They are here, are you ready?
Organizations rely heavily on third parties for improved profitability, faster time to market, competitive advantage, and decreased costs. Third-party relationships come with multiple risks, including strategic, reputational, regulatory, information security, and financial risks. In the recent Ponemon Institute survey, fifty-six percent (56%) of organizations say they had experienced a data breach stemming from a third-party security failure.
New privacy rules designed to better safeguard the personal data of individuals, including in third-party data breaches, are becoming requirements around the world. Recent laws include the EU’s GDPR, Singapore’s Personal Data Protection Act (PDPA), and Australia’s Notifiable Data Breaches (NDB).
New Canadian legislation just became law on November 1st, 2018. Known as the Personal Information Protection and Electronic Documents Act (or PIPEDA), it requires Canadian companies to alert their customers any time their personal information may have fallen into the wrong hands.
Among the new rules is a requirement that companies keep accurate data about cybersecurity safeguards for two years following, in case breaches are revealed down the line. The laws also call for “appropriate” digital safeguards at all parts of the business, including dealings with third-party contractors. The rules call for penalties of up to $100,000 per violation.
The United States is currently exploring a nationwide data breach mandate. With so many high-profile data breaches in the news, U.S. states are taking steps to tighten up their data breach notification laws. Since June 1, eight U.S. states have either amended or enacted tougher new data breach notification laws. Across the United States, there is growing acceptance of the idea that more steps need to be taken to protect personal information from falling into the wrong hands. The most recent Starwood (SPG) breach will only further this move.
In America, all 50 states (plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands) have now enacted legislation requiring both private and governmental entities to notify individuals of security breaches involving personally identifiable information.
You must not only protect customer data within your IT environment, but also ensure that the processes and practices of your third parties comply with the various regulations and requirements.
According to Gartner, many companies have yet to design IAM programs specifically for third parties, particularly when it comes to governance, risk and monitoring. In fact, Gartner has said that companies need an IAM program purpose-built to address the third-party challenges and that the customization of an IAM system will fall short of addressing all the challenges.
Companies should focus on third-party identity risk and lifecycle solutions. With a successful implementation of a third-party identity lifecycle solution, companies can answer a few questions:
- How many 3rd parties are in our environment?
- Who is the sponsor of a particular 3rd party?
- What partner does a particular 3rd party work for?
- What is the risk this individual poses to our organization?
- Does this third party still work for said partner, and are they still engaged with us?
We recently ran a web demo of our solutions on the 15th of November; here is the link to view the recording.