I spent a few days in New York City on a vacation (and only went online three times in five days) and started reviewing some of my favorite blogs and websites to see what happened in the information security world during my hiatus. Lo and behold, we have had a couple more data breaches disclosed. The biggest is the disclosure by Epsilon, which is used by a large number of companies for marketing (Epsilon data breach). While it would appear that only email addresses were involved in the data breach, it does lead to some questions.
What kind of service level agreement (SLA) did the companies involved have with Epsilon? How does your company evaluate the security controls of 3rd party vendors (hopefully, prior to signing the contract)? Recently I have been reviewing the security controls and data privacy policies of several 3rd party vendors that my company is looking at contracting for specific services. While security controls might be in place and evaluated by a 3rd party, some of the privacy policies leave something to be desired.