Skeeter Spray is a blog for the common Information Security Professional. Why Skeeter Spray? See Post #1

Monday, April 11, 2011

Data Breaches---Where are you?

I spent a few days in New York City on a vacation (going online only three times in five days) and then started reviewing some of my favorite blogs and websites to see what happened in the information security world during my hiatus. Lo and behold, we have had a couple more data breaches disclosed. The biggest is the disclosure by Epsilon, which is used by a large number of companies for marketing (Epsilon data breach). While it would appear that only email addresses were involved in the data breach, it does lead to some questions.

What kind of service level agreement (SLA) did the companies involved have with Epsilon? How does your company evaluate the security controls of 3rd party vendors (hopefully, prior to signing the contract)? Recently I have been reviewing the security controls and data privacy policies for several 3rd party vendors that my company is looking at contracting for specific services. While security controls might be in place and evaluated by a 3rd party, some of the privacy policies leave something to be desired.

One of the privacy policies said only that the vendor would share the personal data (name, email, company, etc.) only with their affiliated companies. What the heck does that mean? Does that mean companies that are involved only with the specific product we are looking at, or does it mean any affiliated company on any project, product, or service they might contract for? That could lead to dozens and dozens of companies that could potentially have access to data of my company’s employees. What kind of privacy policy do all these other companies have? What happens when one of these 3rd or 4th “generation” companies has a data breach? My company will never get notified that the email addresses of our employees have been potentially involved in a data breach.

The moral of the story: when you are reviewing the security controls of potential vendors, make sure you know the privacy policy of those vendors and ensure that the notification process is documented in the contract, including timeframes, who makes notifications, and to whom those notifications are made.

