Do CIOs Need to Worry About Service Providers?

By now we’ve all had the experience of getting a letter explaining that our credit card information has been compromised, a sincere apology about the trouble this is going to cause us, and an offer of credit reporting services for a year. Yes, if you have a pulse and a credit card or bank account, you’ve probably gotten more than one of these.

Did you know that this happens to businesses, too?

We just got this type of letter from one of our customers. Let’s call them Well Known Company, Inc. (WKCI).  The letter from WKCI was contrite and apologetic and helpful. It explained that their service provider, let’s call them A Very Large Bank (AVLB) had experienced a data breach and our company information may have been compromised. Yes, WKCI outsourced some of their financial operations to AVLB, and AVLB had a data breach and our company information may have been lost.

Notice that the breach notification came from WKCI, and not from AVLB, the bank that lost the information.

What ??? !!!

Did Well Known Company have to bear all of the costs of breach notification, credit alerts, and potential litigation even though they didn’t actually lose the data?

Yes, it doesn’t seem fair, but that is how breach notification works. You are responsible for insuring that sensitive data is protected, even when it leaves your control and passes to one of your service providers.

Actually, WKCI is a company that I know is very diligent about protecting data within their IT infrastructure. They follow security best practices and are very diligent about encrypting and monitoring their systems. The IT security team is one of the best.  So, it seems doubly unfair that they bear the brunt of the data breach notification costs in this case. It is unfortunate that their bank was not so careful.

As a CIO or IT director, what can you do to protect your company from this type of data loss?

Here are three things you can do:

1. Educate the senior managers in your company about the risk of data loss through service providers. Once they understand that your company is at risk even after the data leaves your control, they will get on board with the following steps.
2. Work with your legal team to incorporate data protection language into all of your service agreements. Don’t sign any new service contracts that don’t explicitly require the service provider to certify that they encrypt data at rest and in motion, and use encryption key management best practices.
3. Encrypt sensitive data before you send it to service providers. Don’t just encrypt the transfer session (data in motion), but encrypt the actual data. This will force your service provider to have the necessary encryption infrastructure to protect the data.

We know that the average cost of a data breach is about $200 per record, sometimes adding up to millions of dollars. Unfortunately, that is a cost that you will bear even if you are not directly responsible for a breach.

Hopefully these suggestions will help you reduce the chances of being WKCI!

Patrick