Organizations have much more than just data to lose in a third-party breach. Besides losing consumer confidence and loyalty, companies in both the United States and the EU can face costly penalties for violating data privacy regulations.
During National Cybersecurity Awareness Month (NCSAM), it is also appropriate for organizations to be aware of the risks of non-compliance. Failing to comply with HIPAA can cost as much as $1.5 million per year for each violation category. Fines for violating the EU's General Data Protection Regulation (GDPR) can reach €20 million or 4% of total worldwide annual turnover, whichever is greater. And the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020, allows civil penalties of up to $7,500 per intentional violation of a consumer's rights.
To get a sense of what non-compliance can cost, one need look no further than last year's €50 million (roughly $57 million) GDPR penalty that France's data protection authority, the CNIL, issued to Google: the first major fine under the regulation, and the first of many that non-compliant businesses have faced since.
It is important to understand that an organization breached through a non-compliant third party can still be held responsible and face stiff penalties itself; under GDPR, for example, a data controller remains accountable for the processors it engages. For this reason, it is essential to verify that vendors comply with the regulations that apply to the data they handle, rather than taking their word for it.
Here are some key requirements to consider:
EBA Third-Party Outsourcing Regulations
The European Banking Authority (EBA) oversees banking activity in the EU and has issued guidelines on outsourcing arrangements (EBA/GL/2019/02) that address third-party risk. When banks and other financial institutions in the EU use third-party vendors, they remain fully responsible for the outsourced function and must ensure that the vendors provide the same level of protection for their customers that the institutions themselves are required to provide.
Understandably, the challenge of verifying that all of a bank's third-party vendors comply with the EBA guidelines is real, which is why the guidelines set out requirements for pre-contract due diligence, contractual terms and ongoing monitoring to steer institutions when selecting and managing vendors. Any outsourcing arrangement entered into on or after 30 September 2019 must already comply with the guidelines, and arrangements that predate that date must be reviewed and brought into line by 31 December 2021. This means that banks and financial institutions will have to reevaluate their existing vendors' compliance with the EBA guidelines or face action from their national supervisors.
GDPR and CCPA Right to Deletion
If your vendor is subject to GDPR, CCPA or any of a number of other privacy regulations, it must be able to honor consumer requests to delete their data, either directly or, when it processes data on your behalf, by assisting you with the requests you receive. This means the vendor must have a way of knowing where every copy of each consumer's data is located within its systems.
The vendor may have to work through a "data mapping" and "data flow" exercise just to understand where all of this data resides before developing the software functionality that will delete the data in question. In addition, if the vendor has implemented a proper backup regime, even the customer data held in backups may have to be deleted or, at a minimum, tracked so that it is not silently restored after a deletion request has been honored.
GDPR Breach Notification
Will the vendor know if it has been breached? Under GDPR Article 33, a data controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, and a processor must notify the controller without undue delay after becoming aware of one. A vendor therefore needs logging, intrusion detection and an incident response process in place so that it actually knows when a breach has occurred and can report it in time.
NYDFS "Minimum Cybersecurity Standards" (23 NYCRR Part 500)
This may be one of the toughest requirements. New York's Department of Financial Services requires covered financial companies to maintain a cybersecurity program and, under Section 500.11, to have written policies for the security of information accessible to or held by third-party service providers. In practice, the vendor will need to implement an information security management system, with controls drawn from standards such as the NIST Cybersecurity Framework or ISO/IEC 27001/27002.
Keep in mind that compliance does not guarantee security. The threat landscape is constantly changing, often significantly faster than the regulatory landscape, and a vendor that passed an audit last quarter may be exposed today. The additional task of monitoring tens, if not hundreds, of third-party vendors simultaneously only exacerbates this challenge. However, organizations can significantly reduce risk by effectively screening vendors before onboarding and continuously monitoring them afterward for both security threats and compliance.
This is the third in a series in honor of National Cybersecurity Awareness Month (NCSAM) and is dedicated to helping organizations guide suppliers with their cybersecurity.