Including External Data Privacy in Procurement Events

Procurement Professionals – The Case for Requiring External Data Privacy Requirements in ALL Vendor RFx

Does your organization’s procurement department probe the external data privacy protections deployed by prospective vendors and partners as part of their RFi/p/q process?  Sure, they already have an entire section or three in their standard procurement events dedicated to information security, cyber security and other IT/IS related questions.  But as one breached organization after another can attest, cyber security does not properly address external data privacy and the consequences – even for the largest orgs – continue to be devastating.  Moreover, even if your organization already takes external data privacy management seriously, your vendors likely do not.  And third-party vendor risks are some of the biggest vulnerabilities facing enterprise organizations today when it comes to information security.   

Corporate procurement pros are tasked with ensuring all prospective vendors and third-party partners meet with myriad requirements before being awarded a new contract.  Whether it is to provide software products, manufacturing materials, business services, staffing/contingent workforce resources or any other product or service, Procurement decides whether a vendor has what is required to be awarded the contract.  They deeply examine features, functionality, price, financial stability and most importantly in today’s digital economy – acceptable information and cyber security.   

However, with the new Social Engineering Attack Surface rendering traditional security measures inadequate, Procurement departments must understand what’s changed in the security realm and how to determine if prospective vendors’ defenses are up to snuff before awarding the contract.

This white paper includes indisputable evidence of the need for Procurement to adopt an active and muscular posture when it comes to data privacy and protection requirements.  An examination of half a dozen recent data breaches initiated through third-party vendors to the victim organization will illustrate how dire the risk is.  Following the establishment of these facts will be a methodology providing best practices for including data privacy management questions in a procurement event to ensure any third-party vendor or partner observes the same degree of protection as your own organization does.

Evidence Proving Third Party Channels Are Rife with External Data Privacy Risk

At Privacy Bee for Business, staff scour the internet daily to catalog every reported data breach around the world.  The frequency and volume of data breaches is staggering.  Every single day, as many as 20 data breaches are reported and recorded in Privacy Bee.  It is important to note that not every unauthorized intrusion into secured data systems is the result of third-party vendors’ inadequate external data privacy policies or practices.  Many breaches occur as the result of attacks directly made against the target organization itself.  Whether the result of Social Engineering – Phishing, Spear Phishing, Smishing, Vishing, email spoofing and others – or more traditional avenues like brute force attacks, software vulnerability exploitation, insider threats and others, the threat of data breach is real.  Organizations must take all prudent steps to interrupt these threats. 

The focus on third-party vendor risk is especially critical though, because although an organization may spend significant time and budget on hardening its own cyber security (even external data privacy management), the best laid security programs are routinely undone by vendors with systems access and poor external data hygiene practices.  

For purposes of illustrating just how acute the problem of third-party vendor data breaches has become, review the recently reported breaches below.  These were all captured within the month of February 2024 as part of Privacy Bee’s daily capture of reported breaches.  Every single one of these was specifically reported to be a breach initiated via a third-party vendor of the victim organization.  It is worth noting that these were not the only such breaches occurring for the month.  There were literally scores more.  These few are just reported here to illustrate the pattern.

February 2, 2024 – Health Alliance Data Breach

Illinois-based insurance company, Health Alliance filed a notice of data breach with the U.S. Department of Health and Human Services Office for Civil Rights after identifying a data breach occurring at a subcontractor of one of Health Alliance’s vendors.  In the filing, Health Alliance revealed the incident resulted in an unauthorized party exfiltrating consumers’ sensitive information including names, Social Security numbers, addresses, member numbers, dates of birth, and health coverage information.

On December 20, 2023, Health Alliance received notification from one of its vendors, Ontrack, regarding a network disruption experienced by a subcontractor of Ontrack, namely Keenan & Associates, on August 27, 2023. Subsequently, Keenan initiated an investigation after disconnecting its network.

The investigation conducted by Keenan confirmed that certain records on its system, including those related to Health Alliance customers, had been accessed by an unauthorized party. Keenan then communicated the findings of its investigation to Health Alliance.

Upon discovering that sensitive consumer data had been accessible to an unauthorized party, Health Alliance undertook a review of the compromised files to identify the leaked information and affected consumers. This review process was concluded on January 23, 2024 and mailed letters to all those affected to alert them to the scope and nature of their exposure.   (Details from legal news outlet JD Supra)

February 12, 2024 – Bank of America Data Breach

One of the world’s leading financial institutions serving 69 million clients in more than 35 countries was not at all immune to the threat of data breach.  This, despite having likely some of the most formidable cyber security processes and practices in place. Nevertheless, on February 12. 2024, the financial leviathan was forced to make the embarrassing (and costly) announcement that their information systems had been compromised.  The personally identifiable information (PII) of an as yet undisclosed number of BofA customers was affected in the breach including individuals’ names, addresses, social security numbers, dates of birth, and financial information, including account and credit card numbers.

