Outsourcing can place sensitive data in the care of third parties. If the data goes missing, it could be more than just your reputation that suffers
During August 2009, three men were charged with hacking into the IT networks of Heartland Payment Systems in the U.S., compromising more than 100 million credit and debit card details. This major credit card payment company processes millions of transactions a month for 175,000 retail merchants. Such an incident - while registering as probably the largest data breach in U.S. history - is just one of a stream of high-profile cases involving third parties.
In a global marketplace, outsourcing has become increasingly popular as an ever-wider range of functions are handled externally. They range from data centre operations, payroll, data processing and disaster recovery, all the way through to marketing and communication services.
The trouble is that the abundance of third party suppliers for various services can often lead to reduced information 'visibility'. This may be good for your bottom line, but third party relationships pose a whole new set of security risks - risks that are not priced into the cost of outsourced services. Yet it seems that both public and private sectors have been slow to realize the dangers. Executives are often happy to accept the risk until problems arise and their company's reputation is in jeopardy.
Recent headlines have now made third party supplier management a top concern. In India, earlier this year, credit card details were stolen from a call centre used by a global IT firm. In 2007, a laptop was stolen from a printing company used by a top UK retailer; the laptop contained personal details (such as salary details and national insurance numbers) of the retailer's 26,000 employees.
Have we seen it all?
Surprisingly, however, according to KPMG's Data Loss Barometer, third parties have accounted for a minority of security incidents (11%) in 2009 so far. But is that just the tip of the iceberg: how many cases go unreported?
From our member firms' experience helping organizations address their third party risks, third parties can often be unable or unwilling to report security incidents. With this in mind, how many companies are being left in the dark?
Protecting data that's beyond your control
Organizations need to understand that they are liable for data protection breaches that happen on third party premises. They are responsible for managing activities conducted through third party relationships, and for identifying and managing the risks that arise from those relationships - to exactly the same extent that they would be if such activities were conducted within their own organization.
So, once that is understood, how does an organization go about safeguarding the data it has entrusted to third parties?
First, you must decide, through risk assessment and due diligence, whether or not to enter into a third party relationship.
Next, ensure that contracts are structured to cover the necessary aspects of information security: what are the respective roles and responsibilities of the parties involved; how will adequate security be achieved; how will this be reported; how will disputes be resolved? Those are just some of the questions about which you should satisfy yourself.
Of course, when dealing with contracts, you should also seek legal counsel. And stand your ground if you encounter resistance over the time and cost of security provisions. The initial outlays are definitely worthwhile if they lessen the impact of a security incident.
Next, put controls in place in your own organization to ensure that data is properly managed, secured, stored and processed. Each process and third party relationship will differ, of course, so the risks and controls will vary too.
Finally, organizations should be vigilant in ensuring not only that services are provided as agreed, but that security is tight. No system is foolproof, so you'll also need effective strategic planning. Third party relationships are here to stay, but those who take the necessary precautions will, hopefully, avoid making headlines for all the wrong reasons.
By Pieter van der Merwe, KPMG in Australia (p.vandermerwe@kpmg.com.au)