Enforcing Data Security Policies With External Service Providers

05/31/2017 / James Quinn

In an article published in the May 7 edition of The New York Times, Nicole Perlroth reported on data security breaches that affected big names like Lady Gaga, Netflix, and Lockheed Martin. In the case of Lady Gaga and Netflix, pre-release copies of songs and TV episodes were taken and distributed by hackers. These thefts were carried out by penetrating the systems of organizations that provide ancillary services to the headliners: post-production businesses, content collaborators, consultants, vendors, and the like.

The situations are analogous to the infamous Target breach a few years ago, where access to credit card data was achieved by worming into the systems of a refrigeration company doing work for the retail giant. While large, well-known businesses typically have sophisticated security safeguards in place, the smaller, sometimes less savvy, businesses that provide services to them are often much more vulnerable to attack. If these vendors are electronically connected to their customers and clients, their less robust systems can be the open road to the data and assets of those customers and clients.

The practice of imposing data security obligations on providers of conventional services like facilities repair, transportation, systems maintenance, project-based consulting, and the like is often overlooked. However, in most instances all of these providers will have an electronic connection to their customers and clients. These connections can take the form of electronic billing, logistics management, inventory management, shared data repositories, project management, remote monitoring of systems, and many other activities.

Each electronic connection can be a target, and companies should ensure that their contracts with providers impose adequate security requirements that can be tested and verified for compliance. Otherwise, it’s entirely possible that all the effort and expense that goes into the development and deployment of internal safeguards may be wasted.