Once again, the way around the defenses of this leading, global financial institution was not by defeating its powerful encryption, hacking through hardened firewalls or finding vulnerabilities in the bank’s code to exploit.  All these potential weak spots were not present in BofA’s top notch cyber security organization.  Rather, the unauthorized parties found a way around the much less substantial defenses of a relatively minor, third-party vendor serving Bank of America. 

Infosys McCamish Systems (IMS) – a platform for managing insurance claims and associated business processes – was the suspected entry point for this hack.  IMS issued a breach notification letter with the Maine Attorney General’s office which read in part, “On or around November 3, 2023, IMS was impacted by a cybersecurity event when an unauthorized third party accessed IMS systems, resulting in the non-availability of certain IMS applications…  On November 24, 2023, IMS told Bank of America that data concerning deferred compensation plans serviced by Bank of America may have been compromised. Bank of America’s systems were not compromised.”

It was subsequently determined threat actors LockBit, known for executing malware attacks on multiple organizations, was behind this attack.  They even claimed responsibility for it, revealing their hack had encrypted more than 2000 systems during the breach and demanding ransom to release them. 

This example is particularly outrageous because the third-party vendor at the heart of the intrusion was itself a very large enterprise with a deep tech pedigree.  Infosys, the parent company of IMS, is an IT consulting and services provider with more than 300,000 employees and clients in 56 countries around the world.  Clearly, neither of these two global giants, with their industry-leading cyber and information security regimes was able to prevent unauthorized breach of their data systems.  (Details from BleepingComputer.com)

February 5, 2024 – HopSkipDrive Data Breach

A maturing startup with a business model focused specifically on personal safety – they offer a student rideshare app delivering Uber-style services for children and teens – was itself victimized by a damaging data breach.  Luckily, the data accessed and stolen during the breach involved the personally identifiable information of more than 155,000 drivers working on the application and not any of the minors who patronize the tool. HopSkipDrive reports the stolen data includes names, email and physical addresses, driver license numbers and other non-driver identification card numbers.

Tech industry news outlet, TechCrunch reports the company first discovered the breach in the summer of 2023.   Beyond this admission, HopSkipJump has been frustratingly tight lipped about the incident, probably due to the potential for financial cataclysm this type of breach could cause for a startup, even one as mature and nominally successful as this one.  All HopSkipJump would say about the origins of the breach was that it first discovered suspect activity happening on “certain third-party applications utilized by our organization.”  However, they were not forthcoming with the name of any compromised partner applications.   They also revealed they first became aware of the issue after receiving communications from an unknown threat actor. 

HopSkipDrive said it is “committed to strengthening our systems’ security to prevent a similar event from occurring again in the future,” but did not elaborate on what additional safeguards it is implementing.  Yet, according to TechCrunch, the company’s leadership page does not show any Chief Security Office as part of its leadership team and asked the company if there was any dedicated executive focused on managing cyber security. The company responded saying their legal and technology teams both housed information security experts.   One wonders about the infosec leadership at the undisclosed third party where the breach originated.  (Details from TechCrunch)

Evidence of External Data Privacy Practices Being Examined in the RFx Process

Fact is, while Privacy Bee has not been provided access or visibility into the procurement documents and processes used by any of the three organizations in the above examples, it seems safe to conclude that external data privacy was not a primary or even tertiary requirement.  It goes without saying that these three organizations undoubtedly included hundreds of questions and requirements related to cyber security in their procurement events. 

After all, a global financial entity is the most highly regulated kind of business.  A healthcare insurer is similarly highly regulated, particularly as regards personal data under the HIPAA law in the US.  And of course, a ten-year-old startup reliant on investment capital, on a glide vector to initial public offering, is certain to be highly attuned to security to protect its funding.  So, how is it that three organizations most likely to ensure their cyber security was impenetrable allowed themselves to be victimized?

The fact is, there is little evidence of external data privacy risk mitigation practices and processes being something these organizations examine in their vendor selection process. As a result, any of these organizations is only as protected against social engineering and other external data privacy risks as their strongest vendor.  It would seem in all instances that neither the client nor the third-party vendor had sufficient EDP risk mitigation processes in place.

Moreover, if breaches of the strongest organizations with enterprise level vendor lists are happening regularly, then breaches are all but assured for their mid-sized counterparts with less profound spend on cybersecurity.  In short, no one is safe until everyone within any organization and everyone within its vendors’ organizations is safe from this attack vector.

Including External Data Privacy Requirements in a Procurement Event

Understanding EPD By Managing It Firsthand

The best way to be sure that a prospective vendor has the proper protections in place to secure external data privacy and prevent any vendor from allowing unauthorized access to your organization’s protected information systems is to first deploy best practices for EDP management inside your own operation.  This is best accomplished using Privacy Bee for Business and becoming aware of the privacy risk scores of all employees with information systems access. 

Privacy Risk Assessment tools are available at no-cost for all organizations no matter how many employees the organization wishes to examine.  Also of immense value is the detailed analysis and aggregation of hundreds of available data points about any organization yielded by performing External Data Privacy Audits – another zero-cost analytics tool available for use.

With the actionable data derived from these two processes, an enterprise-level operation immediately gains insight into its risk of being attacked and breached by threat actors leveraging the immense volume of unsecured external data available on executives, rank-and-file employees and operational systems.  Armed with this hard data a CISO is able to generate a powerful business case for engaging Privacy Bee for Business to manage ongoing deletions of all identified data exposures.  The cost benefit analysis of doing so is compelling and can be read about in detail in these two papers from Privacy Bee. 

Read: Cost Benefit Analysis Proves the Necessity of Business Privacy Management 

Read: Calculating the ROI into External Data Privacy Management Solutions

Concurrent to these efforts, it is strenuously recommended that an organization deploy the Vendor Risk Management facet of the Privacy Bee for Business platform.  This solution element mirrors the inwardly focused data privacy management efforts of the platform.   It delivers the same incisive view into the privacy risk profiles of any third-party vendor’s employee with any degree of information systems integration and access to your organization’s information systems. 

Privacy Bee VRM will begin monitoring all third-party business partners for EDP risk, the most common attack vector used to compromise vendors.   It provides reports containing the same Privacy Risk Scores on each company, highlighting their risk at a glance. Rich analytics further break vendors down by department, risk tier, and more, with all thresholds fully customizable for developing business rules that align with your organization’s specific goals and requirements. In addition, Privacy Bee VRM works with all 3rd party vendors one-on-one to decrease their vulnerabilities, effectively de-risking your company at no additional cost.

Applying Firsthand Perspective to Developing the Correct Questions for an RFx

After several quarters of Privacy Bee platform utilization, an organization develops a much more fulsome, practical understanding of how external data privacy is weaponized by threat actors and how unsecured external data can be properly managed to yield quantifiable reduction of risk.  Armed with this new understanding and data driven perspectives, a procurement organization is far better equipped to generate the RFi/p/q questions needed to arrive at an informed decision as regards a prospective vendor’s level of EDP security.

Privacy Bee recommends adding a new subsection to the Information Security or Cyber Security segments of standard RFx documents issued to prospective vendors of any product of service.  Some examples of questions a procurement process may include in this recommended, new segment are culled from the 2021 Privacy Metrics Report produced and published by the Future of Privacy Forum.

Privacy metrics as defined by the Future of Privacy Forum report as, “both quantitative and qualitative assessments that privacy leaders use to measure, manage, track, benchmark, report on, and improve their privacy program and its components and to establish transparency and trust.  Specifically, privacy teams may adopt the SMART Framework (Specific, Measurable, Actionable, Relevant and Time Bound) to create SMART privacy metrics to assess their capabilities and fulfillment of objectives, demonstrating the relevancy of each metric while ensuring the completion of tasks within specified time frames.”

Sample Questions to Consider Including in the New EDP Section of the RFx

  • How does the prospective vendor initiate, track and manage Data Subject Requests (DSARs)?
    • Do they track DSARs issued, in progress, closed?
    • Do they measure duration of time from request to result?
    • What percentage of is satisfied within required time?
  • Has the prospective vendor been target of privacy incidents or breaches?
    • # of incidents by type/severity/business unit/region
    • # of impacted customers
    • % of incidents by type, closed within SLA commitments
    • % of incidents where root cause has been identified and corrective actions taken
    • # and % of incidents notified to regulators and data subjects
    • # and % of incidents reported within X hours/days of determination
    • Mean time to discovery (measure of detective capability)
    • Mean time to resolve (measure of responsiveness)
  • Has the prospective vendor received privacy complaints?
  • Has the prospective vendor received any privacy queries?
  • Does the prospective vendor actively manage consent on its own web equities?
    • Offer data “sale” and cookie opt outs?
    • Consent for processing activity?
    • Consent for data sharing?
    • Opt-in consent for email marketing?

Pages six through nine of the Privacy Metrics Report contain a trove of additional EDP management metrics to potentially be included in a detailed procurement assessment and review of any prospective vendor.  Of course, the questions your organization may be compelled to include will be influenced by industry and other specific factors.  What’s clear however, is that these are critically important questions to ask of any vendor organization with whom your organization entrusts data systems access. 

Conclusions

Applying up-to-date best practices for external data privacy management to your organization is no longer a nice to have option.  The ongoing torrent of daily breaches attests to the acute need for external data privacy and evidences the profound lack of such solutions currently in place.

By taking firm control over the organization’s external data privacy policies using Privacy Bee for Business, it becomes possible to drive metrics and compliance with privacy-focused business objectives in ways that protect against breaches and the costly consequences that ensue.  It also becomes possible to apply the same compliance goals to any third party organization with which business may be transacted.

Procurement can and must be a key driver of this initiative which not only ensures sunken cost of existing cyber and information security efforts are not wasted.  But which also demonstrates to markets, investors, consumers and prospective partners the organization’s deep and demonstrable commitment to security and safety.

Trusted by thousands of companies.

Instant access to the world's leading business privacy platform. Dive into your account: