.

If your agreements with vendors that have access to protected data do not address cybersecurity issues and standards, all of the risk remains with the owner of the data, because the vendor has no contractual requirement to protect the data or accept some of the risk in the event of a breach.

In addition to possible actions from those to whom a data breach relates (customers, employees, etc.), the Federal Trade Commission (FTC) has taken the position numerous times that a breach could have been prevented if steps were taken to require reasonable security in vendor agreements. Such was the case in its recent lawsuit against GMR Transcription Services related to a data breach involving medical transcription services.

Here are some questions to ask yourself in dealing with vendors: