Privacy and security concerns are not just for those who play in the regulated spaces (kids, money, and health) anymore. Anyone who works in retail knows that privacy and security are at the top of every commercial contracts review list, but hackers are finding value in—and therefore trying to hack—a broader array of data sets. A recent security breach of newswire services and an increase in the use of mobile devices and applications highlights the need to review privacy and security elements across a broader range of relationships.
An Associated Press article about the newswire breach detailed a five-year insider trading scandal made possible by hacking the computers of newswire services that were responsible for publishing earnings announcements and other press releases for corporations. The newswire breach is one more instance in a recurring pattern of hackers “penetrating third-party companies that have access to sensitive information.” In hindsight, it may seem obvious that newswire organizations, as recipients of company information that is confidential prior to release, would be targets for hackers, but organizations that do not conduct their core business in regulated spaces may not (until now) be as well-versed in the potential perils of providing access to their information.
As mobile devices become increasingly important to our everyday lives, hackers are also targeting the devices and the “apps” on those devices. According to a recent report, attacks on the leading mobile operating systems have risen in the past three years.
Because hackers are becoming more sophisticated in their techniques and their access points, companies need to carefully consider with whom they share information (and/or access to their information, including via apps used by employees and service providers), how much information they share, and whether or not such sharing and/or use is secure. Although many companies are starting to require certain representations about security in contracts with vendors that have access to confidential information, companies can also take additional steps to reduce their potential risk.
Some practical ways companies can reduce their potential risk in this area are as follows:
- Require vendors to implement appropriate security measures in connection with data to which they have access and audit such measures periodically.
- Require vendors to demonstrate a meaningful ability to back up any financial or other obligations with respect to failure to implement security measures.
- Understand what data you provide to vendors and limit access to only such data that is necessary for the vendor to perform its services. In other words, resist the urge to find comfort in shifting all responsibility to the vendor without doing your homework.
- Understand and require appropriate security measures on your side of the fence (i.e. don’t disclose data you don’t need to disclose and work with your IT team to implement practical checks and balances).
- Consider technological changes on both sides that are appropriate to ensure adequate security of the data being accessed. For example, is continuous remote access really necessary or advised in connection with the services being provided and the data being accessed?