Corporate Compliance Insights

Compliance Takeaways from 5 Third-Party Data Breaches in 2019

Lessons for Compliance Practitioners from This Year’s Most Significant Breaches

by Dov Goldman
October 17, 2019
in Compliance, Featured

Panorays’ Director of Risk & Compliance, Dov Goldman, provides background on several of this year’s most noteworthy data breaches and offers lessons learned on each.

We’re nearing the end of 2019, which is shaping up to be a year of substantial third-party breaches. Such cyber incidents continue to take place frequently, and their ramifications for organizations and compliance professionals are significant.

In third-party data breaches, the personal information held by large companies is compromised through a vendor, business partner or supplier. The consequences of such incidents can be considerable: Companies lose consumer confidence and loyalty and can face costly penalties for violating various regulations.

Which data breaches really stood out, and what can compliance professionals learn from them? Here are our top five:

1. American Medical Collection Agency (AMCA)

The Breach: AMCA was the third-party provider of billing services for large health care companies such as Quest Diagnostics, LabCorp and BioReference Laboratories. Vendors like AMCA that serve health providers hold some of patients’ most sensitive data, which attackers can use for identity theft, insurance fraud, financial gain or even blackmail.

The data breach took place from August 1, 2018 until March 30, 2019 and compromised the private information of 20 million Americans, including name, date of birth, provider and balance information.

The Takeaway: Don’t Mess with HIPAA

This data breach illustrated the disastrous consequences of noncompliance. As a result of the data breach, AMCA faced enormous penalties for not complying with HIPAA. In addition, the company’s four largest clients ceased operations with AMCA and numerous class-action suits were filed. Consequently, AMCA filed for bankruptcy.

2. Evite

The Breach: In May, Evite, an online text invitation service, said that an outside party had gained access to its servers and was able to access members’ personal data. At the time, it was believed that approximately 10 million users had their information exposed; however, later reports said that the number could be as high as 100 million.

The Takeaway: With GDPR, It’s Your Problem

Evite was probably not considered a critical partner to most of the companies that integrated the product into their own offerings.

According to GDPR, however, Evite would most likely be considered a data processor. This means that any problems with its handling of personal information became the problem of the companies connected to it. Such companies would have had to notify their own data subjects about the Evite data breach.

3. U.S. Customs and Border Protection

The Breach: In June, it was discovered that a contractor of the CBP had suffered a cyberattack. Consequently, photos of travelers into and out of the country and copies of license plate images were taken. The CBP alerted members of Congress, removed the subcontractor’s equipment from service and said it was monitoring its work.

The Takeaway: Beware of Federal Controls

The Federal Information Systems Act (FISMA) of 2002, amended in 2014 as the Federal Information Security Modernization Act, mandates best practices for safeguarding data and information systems. Contractors to the federal government are required to comply with FISMA, which they can do by implementing the NIST information security control standards. NIST calls for controlling the flow of CUI (controlled unclassified information) with approved authorizations.

While it’s not clear which one of these regulations was violated, it stands to reason that something was amiss from a compliance perspective.

4. Choice Hotels

The Breach: In July, researchers discovered an unsecured database containing data belonging to Choice Hotels. A total of 5.6 million records were exposed, with 700,000 of them containing information on guests such as names, email addresses and phone numbers. Apparently, the system had been exposed for a total of four days, and Choice Hotels said that the database was operated by a partner vendor.

There was also a ransom note saying that the 700,000 records had been stolen and backed up, with a demand for about $4,000. That stolen data may eventually wind up being used in tailored phishing campaigns or for increased spam.

The Takeaway: Don’t Underestimate GDPR Notification

This breach is particularly complicated when considering GDPR compliance. If the stolen data included European guest information, then Choice Hotels would be required to notify the guests of a breach. In addition, since Choice Hotels does not have a European headquarters, it cannot report to a single supervisory authority. Therefore, it could conceivably be required to notify all of the authorities in the many different European countries where the hotels are located.

5. Monster.com

The Breach: In September, an exposed web server storing thousands of resumes of job seekers from Monster.com was discovered online. The resumes contained private information like phone numbers, home addresses, email addresses and prior work experience.

Monster said that the server was owned by an unnamed recruitment customer, with which it no longer works. Monster also said that since the customer purchased access to the data, it was responsible for notifying affected parties of the breach.

The Takeaway: You Can’t Pass the Buck with CCPA

While Monster.com noted that it is not responsible for data sold to third parties, the California Consumer Privacy Act will require that companies provide customers with the right to opt out of selling their personal information to third parties. Once CCPA goes into effect, failing to provide customers with this right will undoubtedly result in substantial penalties.

Preventing Third-Party Breaches

To avoid compliance penalties, companies are increasingly realizing that they must put processes in place to manage the collection and sharing of data, as well as to assess and continuously monitor the third parties that have access to that data.

To help minimize the risk of third-party breaches, companies must:

  • Evaluate the supplier’s security posture,
  • Remediate any security gaps,
  • Be vigilant about how data is shared with the supplier,
  • Continuously monitor supplier cyber posture and
  • Minimize risk based on relationship.

Tags: CCPA/California Consumer Privacy Act, data breach, GDPR, HIPAA, third party risk management

Dov Goldman

Dov Goldman is the Director of Risk & Compliance at Panorays. He has years of experience in the third-party risk and compliance field, as well as a long history as a serial entrepreneur, software and network engineer. Dov focuses on the evolving best practices and industry standards in third-party management and regulatory compliance. Previously, Dov was VP of Innovation at Opus, Director of Product Marketing at Navigant and Founder and CEO of Cognet Corp and Dynalog Technologies.

© 2019 Corporate Compliance Insights