I have covered the business risks around third parties and data security from a PCI DSS compliance perspective in my previous post. The recent incidents of email and data losses by third parties (Play.com's breach and Epsilon's breach) hold some key lessons for businesses that rely on third parties to deliver their services.
Some of the key questions the leadership of a business engaging with third parties should be asking are:
1. Does an updated list of third parties exist?
2. What data is transferred across or handled by these third parties?
3. Are there any preventive/detective/corrective controls in place at the third parties to avoid/identify/remediate data loss?
4. What level of preventive/detective/corrective controls is in place, and how often are they reviewed? (SLAs/KPIs/Metrics)
5. In the event of an incident, what process (Incident Response Plan) is in place between the business and the third parties?
6. Are there appropriate contract clauses to protect the business from financial penalties and data losses?
Silverpop and Epsilon may have received their share of negative media coverage for the weak security controls behind the breaches. However, it is the businesses engaging such third-party service providers that have to rigorously review third-party security and ensure that their own reputation, operations and business are not impacted.