Michaels craft stores. TRICARE. Global Payments Inc. These are among the most recent and prominent examples of third-party data breaches that adversely impacted financial institutions, healthcare providers and other affiliated entities.
How prepared is your organization to respond to a third-party breach – not just the hard costs of breach notification, account monitoring or regulatory penalties, but also litigation and reputational loss?
Customers don’t care about your partners; they will hold you responsible when you notify them of a breach. You have to be prepared not just to respond to such incidents, but to help prevent them.
Join James Christiansen, a vendor management specialist, for expert advice on how to manage third-party risks, including:
- Prevention:Â Steps you can take to measure the areas and parties at greatest risk;
- Detection:How to detect a third-party breach, and why some breaches go undiscovered for months;
- Response:Â Gauging the impact of a third-party breach and addressing breach disclosure. Who needs to be involved, and how quickly should an organization react and mobilize?
Background
In Sept. 2011, the U.S. Defense Department’s TRICARE health program notified 4.9 million beneficiaries of a data breach caused when backup tapes were stolen from the car of an employee of Science Applications International Corp., one of TRICARE’s business associates.
In the spring of 2012, financial institutions began monitoring accounts and replacing payment cards after news that Global Payments Inc., a payments processor, had been breached, exposing an estimated 1.5 million accounts. Just three years earlier, Heartland Payment Systems, another processor, was breached, impacting 130 million cards.
The common factor among each of these incidents: They occurred at third-party entities, yet adversely affected the healthcare providers and financial institutions that relied on them for services.
The hard lesson: Any organization can be victimized by a breach, even when the breach occurs outside its control. Responding to such an incident requires understanding, due diligence, risk mitigation and preparation.
How prepared is your organization when it comes to addressing and responding to the risk of a third-party breach? Remember: You can outsource processes, but you cannot outsource responsibility.
The problem is not unique to financial services and healthcare. Third-party breaches occur in every sector, and pose the potential for numerous organizational challenges, including reputational damage and expense associated with cleaning up the post-breach mess.
Risk analysis is the first step toward protection. Research shows 80 percent of data exported to third parties includes sensitive information that could be eliminated. By limiting the amount of information, organizations reduce risk.
James Christiansen, Chief Information Risk Officer at third-party risk-score provider Evantix, has spent more than two decades in the trenches of breach recovery and response. During this session, Christiansen will review recent third-party breaches, highlighting what affected organizations did right and what they could have done better in the wake of those breaches.
Some highlights Christiansen will cover:
- Why the simplest breach-prevention solutions are often the best, and how organizations can rely on best practices to minimize exposure;
- Balancing regulatory and industry security requirements;
- Maximizing human resources and budgetary limitations to ensure due diligence.
The probability that your organization will suffer a third-party breach can be significantly reduced by following these basic strategies, which Christiansen will detail:
- How to assess the potential impact of a third-party breach:Â The cost drivers, including direct costs, regulatory/industry fines, legal suits and reputational damage.
- Leveraging information:Â Reviewing PCI certifications and SSAE16 to gauge security and breach risks.
- Reducing risk:Â The role well-worded contracts play in reducing the probability of a third-party breach, and how to limit financial and reputational damage when a breach does occur.