Brad Kelso / FPS Lead Privacy Expert and Consultant  

To reduce costs, US companies commonly outsource data processing to third parties vendors (“TPV’s) with HR, finance, and marketing functions leading the way. This usually includes sharing the business’ personal data into SaaS applications and ongoing data exchanges (e.g. API’s) that are outside the control of the business.

Concurrently, the increased risk from data breaches, encryptions, malwares shutdowns, and outright data loss has outpaced the controls of most companies. Third-party risk management processes are frequently incomplete, outdated, or disconnected from the data itself, resulting in tremendous risk exposure. Compounding this are new privacy laws and increased Federal enforcements that add fines and increased legal liability in the mix – the perfect storm.

Third-party Risk Management – It’s the LAW:

For Third Parties sharing or using personal data, privacy laws now require that:

1. Businesses identify by contract, the specific data purposes and limitations of the data’s use
2. TPV’s are obligated to comply with the legally define data stewardship obligations: data security, governance, disclosure, opt-out, sharing/selling, consent
3. Third Parties must notify (within 5 days) any failure or inability to comply as contracted
4. Third parties are prohibited from collecting, using, sharing or retaining data unless specified
5. Business must have control processes in place that ensure compliance and can remediate any data privacy or loss failure.

      (Paraphrased from CCPA Section sec. 7053 “Contracting Requirement for Third Parties”)

Did You Know?

• Most mid-sized firms have 15-30 TPV’s that process personal data of employees or consumers – 2/3 of these handle ‘sensitive personal information’ (Privageo).
• Third-party data breaches have increased to 17%. Of these 23% were to software publishers (Black Kite, 2022)
• On February 21, 2024, Change Healthcare (Parent of United healthcare) was ransomed. It impacted 50% of the health payee and claims submissions in the US…$100MM per day each of whom had Change, Optum, or United as a third party data processor.
• In 2016, Uber experienced a data breach as a result of a compromised vendor, Teqtivity, that gained access to email addresses and other information for more than 77,000 Uber employees.
• In 2020, Door Dash became aware that a third-party vendor was the target of a phishing campaign that exposed names, emails, addresses and phone numbers of customers, as well as last four digits of credit card numbers of Door Dash customers.
• Over half of TPV’s have subcontractors themselves, largely undisclosed. These ‘Nth’ Parties create hidden, uncontrolled risks to the primary data owner. (Deloitte, 2023 In a 2023 Deloitte study, 74% of respondents faced at least one third-party related incident in the last three years.)
• The 2022 average data breach cost is $161 per record averaging 27,000 records or $4.3MM of 2023, the average cost of a data breach in the US was up to $9.48M. (Statista, January 2024)

Bottom line: you are ultimately responsible for the data that you have shared with TPV’s.

You can implement a streamlined method to regain visibility, and deploy effective controls to decrease enterprise risk. Here are steps you can take right now to minimize your risk:

1. Identify all the vendors you share data with across the entire enterprise
2. Take inventory of the personal data types being shared, focus on sensitive data
3. Develop a framework for assessing the risk with each vendor
4. Classify vendors according to blended risk – the data and the entity’s risk
5. Develop vendor onboarding and offboarding processes
6. Have a new vendor vetting process in place
7. Monitor your vendors regularly – external security scans and questionnaires
8. Establish and maintain an ongoing data risk dialogue with key vendors

fpSOLUTIONS offers two fixed-price “Third-Party Vendor Management” packages to help deliver all the key pieces needed to get you ensure your data is protected.

fpSOLUTIONS Third-party “Gap Assessment” (single day) is just right for companies looking to quickly initiate better risk visibility and prioritize risk management by delivering:

• High level risk methodology for known vendors
• Risk scorecard on TPRM across the enterprise
• Introduces ‘Four Pillar’ approach to mitigation
• Identifies and prioritizes known Third-party risk gaps

fpSOLUTIONS Third-party “Foundations” Jumpstart (one week) extends discovery into initial program build-out by delivering: All of the Gap Assessment deliverables plus,

• Extended Vendor List Detail build-out
• Broadened program initiation in six areas
• Initial program stand-up

Either package is available with or without attorney engagement (as an option to add oversight for attorney client  privilege protection).

For more information on these packages or to simply gain clarity on data privacy protection issues, click on the image below.  Or contact us directly at CustomerService@fpsolutions or call 855-959-8882 and we’ll connect you to our privacy consultants.