CCPA/CPRA Data Mapping: The Why, What, and How
October 3, 2019
Almost half of the 392 million people living in America had their sensitive data — including names, birth dates, and social security numbers — stolen by attackers in the 2017 Equifax data breach. Reports surfaced that 147 million individuals had personally identifiable information (PII) exposed in the attack. Last month, the consumer credit reporting giant agreed to a settlement of up to $700 million with the Federal Trade Commission and the Consumer Financial Protection Bureau. In addition, a nationwide consumer class-action lawsuit is underway.
While much media coverage of this event touts the potential damage to individual consumers, what about the businesses that relied on Equifax services? Whom a company does business with can have a deep impact on its health and its customer base. In the last year and a half, major B2B security breaches were recorded at Elasticsearch (26 million) and Exactis (110 million), among many more. According to the National Cyber Security Alliance, 60% of small and midsize businesses go out of business within six months of a direct hack.
In the era of cloud computing, relying on integrations, applications and third-party services to execute and deliver a product or service is the norm. Staying abreast of your vendors’ health is a critical part of being a responsible business. From privacy infractions to data breaches, poor data hygiene to legal battles, vendor litigation and policy monitoring can help you navigate potential issues that could put you out of business.
Vendor lawsuit monitoring is the practice of monitoring your vendors for lawsuits that might put them out of business or create risk for your company.
Policy change detection is the practice of keeping track of changes in your vendors' compliance documents such as privacy policies, GDPR statements, cookie statements, and more. For most compliance certifications such as SOC2, monitoring your vendors is a mandatory requirement, but many companies simply check the box without truly reviewing those changes.
Most employees skip the fine print when purchasing SaaS products. While this behavior may be a concern for an individual consumer, for a business this behavior can rise to the level of negligence. The bar is higher for businesses, and data sharing with vendors that have not gone through the compliance validation process can land your company in court.
Recently the Department of Justice released guidance on how it evaluates corporate compliance programs when deciding on criminal prosecutions. Simply put, failing to monitor your vendors can create criminal liability for your board, C-suite, and the company itself. As a business, you bear responsibility for your customers' digital information when engaging with vendors, even if your employees made the purchase decision.
The Small Business Association Office of Advocacy reports that litigation costs for small businesses range anywhere from $3,000 to $150,000 per event. This type of unexpected expense can be the nail in the coffin for smaller companies. Litigation monitoring alerts you to problems and gives your company the insight necessary to stay ahead of potential curveballs.
There are a few key areas of holistic data health that require constant evaluation:
Security integrity refers to the systems deployed to protect confidentiality, integrity and availability; together these three properties are known as the CIA (or AIC) triad. Organizations that dedicate bandwidth to access control and the safety of digital information make better business partners overall, because they are better placed to prevent an attack or breach and to limit the damage if one occurs.
Even behemoth tech companies like Google are struggling to keep pace with compliance obligations and data privacy regulations on a global level, as evidenced by its recent $57 million GDPR fine. By conducting vendor exploration and having policy monitoring practices in place to flag any changes or updates made to terms of service, your company can maintain auditable logs showing that it proactively evaluates its vendors’ actions on an ongoing basis.
Automatically detecting changes to policy docs and receiving timely notifications of relevant issues — like fines for noncompliance or data misuse — for any downline providers grants you the ability to continuously evaluate who you conduct business with while keeping the health of your customers’ data in mind.
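As an added illustration of the policy change detection described above (example code, not Osano's product or anything from the original article), the following Python snapshot diff compares two constructed versions of a vendor privacy policy, ignores whitespace-only reformatting, and flags changed paragraphs that mention data sharing or retention for human review. The review-term list and the sample policy text are assumptions.

```python
import difflib
import hashlib
import re
from typing import Dict, List

# Terms whose appearance in a changed paragraph deserves human review
# (assumed list; tune it to the contracts and regulations that apply to you).
REVIEW_TERMS = ("third part", "sell", "share", "retain", "transfer", "subprocessor")

def normalize(text: str) -> List[str]:
    """Split a policy into paragraphs with whitespace collapsed, so that a
    reformatted page with identical wording does not trigger an alert."""
    paras = re.split(r"\n\s*\n", text.strip())
    return [" ".join(p.split()) for p in paras if p.strip()]

def fingerprint(text: str) -> str:
    """Stable hash of the normalized document for a cheap 'did it change' check."""
    return hashlib.sha256("\n".join(normalize(text)).encode("utf-8")).hexdigest()

def detect_changes(old: str, new: str) -> Dict[str, object]:
    """Diff two snapshots at paragraph level and flag additions worth reviewing."""
    old_p, new_p = normalize(old), normalize(new)
    sm = difflib.SequenceMatcher(a=old_p, b=new_p, autojunk=False)
    removed: List[str] = []
    added: List[str] = []
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag in ("replace", "delete"):
            removed.extend(old_p[i1:i2])
        if tag in ("replace", "insert"):
            added.extend(new_p[j1:j2])
    flagged = [p for p in added if any(t in p.lower() for t in REVIEW_TERMS)]
    return {"changed": fingerprint(old) != fingerprint(new),
            "removed": removed, "added": added, "needs_review": flagged}

# Constructed snapshots of a fictional vendor's privacy policy (not a real vendor).
OLD_POLICY = """1. Data we collect
We collect your name and email address to provide the service.

2. Sharing
We do not share customer data with third parties."""

NEW_POLICY = """1. Data we collect
We collect your name and
email address to provide the service.

2. Sharing
We may share customer data with third parties for analytics purposes.

3. Retention
We retain account data for 24 months after closure."""

def demo() -> Dict[str, object]:
    """Run the detector over the constructed snapshots (section 1 only reflowed)."""
    return detect_changes(OLD_POLICY, NEW_POLICY)
```

In practice the old snapshot would be the copy stored at the last review and the new one the freshly fetched document, with anything in `needs_review` routed to whoever owns the vendor relationship.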
Lawsuits are a common component of business in the US. Major corporations spend millions of dollars each year retaining large legal teams responsible for watching for legislation and trends that could negatively impact the business. By the numbers, U.S. businesses spend 160% more than other global companies on litigation. Why? Because America is a wildly litigious country. Combine this proclivity with rapidly changing state and federal laws and the business environment becomes a troublesome space to navigate with confidence. Diligence has a direct bearing on risk. But if you don’t have the deep pockets of a big operation, how do you spread your resources to monitor your vendors and other third-party interactions?
Vendor lawsuit monitoring provides essential insight and transparency in today's integration- and application-reliant business economy. Working with good vendors means evaluating and mitigating risk for your company and your customers. Separating the wheat from the chaff is a task that can no longer be ignored.
Closing the knowledge gap by making transparency, compliance, privacy and security a priority through vendor lawsuit and policy change detection monitoring can be key differentiators when vying for customers in a competitive digital world.
Vendor lawsuits and other poor data practices can have a deep and lasting impact on your business: at best, costing you customers, money and resources; at worst, forcing you to close your doors. Demanding the highest performance and integrity from your vendors is a surefire way to protect your bottom line and to ensure that your business has the opportunity for a successful future.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.