When your service provider has a breach
As the day progresses and more and more Epsilon clients notify their customers that their details have been compromised, I got to thinking about what information is readily handed to third parties for many different purposes. Outsourcing certain specialist tasks is nothing new. What I've found in the past, though, is that information is often handed over without really thinking through the consequences should that information be compromised. So here are some of the things I believe you should be doing when handing client information over to third parties. As usual, feel free to add your own experiences and suggestions.
Before handing any information over, you may want to ask the following:
- What is the minimum amount of information needed to perform the tasks requested? - We often find that people hand over substantial amounts of data when all that is really required is an email address and a first name. This will of course depend on what the third party is doing for you, but thinking about what they really need is a good starting point. The answer can then be risk assessed and a decision taken.
- How are you protecting my information? - You will likely get a warm, fuzzy answer and have to sift through it to find the real one. What you want to look for are operational security processes. How will they notice if there is a breach? Do they utilise IDS/IPS? Do they have firewalls (and yes, sometimes you will get the answer "no, we don't need a firewall")?
- Do you have the right to audit? - The answer to this will often indicate what the real answer to the previous question is. If the answer is "no", well ...
- Do they have an incident response process?
- What steps will be taken in the event of a breach, and when will you be notified? - i.e. how long will they sit on the compromise before letting you know that the data is gone?
- What happens if the breach is at a subcontractor of the organisation? - Many companies subcontract processes to others.
- Who will carry any additional costs? - In some jurisdictions there is a breach notification requirement. In some cases this may need to take the form of snail mail; those stamps can be expensive, so who will pay for them?
- If you have any special security requirements for your information, communicate them clearly to the provider so they can meet your expectations.
Collect the answers and have them put into the contract/agreement; that way nobody can forget who does what, and when.
That's my quick start list before handing information over.
Mark H
Comments
PrattleOnBoyo
Apr 5th 2011
I didn't say it would be easy :-) but the reality is, if you don't ask you certainly won't get it. If you ask, you have a better chance. You also have the opportunity to go elsewhere. Nothing like customers going elsewhere to make vendors change their "standard" agreement.
Mark
Apr 5th 2011
http://en.wikipedia.org/wiki/Informational_self-determination
The English article is pretty short and not as good as the German one. The Google translation may give a hint:
http://translate.google.de/translate?js=n&prev=_t&hl=de&ie=UTF-8&layout=2&eotf=1&sl=de&tl=en&u=http%3A%2F%2Fde.wikipedia.org%2Fwiki%2FInformationelle_Selbstbestimmung
alibert
Apr 5th 2011
G
Apr 5th 2011
I believe you misread Mark's post. And Mark, forgive me, but you state "when handing over client information to third parties", and that is very different from what Prattle on is prattling on about.
Terms of Service, AUPs, privacy policies: they are not negotiable; you agree or you don't agree. And they define the terms by which you consent to use of your information, among other things.
But when negotiating a contract with a third party that deals with clients' information, you absolutely should be asking the above questions and writing them into the contract.
Otherwise, move on to a partner that will accept your terms... if they don't, you don't need the added risk... à la Epsilon.
Philip K.
Apr 6th 2011