March 29, 2018
Your Data . . .Your Responsibility – WST
The quick version of this story is that Facebook allowed researchers to create an application that collected certain types of data from some Facebook users. This was a common practice of Facebook, and users were generally made aware that this could happen. The problem began when a certain researcher collected data on not just the voluntary participants but also the participants’ Facebook friends, and then turned around and gave the data to a (some would say shady) political data company.
The public outcry and anger is not directed at the company or people that ultimately misused the data, but at Facebook. At the end of the day, it is Facebook’s responsibility to protect the data. Facebook entrusted the information of many of its users to a “trusted” third-party that apparently misused the information and now the Facebook CEO may get to go before congress to explain why they let that happen.
Many financial institutions outsource to vendors that have access to view, store, and/or process private customer data. Whether it is backups, email, or server hosting, once you hand that info over, you need to make sure you have the utmost confidence it will be properly utilized and protected. You must know if something bad happens to it, you will be responsible for explaining to your customers what occurred and why.
Gaining such confidence in large part stems from having a quality vendor management program that covers due diligence, selection and continuous monitoring. Although vendor management can be challenging, here are a few things that are considered fundamental to an effective program.
- Have a formal process to define what information a vendor will be accessing and/or handling, and how you will vet and select that vendor. Obviously, standards will be different between an email hosting company and a company changing your lightbulbs.
- Proper vendor management includes a risk assessment. Each vendor should get a score, based on the sensitivity of the data they will come into contact with, the level of access required, organizational stability, security controls, etc. This should be reviewed and updated regularly.
- Vendor relationships change. A company that did one thing for you in the past may now have expanded access or a play a larger role in the day-to-day operations of your institution. Make sure your vendor management processes have triggers that can initiate a re-assessment of the risk level if the relationship expands or changes.
- Make sure your incident response process includes handling a breach at a third-party. How and when will you get information from them, and how will you communicate with your customers? You don’t want to “wing it” in the event your vendor has a breach. Have a plan and review it at least annually.