Small businesses and non-profits often overlook one important part of their cybersecurity program: third-party management.
What is Third-party Management, and Why Does It Matter for Small Businesses and Non-profits?
Third-party Management is the process of reviewing the technology providers and other service providers who are “third parties,” that is, outsiders to your organization, and understanding their relationship with your customers and community. It matters in a cybersecurity context because your organization can’t directly control what a third party does with the data you provide or how it secures that data. Small businesses and non-profits often assume they are not large enough to influence a third party’s data practices, but there is a lot a smaller organization can do to protect the data it owns or collects.
Imagine a scenario like this: TriumphT is a small screen-printing business that specializes in making T-shirts and jerseys for community activities, such as sports teams. TriumphT has grown recently, and managing information about its customers in a spreadsheet is no longer working well. TriumphT is considering working with a software provider that delivers Customer Relationship Management (CRM) solutions to better manage, organize, and market to its customer base. TriumphT is inclined to just sign the contract because the CRM solution provides everything TriumphT wants, at a good price. What could go wrong?
Data Control and Ownership: Do You Know How Data Will Be Used?
Most organizations do not want a vendor they’ve already paid to use data about their customers, clients, or community members without their approval. However, unless the contract includes restrictions, a third party may use these data and claim that the contract did not prohibit such use. For example, the CRM contract might contain a provision that allows the vendor to take TriumphT’s data and use it for its own purposes, such as selling data about TriumphT’s customers to targeted advertisers for a profit. Or the CRM contract may simply have no language that prevents such use, so the CRM company believes it can use the data without restriction. If customers, clients, or community members suddenly begin receiving advertising from a variety of other organizations, they may not want to use TriumphT’s services anymore.
Cybersecurity: Are You Ready to Pay for Another Company’s Mistakes?
Organizations like TriumphT may not immediately think that there are any privacy issues in their business model or that their data could be valuable to outsiders. After all, TriumphT screen prints T-shirts and jerseys; it doesn’t collect, for example, health data. However, personally identifiable information, such as customers’ contact information and the names of individuals, some of whom may be children, will be printed on the jerseys, and these data might be stored in a technology solution. What happens when that technology solution is compromised by hackers?
Usually, one or more of the following can occur after compromise:
· If data is stolen and misused by hackers, TriumphT could lose its customers.
· If personal information is compromised, under state law TriumphT will likely be responsible for notifying all of the individuals whose information has been compromised.
Because TriumphT originally collected the data, it will likely have to pay the cost of notification via registered mail, any fines that result, legal assistance, and potentially forensic services to determine what occurred. The current average cost after a data breach is between $150 and $175 per record. If TriumphT has collected 1000 names, the cost would be around $150,000, money that most small businesses and non-profits do not have readily available. And that money cannot then be used for business improvements or for actual services provided to the community.
What Can Small Businesses and Non-profits Do to Avoid These Issues?
Start with the basics. Before signing a contract with any technology solution provider or other provider, understand their data practices.
Third-Party Risk Assessment
In security, we call this a third-party risk assessment: you send a list of questions to the third party and receive written responses (which you should retain in your records). Although there are sophisticated models for conducting these assessments, consider starting with basic questions and interviewing more than one third-party vendor. These questions will help you learn more about each vendor’s practices and determine whether the cost is worth the potential risk. Some examples of questions you might ask (before signing a contract!) are as follows:
· How do you ensure that my data will not be used for your company’s commercial benefit?
· How do you prevent your personnel from accessing my confidential data?
· What security training practices do you have for your personnel to protect my confidential data?
· How will you store my data? Is it physically or logically separated from your other customers’ data?
· Describe your cybersecurity program. Please share policies and procedures you use to maintain your program.
· How frequently do you review your program? Please offer an example of the last change you made to your program after a review.
· Do you assess your third parties? Please describe your process.
· Do you currently maintain any certifications of your cybersecurity program? If so, please list the types of certificates you maintain.
· Are you willing to negotiate reasonable cybersecurity contract provisions?
These questions only begin to scratch the surface of a complete third-party assessment, but they should give you a better idea of how a third party handles your data. These questions can be adapted to any number of third parties, whether a third party provides catering services or software services.
If you don’t receive satisfactory answers, the benefit of a third-party assessment is that you can consider other options. If you decide to proceed, you are more aware of potential risks. These assessments can be conducted throughout your relationship, even if you have already signed a contract, but they are most powerful before you sign.
Although third-party assessments are very useful for choosing a vendor, contractual provisions are essential to ensure your organization can financially recover when unforeseen circumstances occur. Without the ability to recover, an organization may well have to close its doors. Consider the following example:
Rights! is a religiously affiliated community advocacy group that assists church members in navigating the government services available to them. Rights! purchased a cloud-based software solution to track all of the individuals receiving services, information about them (such as disability status, medical needs, income status, and date of birth), which services were successfully obtained, and which services are still in progress. Rights! signed the vendor’s form contract and did not negotiate the contract details. The vendor did not use reasonable security controls, and all of its customers’ personal details have been compromised. Rights! provides services to California residents, and now it is required to notify each individual that their personal details, including sensitive information, may have been misused. Rights! operates on a tight budget funded mainly by church donations and does not have the financial ability to notify each individual. Rights! is now forced to choose between fundraising to pay for notification or shutting down the non-profit, negatively impacting hundreds of its clients. What could Rights! have done differently?
Although a legal representative may be retained for assistance with contracts, small businesses and non-profits certainly can include language on their own, as well. Examples of key information to include are as follows:
· A clear description of which data belong to the organization and limits on what the vendor may do with the data (for example, “data may not be used for the vendor’s own purposes and must be used only to provide services to the organization”)
· A definition of what constitutes personal information that must be protected under “applicable laws,” including examples of what your organization collects (which ensures that the contract’s data breach provisions apply to the data you actually collect and not to some narrower definition)
· The vendor must use “reasonable security practices” to protect such data (or more specific language if desired)
· The ability to conduct risk assessments on the vendor at least annually
· The vendor must notify you “as soon as possible” regarding any data breach of your data
· You have the ability to assess, audit, or forensically investigate the vendor, at the vendor’s expense, following any probable data breach; the vendor will take reasonable action as soon as possible to correct issues identified; and the outcomes of these assessments or audits are shared with you.
· The vendor must pay for the cost of data breach notification and forensic services when the data breach occurs due to their actions/inaction, including any legal actions taken against you
· An exception to any limitation of liability or liability cap for data breaches (many contracts limit the payout for breach of contract to the value of the contract, and a data breach may cost far more than that)
· You may terminate the relationship with no penalty to you upon probable data breach or evidence that the vendor is not reasonably protecting the data
What Do I Do If a Vendor Doesn’t Agree to These Provisions?
Every organization can choose which organizations it does business with. Organizations make any number of risk decisions on a daily basis, such as “will this vendor be able to scale to fit my growing organization?” or “is the price worth it?” Cybersecurity is no different. If an organization prefers to do business with a vendor that does not have strong security practices, the organization may wish to conduct more frequent third-party assessments or consider getting cyber-risk or cyber-liability insurance to offset the potential costs should a data breach occur. Your organization may prefer to take the risk for a better price, but at least the risks are then known to you.
If your organization needs cyber support, please visit 1600 Avenue's NPCC (National Privacy and Cybersecurity Center).