
What should you do when third-party compliance is failing?

Third-party compliance is a necessary part of securing your organization's data. Expert Matthew Pascucci discusses what to do if you suspect a business partner isn't compliant.

What do I do if I suspect one of my company's business partners or a third party we work with isn't taking the necessary steps to secure our data? How do I challenge third-party compliance if I believe the business is not properly guarding the security of all the information of its customers?

Data that is held, processed or transmitted by a third party always carries security risk. Essentially, you have to trust an organization other than your own with the security and care of your data.

The third party or business partner could perform security up to or even beyond your standards, but there's always the possibility for negligence. If there's even the slightest concern that a third party is being careless with the security of your organization's data, you should act immediately.

Before giving your data to a third party or business partner, there should be a thorough review of the partner and how it performs security. This can include security questionnaires, on-site visits, audits of the third party's environment and a review of its regulatory certifications. Vendor management has become one of the largest areas of concern when it comes to data governance, and it's a growing risk if due diligence isn't done upfront.

Not only should an organization do a thorough review of the vendor's or third party's compliance before handing data over, but its legal department should be involved to put a contract into writing. The contract should state the responsibilities of the vendor, the liabilities for which it's on the hook if data is breached, and how the vendor will respond. Large vendors might not allow changes to their contractual wording, but the wording should still be discussed and reviewed by your organization's legal counsel before the data is handed over. The contract could also include a clause granting your organization a third-party compliance audit if there's concern about the way data is being handled.

If there isn't a binding contract on how data should be handled, and no due diligence on the environment and how the data's security and privacy are being upheld, it's probably time to migrate away from the third party, if possible. Just the fact that you're already concerned with the handling of the data is worrisome.

If there's nothing in place to protect the organization's data or its right to review how its data is being secured, raising the concern with the provider while it still has access to the data could be risky. If the relationship your organization has with the third party does not allow you to freely ask these questions, I'd recommend migrating all the data out of the provider's environment and into another that's been vetted for security, with your legal team advising on the contractual language of the agreement.

After the new environment is set up, delete all the data from the suspicious provider and end the contract. The biggest issue here is having the replacement vendor vetted and tested before removing the data from the risky vendor. Ideally, the exit process also includes secure deletion of your records on the way out.

It's always recommended that you understand your third-party compliance and incident response plan, as well as the role that your organization will play if the data is breached. Also, it's necessary to understand the data flow process and how your data is stored, processed and transmitted along the entire supply chain for you to understand where the risks are.

If it's possible for your organization to encrypt the data before handing it over, doing so may limit the impact of weak controls on the vendor side. Lastly, if all else fails, take out a cybersecurity insurance policy covering loss of the data given to the third party, as a way of offsetting costs related to a breach on the vendor side.
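The encryption suggestion above is the one technical control in this answer, so here is an added example of what it looks like in practice; it is not code from the original column or from Matt Pascucci. It assumes the organization keeps an AES-256 key in its own key store and seals each record with AES-GCM before the record leaves for the vendor, binding a record identifier as additional authenticated data. The vendor then stores only opaque blobs: its weak controls cannot expose plaintext, and any modification on the vendor side is detected when the blob is opened. The customer record is a constructed sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keyLen selects AES-256. The key is generated and held by your own
// organization (an HSM or KMS in practice); the vendor never receives it.
const keyLen = 32

// newKey returns a fresh random AES-256 key.
func newKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// gcmFor builds the AEAD used by sealRecord and openRecord.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts one record before it leaves the organization.
// recordID is bound as additional authenticated data, so a blob that is
// moved to a different record in the vendor's store fails to open.
// Output layout: nonce || ciphertext || GCM tag.
func sealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// openRecord decrypts a blob retrieved from the vendor and verifies its
// integrity. Any change to nonce, ciphertext or tag, or a mismatched
// recordID, yields an error rather than silently corrupted plaintext.
func openRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

// vendorCanRead reports whether the plaintext is visible by simple
// inspection of what the vendor stores (it should never be).
func vendorCanRead(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real customer data.
	record := []byte(`{"customer":"A. Example","ssn_last4":"1234"}`)
	blob, err := sealRecord(key, "cust-0001", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("vendor stores %d bytes; plaintext visible: %v\n", len(blob), vendorCanRead(blob, record))

	// Simulate a vendor-side modification of the stored blob.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)/2] ^= 0x01
	if _, err := openRecord(key, "cust-0001", tampered); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}

	pt, err := openRecord(key, "cust-0001", blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("intact blob decrypts correctly:", bytes.Equal(pt, record))
}
```

The design choice worth noting is the authenticated record identifier: encryption alone hides the data, but binding each blob to its record also catches a vendor-side swap or corruption, which is the kind of silent mishandling the column warns about. Key management stays entirely on your side of the contract.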



This was last published in September 2017
