Data Risk in the Third-Party Ecosystem - Ponemon Survey Results

Ponemon Institute
5 minute read | April.04.2016

Data breaches are on the rise and the percentage of those data breaches caused by third-party relationships is also expected to rise. In our recent survey, “Data Risk in the Third-Party Ecosystem,” conducted by the Ponemon Institute, 49% of respondents indicated their company had experienced a data breach caused by a vendor, and 73% expected the number of third-party-related cyber incidents to increase. In fact, many of the largest and most publicized breaches that have occurred since 2015 can be traced to third-party relationships.

As companies continue to embrace dynamic outsourcing and infrastructures, the inherent risks to data become much more difficult to manage. It is no longer possible to think of an enterprise as a single organization supported by a well-established and controlled “chain” but rather as the entry point to an ecosystem of suppliers, vendors and service providers each with their own sub-set of providers. These third-, fourth-, and nth- party relationships, and the risks associated with them, must be considered and managed when dealing with third-party risk. (Third-party vendors are direct service providers hired by a company. Fourth- through nth-party vendors are indirect service providers or subcontractors hired by a third-party vendor.)

Regulatory Concerns

Regulators are keenly aware of the risk posed by third parties to data assets and continue to publish guidance and update requirements with respect to managing it. Regulatory guidance generally requires companies do the following with respect to third parties:

Perform risk due diligence/assessment prior to establishing a relationship with a vendor
Incorporate security standards and expectations into vendor contracts
Limit data sharing and access to only those necessary for business purposes
Perform initial and ongoing assessment of third-party vendors
Require third parties to report any event or change that impacts the security of company assets

For those companies that do not adequately identify and manage third-party data risk, the impact of outsourcing fourth- and nth- party relationships will become all too apparent in their post-breach investigations.

Read the full brochure

Authors

Elizabeth McGinn Partner, Financial & Fintech Advisory, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.; New York

See my bio

D:+1 202 349 7968
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Fintech

vCard

See full bio

Elizabeth McGinn Partner

Washington, D.C.; New York

In conjunction with this work, she develops policies and procedures, records retention schedules and training materials. A significant part of her practice involves addressing data security breaches, working proactively with clients to prevent such breaches from occurring, and advising clients in responding to regulatory inquiries, investigations and enforcement actions related to privacy, information security and cybersecurity issues. She also assists numerous professional sports teams comply with data privacy concerns, consumer financing laws and payment system issues.

Beth also represents financial institutions, corporations and individuals in a wide range of matters. She advises clients in investigations, examinations and litigation initiated by the Consumer Financial Protection Bureau (CFPB), the New York Department of Financial Services (NYDFS), the Department of Justice (DOJ), the Federal Trade Commission (FTC), state attorneys general and bank regulatory agencies. She has represented financial institutions in class action litigation concerning federal and state fair lending laws, mortgage fraud, unfair and deceptive trade practices statutes, consumer fraud statutes and consumer privacy laws. She has extensive experience counseling clients in response to federal and state subpoenas and handling all aspects of e-discovery.

Over the course of her career, Beth has represented clients in matters involving simultaneous criminal, civil administrative and congressional proceedings. She has defended clients in matters relating to money laundering compliance issues and investigations and litigation by the U.S. Attorney’s Office for the Southern District of New York (SDNY), the Manhattan District Attorney’s Office, the Department of Treasury, the Securities and Exchange Commission (SEC), and various congressional committees, including the U.S. Committee on Homeland Security and Government Affairs Permanent Subcommittee on Investigations, the U.S. House Financial Services Committee and the U.S. House Committee on Oversight and Government Reform.

Beth has published and spoken on a variety of topics, including privacy, cybersecurity, electronic discovery, vendor management and consumer financial services litigation. She authored the chapter on “Oversight of Compliance and Control Responsibilities” for Navigating the Digital Age – The Definitive Cybersecurity Guide for Directors and Officers. She has been recognized for her work in Cyber Law (Data Protection and Privacy) by Legal 500 since 2013, which describes her as “outstanding on privacy and e-discovery issues,” “able to advise both on the regulatory and litigation sides of problems,” an attorney who "exceeds expectations on response and turnaround times,” “has strong industry knowledge in data security and privacy, and is able to walk the fine line between operational efficiency and regulatory compliance' when developing IT policies.” It also described her as “top notch, incredibly responsive, thoughtful, and provides advice that is both practical and efficient.”

Prior to joining Orrick, Beth was a partner at Buckley LLP where she was Co-chair of the firm’s Privacy, Cyber Risk & Data Security practice and E-discovery Committee. Previously she was an associate at Skadden, Arps, Slate, Meagher & Flom. She clerked for Federal Magistrate Judge P. Trevor Sharp of the United States District Court for the Middle District of North Carolina after law school. Beth is a Certified Information Privacy Professional (CIPP/US).

View Beth's webcasts & speaking engagements, news mentions and publications.