Remember the old shampoo commercial that claims consumers will tell two friends, and they'll tell two friends, and they'll tell two friends, and so on? The same can be said of private data when it comes to companies sharing their data with vendors.
Without the appropriate controls in place, it's hard to know where data will end up, but once a system is breached, there's a good chance sensitive information will be scattered to the winds. In the insurance arena, data is at risk at all phases in the industry lifecycle.
What are the potential implications of these breaches? Minimally, the owner of the data and its vendors suffer reputational and financial harm. Financial harm can come from several sources, from the cost of notifying affected customers, to the cost of fixing the process that caused a breach, to the cost of lost business due to customer dissatisfaction and mistrust.
The government is also applying increasingly onerous penalties. Recently, the California Department of Managed Health Care fined a health system $200,000 for exposing confidential health information. The Federal Trade Commission recently settled a lost-data case for $10 million in civil penalties and another $5 million for consumer redress. The risk and toll of data getting into the wrong hands appears to be on the rise.
Many organizations have a vendor governance policy that ensures their vendors take appropriate care of private data. These policies cover a variety of topics and require the participation and coordination of a number of functions. These functions include, but are not limited to, information technology, legal, risk management, procurement and subject-matter experts.
This coordination ensures that the needs and concerns of the entire organization are considered and, ultimately, the risks facing the organization are assessed and mitigated. But it's difficult to address the controls of the vendors of your vendors, or subvendors, especially when you don't know all of the parties involved.
KNOW YOUR SUBVENDOR
It's becoming more common for firms to specialize in one function and outsource others for economic efficiency, which begs the question: How is it that someone else can do the same thing for less money? Granted, sometimes savings are achieved because of economies of scale, but that's not always the case. Sometimes service providers cut corners in order to save money. What are the chances those corners being cut include things like encrypting laptops and implementing secure e-mail and file transfer protocols? Probably pretty good.
So what can you do if your data ends up in the hands of an organization that you don't know and, therefore, don't trust?
Get it in writing. As those who manage risk will tell you, the best way to control what your subvendors are doing starts with the contract with your vendor. Smart language in the contract can help you limit to whom your vendor gives your data and control how the data is utilized. However, if your data is already in the hands of others, you should act quickly to secure it.
Depending on the language in the vendor contract and the language in their contract with their vendors, it's likely that either you or your vendor has the right to audit the subvendor. How deep you may be able to drill into that audit will vary from situation to situation, but regardless of those limitations, there are still several steps you can take to reclaim control over your data.
HOW TO TAKE ACTION
Before a risk manager can begin, the initial step should be to understand your rights based on your contracts with your vendors and the contracts your vendors have with their vendors.
Ideally, you will have the ability to conduct site visits of both your vendors and the subvendors, but you may face several constraints. These could include frequency of visits, who attends, topics covered and the types of tests you can conduct. One of the most common (and significant) limitations is that you may not be allowed to conduct any testing directly with your subvendors, and you will have to rely on your vendor to be your proxy.
Do your due diligence. Before testing, you need to begin the due diligence regarding the subvendor. A logical place to start is identifying the data elements they have in their possession. Do they have Social Security numbers and other personal information such as dates of birth and addresses? Financial data? Healthcare information? Confidential or proprietary information?
Once you have an inventory of data, you need to understand their policies and procedures around the protection of that data. What are their controls around logical and physical access? Do they place limitations on what types of media the data can be stored on? How do they control the transmission of data both internally and externally? Finally, it is important to fully understand the services they are providing, with a primary focus on what they do with your data and with whom they may share your data.
Prepare an action plan. At this point, a company can begin scoping a plan of attack against privacy risks. Optimally, one can identify quick hits that will provide peace of mind with limited effort from the company, its vendor, or the subvendor. A good step is identifying any data elements that the subvendor does not require in order to provide their services or data elements that can be fully or partially masked. After any preliminary information like this is identified, the real work begins.
A full analysis starts with a set of key considerations drawn from your due diligence; for each item, compare your desired state to the current state and identify the gaps.
Review any gaps that may exist and complete a risk analysis to prioritize a list of action items. Once the key items to be remedied are identified, implementation plans need to be created and communicated to the vendor and the subvendor to obtain agreement on how to implement the fix.
This last step is a crucial one in the process as it is where companies are most likely to receive resistance. The best way to get participant buy-in is to demonstrate how implementing a change would strengthen their controls and make them a safer choice as a service provider.
Once in agreement, it's time to implement any corrective actions. Offering constructive assistance during the implementation will also help to ensure your company, its vendor and subvendor will achieve the desired results. In a sense, it helps to change the relationship from what can easily be perceived as oppositional to more of a cooperative partnership where goals are aligned.
And last but not least, monitor, monitor, monitor. Once this exercise is complete and the improvements made, it is logical to request reporting matrices on a scheduled basis. Developing and reporting metrics creates a win-win situation, as it provides the proactive risk manager with key reporting information to ensure that vendors and subvendors are doing what is expected. As long as they are meeting their targets, they will not need to commit any of their resources (time, money and people) to fix any emerging issues.
Now that the company and its vendor and subvendors have secured the information and improved the collective operations, you'll be happy to tell two friends.
PETER PEARLMAN is a consultant with Navigant Consulting.
November 1, 2007
Copyright © 2007 LRP Publications