BreachExchange mailing list archives

The Roles of Third Party Companies in Data Protection


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 13 Nov 2015 15:37:00 -0700

http://blog.backup-technology.com/14923/roles-third-party-companies-data-protection/

Because of data breaches, protection of personal and health information has
become a vexing issue. Numerous organisations, including those in the health
care industry, have lost sensitive data. The data typically includes details
of vendors, patients, staff, health ID numbers, contractors, etc. When such a
data loss happens at a hospital, the hospital in question usually apologizes
for the inconvenience that staff and patients have faced because of the data
breach. In some cases, it tries to shift the responsibility to some other
entity, claiming that the data theft was a "result of negligence by an
outside contractor" that was originally hired as an "expert" in handling
sensitive data.

But is shifting blame to a third party right? Third party companies are
selected in the first place because they give assurance that they will store
and handle sensitive data properly. They make their living handling such
data, and it is not in their best interest to lose any of it.

To regain the trust of affected individuals, some vendors that have lost data
in a breach take responsibility by providing timely information and offering
credit monitoring services for the affected accounts. Providing these
services shows that the company has accepted responsibility and acted on it
to reassure individuals who are worried about their sensitive data.

While the vendor may have met its responsibility to notify the affected
accounts as required by legal mandates and federal regulations, the fact
remains that sensitive data, including identities, has been stolen. The
theft of that information will affect the parties involved for a long time.
There is also the possibility that the affected parties will sue the
organization for negligence for millions of dollars. Incidents of this kind
raise questions about data security and about the precautions taken against
data breaches:
• Is it good to share sensitive information with third parties for data
storage?
• How do third parties give assurance to organizations that data will be
protected and will never be accessed inappropriately or misused?
• What is the liability of a third party for the data in their custody and
what type of charges can be applied when information is misused?
Though the answers to these questions are not easy, the popularity of cloud
storage services acting as third party service providers has brought them
to the forefront.

Enterprises that entrust their data to third parties must make an effort to
ensure that the data is safe and secure. They should spend the time and
energy to weigh up the reliability of the third party and its data
protection claims. Here are some questions that can help in searching for a
suitable third party cloud storage service:
• How is data stored in the repository?
• Is the encryption methodology certified by a reliable authority?
• How do people access sensitive data and who has access to the data?
• What are the liabilities and rights of an organization in case of data
breaches?
• Does the vendor share sensitive data with anyone? If so, with whom and
why?
• Is the cryptographic mode used to secure the data really impregnable?
• Can the vendor's assurances about protecting sensitive information be
verified?
• Does the vendor take responsibility for data protection and offer a
guarantee against data breaches caused by its negligence?
Once your company has the answers to these questions, it becomes easier to
evaluate your service provider and its security protocol. The answers will
help you understand the level of data security on offer and select the
service best suited to protecting sensitive information.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
