A recent GAO report has revealed that federal agencies that use contracted workers are failing to obtain contractual assurances from third parties regarding the protection of sensitive information.
GAO auditors examined the contracting practices of three of the largest federal agencies, and of those three only one (DHS) required third-party companies to sign standard contracts obligating the contractors to follow best practices in safeguarding sensitive information.
In a recent data breach, a TSA contractor allegedly provided a Boston couple with the social security numbers of more than a dozen TSA workers. Third parties are increasingly responsible for data breaches, but most often it is the hiring agency or company that faces the resulting lawsuits, reputational damage, fines, etc. Outsourcers, consultants, contractors and business partners were responsible for almost half of the data breach incidents in 2008, and recent incidents show that third-party gaps are mounting.
It is critical for organizations to require third parties to be aware of, understand and acknowledge their responsibilities for protecting all types of information. Organizations should:
- Train contractors on best practices for protecting information
- Require contractors to sign non-disclosure agreements
- Require contractors to review and acknowledge organization-specific policies and procedures
- Require contractors to review ongoing updates as risks, challenges and requirements change
- Track all contractor agreements with legal-ready and audit-ready documentation
Lessons learned have shown that third-party data breaches will continue to occur if organizations do not change their status quo processes and connect the dots with third parties more effectively.
How are you addressing your third-party relationships today?
Have your business partners, contractors, etc. signed off on your organization’s policies and procedures?
Do they understand their individual roles and responsibilities for protecting your customer / sensitive information?