The pre-conference workshops at the Data Protection & Privacy Law Compliance Conference have begun! The first workshop covered managing the risk of third-party vendors. An important element of ensuring the security and privacy of your vendors is finding out what vendors your vendors are using. As we all know, you can outsource the work, but not the responsibility. And all too often the vendors we are entrusting our information to are also using vendors, increasing the risk that a data breach will occur. As reported in the workshop, 39% of data breaches involve information held by a third party. While a solid business practice is to include language in your vendor agreement restricting your vendor from using vendors, this often only works for the biggest of organizations. An avenue for smaller companies is to request that your vendors provide a material list of the vendors they use and the security controls implemented by those vendors. This will help you analyze the level of risk associated with your vendor and determine if you are in compliance with regulations applicable to your organization. In addition, the risk level will dictate the frequency of security audits and on-site visits. The key to managing the risk of using vendors is reducing the number of unknowns!
Mintz Levin will be producing a series of Privacy webinars starting in the fall. Vendor management will be a key topic. Stay tuned for further information!