Who’s Got Your Sensitive Data? And Who Else, Too?

Brian Wood Blog

Outsourcing is NOT a “fire and forget” endeavor. Far from it.

“Trust but verify” is the recommended mantra — both before selecting a vendor as well as during the lifetime of the engagement, too.

Always remember: vendors are NOT all the same. Compliance counts. Training matters. Experience yields effectiveness. And none of this comes for free.

Summary post by Jim Kim of FierceComplianceIT and original press release by Experian on PRNewswire.

Emphasis in red added by me.

Brian Wood, VP Marketing

———-

Many companies ignore vendor security issues

At a time of rampant data security breaches, one would think that companies would take extra care when transferring sensitive information about customers, rightly assuming that the risks are elevated these days.

But a new study by the Ponemon Institute has found that a whopping 46 percent of survey respondents do not even evaluate “the security and privacy practices of vendors before sharing sensitive or confidential information.

That’s shocking in some ways, as the risks of litigation are high in this area.

The survey, commissioned by Experian Data Breach Resolution, polled nearly 750 individuals in organizations that transfer consumer data to third-party vendors. The poll also found that when sharing sensitive and confidential consumer information, 49 percent said that they “do not monitor — or are unsure whether their organization monitors — vendor security and privacy practices.”

Obviously, companies that do not proactively move to secure this data are putting themselves in danger. The survey results indicated that companies that transfer or share consumer data with vendors experience data breaches more often than not.

The culprits for vendor-related breaches are all too familiar. Negligence is the leading cause of most breaches involving vendors. Stolen or lost devices come in second. More than half of respondents said they discovered a breach by accident.

Companies would be wise to re-think their policies for vetting their vendors, who in turn would be wise to make sure they have a strong story to tell when security questions arise. And they will arise sooner or later.

http://www.fiercecomplianceit.com/story/many-companies-ignore-vendor-security-issues/2013-03-08

———

Experian Data Breach Resolution and the Ponemon Institute survey results identify opportunity for improved data oversight

Survey reveals 56 percent of respondents acknowledged incidents when their organizations did not act on a vendor’s data breach

COSTA MESA, Calif., Feb. 26, 2013 /PRNewswire/ — A new study, Securing Outsourced Consumer Data, commissioned by Experian Data Breach Resolution and conducted by the Ponemon Institute reveals that many organizations (46 percent) do not evaluate the security and privacy practices of vendors before sharing sensitive or confidential information.

The survey polled nearly 750 individuals in organizations that transfer consumer data to third-party vendors. The goal of the survey was to increase understanding of data breach frequency when consumer data is outsourced, to determine what steps are taken to ensure vendors’ data stewardship, and to evaluate privacy and security practices between companies and outsource vendors.

Many companies have higher standards for their in-house data security practices than they have for vendors that they enlist to hold customer information,” said Michael Bruemmer , vice president at Experian Data Breach Resolution. “The standards should be consistent, because not adhering to the same policies leaves companies vulnerable.”

When sharing sensitive and confidential consumer information, nearly half of respondents (49 percent) said that they do not monitor — or are unsure whether their organization monitors — vendor security and privacy practices. Additional key findings from the survey include:

  • Outsourcing consumer information demands oversight — Survey results indicate that organizations that transfer or share consumer data with vendors experience data breaches more often than not
    • Sixty-five percent (65%) of respondents said their organization had a data breach involving the loss or theft of their organization’s information, and the majority (64 percent) report that it has happened more than once
    • Sixty-four percent (64%) of respondents reported their organization has experienced more than one data breach
  • Training is essential to protect against data breaches —Causes for data breaches can be reduced significantly through enforcement of policies and effective training
    • Forty-five percent (45%) of respondents reported negligence as the root cause of third-party data breaches
    • Forty percent (40%) of data breaches were the result of lost or stolen devices
  • Security and control procedures need improvement
    • More than half of respondents (56 percent) said their organization learned about a data breach accidentally
    • Only 27 percent (27%) said the organization’s security and control procedures uncovered the incident; only 23 percent (23%) said the vendor’s security and control procedures alerted the organization to a breach

It is imperative that businesses and organizations place a priority on evaluating a vendor’s ability to secure sensitive data,” said Dr. Larry Ponemon , chairman and founder of the Ponemon Institute.

To access the full report, Securing Outsourced Consumer Data, visit http://www.Experian.com/ConsumerDataStudy.

For more information, visit http://www.experian.com/databreach.

http://www.prnewswire.com/news-releases/experian-data-breach-resolution-and-the-ponemon-institute-survey-results-identify-opportunity-for-improved-data-oversight-193240881.html