Insider Threats Part 3 – Making Third-Party Risk Management A Priority

By Antonia Dumas, Associate at XPAN Law Group LLC

In the first blog of this insider threat series, we discussed the importance of changing the perspective regarding third-party relationships as insider threats. Then we turned to more obvious threats, your own employees as your weakest link. However, now we turn to the need to make third-party risk management a priority.

Third-Party Breaches Are Now A Frequent Headline

Just within the last month, we had another big name company get hit by a third-party data breach. And not just any big name company, but Quest Diagnostics (“Quest”), a Fortune 500 healthcare company that is the largest provider of clinical laboratory testing services in the US (i.e., a processor of large amounts of sensitive personal information).    

The breach resulted from an infiltration of one of the vendors used by Quest’s vendor and caused the exposure of the records of around 12 million customers. Quest contracted a vendor (Optum360) for billing collection services that in turn uses a vendor to provide its services,  American Medical Collection Agency of New York (“AMCA”). As Quest announced in its initial public statement, an unauthorized user gained illicit access to the AMCA’s payment page and AMCA believed that personal information was accessed, including “certain financial data, Social Security numbers, and medical information, but not laboratory test results.”  Quest provided an update this month including additional details about the breach (unauthorized access between August 1, 2018 to March 30, 2019) and AMCA’s breach response (including forensics review and notices sent to affected individuals). AMCA clarified that the information contained on the affected system included a large range of personal information and specific information regarding medical services, financial information and even diagnosis codes. However, it is important to remember that AMCA had access (via Optum360) to all of this personal information regarding Quest patients when it was only providing billing collection services. Had Quest been proactively managing its third party relationship with Optum360 (and AMCA) – such as limiting the amount of data it was given access and imposing appropriate security and privacy requirements  – Quest could have arguably reduced the risks of unauthorized use or disclosure of its patients’ personal data. 

While not the largest breach to date, the attack affected the most valuable categories of information: personal identifiable information, financial information and healthcare information. So far, the breach has resulted in a class action suit being initiated in federal court as well as AMCA filing for bankruptcy. The pending class action has been filed against all three parties in the data processing chain (Quest, Optum360 and AMCA) partially based on the breach of Quest patient information and its alleged failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect that data.  We will be on the edge of our seats waiting to see the outcome and what it may provide as guidance on requirements for third-party risk management.

FTC Cracks Down On Third-Party Breaches To Prevent the Ripple Effect 

The FTC has been trying to crack down on requirements for managing security risks in general and third-party risks in particular.  In 2018, the Federal Trade Commission (“FTC”) sought enforcement of privacy and security safeguards and third-party management on various companies by requiring the implementation of a comprehensive security program and have a third party audit the program periodically (see previous blog here). 

However, the FTC has also identified security requirements that should be imposed on third party service providers, even internal standards and security management. As the FTC noted in its announcement of its settlement with DealerBuilt, third party breaches due to “lax security practices” of third-party service providers create a domino or ripple effect (which we have seen time and time again). Furthermore, when business that contract to use these types of software or other third-party services, they often fail to conduct any third-party assessments or attempt to control the security of the third-party relationship (i.e., requirements around how data is accessed, used, transferred, etc.). 

DealerBuilt, an industry-specific software for auto dealers developed by LightYear Dealer Technologies (and a big name in the business), sells licenses of its software to collect and maintain large amounts of sensitive data (including financial, payroll, accounting, and other information about consumers and employees). Like many software licenses, they provide an option to host the software on the client’s servers or on DealBuilt’s servers (and conduct regular backups). 

In the FTC’s Complaint, it alleges a series of security failures that show a general lack of security since June 2017, including: failure to maintain a written information security policy, to implement reasonable employee training or guidance, to assess risk to personal information stored on network, to use readily available security measures to monitor and identify security events; and failure to use reasonable access controls. And in particular connection with the breach: (1) Improper storage consumer personal information on computer network in clear text; and (2) Failure to have reasonable process for storage devices. Due to DealerBuilt’s failures, an employee was permitted to unilaterally purchase and connect a storage device to the network without taking any steps to avoid the open connection that was created which allowed a hacker to enter the system’s backup database and access the personal data of more than 12 million customers. 

The FTC’s proposed consent order in the DealerBuilt case has provided more detailed requirements.The order includes: (1) a mandated information security program that includes designated individuals to be responsible for the program, reporting annually to the board of directors, and requires the implementation of internal and external safeguards (including training, technical measures, data access controls, encryption of social security numbers and financial information , policies and procedures for all devices, etc.); (2) third-party assessments of its program every two years (which it has required before), and (3) annual certification by senior corporate manager. 

Domestic Privacy Law Are Imposing Proactive Measures 

The FTC is not the only source that businesses can look to when determining the key components of a strong privacy and security third-party management program.  Privacy laws are emerging throughout the United States and imposing proactive security and privacy requirements including the management of third-party relationships.  Some laws generally establish a duty to safeguard data (which includes data sharing and transfers to third-parties) and require the implementation of security and privacy programs (also addressing third-party transfers and disclosures). For example, businesses must implement and maintain reasonable security procedures and practices to protect personal information under the California Consumer Privacy Act (“CCPA”) (Sec. 1798.150). As written, this blanket requirement would require active management of third-party relationships and their handling of data impacted by the CCPA.  Other privacy laws require reasonable care of protecting data from unauthorized third-party disclosures and insecure transmission of data to third-parties. (Illinois Biometric Information Privacy Act, Sec. 10 and 15(e); Texas Biometric Act, Sec. 503.001(b)(2) and (c)(2); and Washington’s biometric law, Sec. 19.375.020(2)(4)(a)).  Some laws are requiring the implementation of a comprehensive security program (like the Vermont data broker law, Sec. 2430),which would seem to include third-party management. The New York Department Of Financial Services Cybersecurity regulations makes it clear that it not only requires the implementation of a comprehensive cybersecurity program (Sec. 500.02)) but also the oversight of third-party providers (Sec. 500.04; 500.11). 

As new laws are proposed, more will require proactive management of third-parties and imposing appropriate security safeguards on third-parties. 

Start Taking Action To Protect Your Business

As more breaches are resulting (or better said, being discovery) due to poor third-party management or a lack of incorporation of third party management into privacy and security programs, businesses need to make third-party risk a priority. Furthermore, as the FTC is starting to crack down on business and emerging privacy laws are imposing proactive measures, it makes sense to include third-party risks as an essential item in any privacy and security plan.  

Businesses should develop a comprehensive privacy and security plan that includes strong corporate and employee policies and procedures as well as continuous training and awareness. This comprehensive privacy and security plan should include a third party management program.  On the one hand, this program should set standards and best practices for all your vendors and third-party service providers (including software licenses, cloud-based services, etc). On the other hand, this program should also establish vetting policies and procedures for your employees. XPAN assists its clients with the development of such programs, vendor due diligence, vendor contract review, among other services.  

* * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.