Panorays’ Director of Risk & Compliance, Dov Goldman, provides background on several of this year’s most noteworthy data breaches and offers lessons learned on each.
We’re nearing the end of 2019, which is shaping up to be a year of substantial third-party breaches. Such cyber incidents continue to take place frequently, and their ramifications for organizations and compliance professionals are significant.
In third-party data breaches, the personal information held by large companies is compromised through a vendor, business partner or supplier. The consequences of such incidents can be considerable: Companies lose consumer confidence and loyalty and can face costly penalties for violating various regulations.
Which data breaches really stood out, and what can compliance professionals learn from them? Here are our top five:
1. American Medical Collection Agency (AMCA)
The Breach: AMCA was the third-party provider of billing services for large health care companies such as Quest Diagnostics, LabCorp and BioReference Laboratories. Health providers like AMCA hold some of patients’ most sensitive data, which can be used by attackers for identity theft, insurance fraud, financial gain or even blackmail.
The data breach took place from August 1, 2018 until March 30, 2019 and resulted in compromising the private information of 20 million Americans, including name, date of birth, provider and balance information.
The Takeaway: Don’t Mess with HIPAA
This data breach illustrated the disastrous consequences of noncompliance. As a result of the data breach, AMCA faced enormous penalties for not complying with HIPAA. In addition, the company’s four largest clients ceased operations with AMCA and numerous class-action suits were filed. Consequently, AMCA filed for bankruptcy.
2. Evite
The Breach: In May, Evite, an online text invitation service, said that an outside party had gained access to its servers and was able to access members’ personal data. At the time, it was believed that approximately 10 million users had their information exposed; however, later reports said that the number could be as high as 100 million.
The Takeaway: With GDPR, It’s Your Problem
Evite was probably not considered a critical partner to most of the companies that integrated the product into their own offerings.
According to GDPR, however, Evite would most likely be considered a data processor. This means that any problems with their treatment of personal information became the problem of companies connected to it. Such companies would have had to notify their own data subjects about the Evite data breach.
3. U.S. Customs and Border Protection
The Breach: In June, it was discovered that a contractor of the CBP had suffered a cyberattack. Consequently, photos of travelers into and out of the country and copies of license plate images were taken. The CBP alerted members of Congress, removed the subcontractor’s equipment from service and said it was monitoring its work.
The Takeaway: Beware of Federal Controls
The Federal Information Systems Act (FISMA) of 2002, amended in 2014 as the Federal Information Security Modernization Act, mandates best practices for safeguarding data and information systems. Contractors to the federal government are required to comply with FISMA, which they can do by implementing the NIST information security control standards. NIST calls for controlling the flow of CUI (controlled unclassified information) with approved authorizations.
While it’s not clear which one of these regulations was violated, it stands to reason that something was amiss from a compliance perspective.
4. Choice Hotels
The Breach: In July, researchers discovered an unsecured database containing data belonging to Choice Hotels. A total of 5.6 million records were exposed, with 700,000 of them containing information on guests such as names, email addresses and phone numbers. Apparently, the system had been exposed for a total of four days, and Choice Hotels said that the database was operated by a partner vendor.
There was also a ransom note saying that the 700,000 records had been stolen and backed up, with a demand for about $4,000. That stolen data may eventually wind up being used in tailored phishing campaigns or for increased spam.
The Takeaway: Don’t Underestimate GDPR Notification
This breach is particularly complicated when considering GDPR compliance. If the stolen data included European guest information, then Choice Hotels would be required to notify the guests of a breach. In addition, since Choice Hotels does not have a European headquarters, they cannot report to a single supervisory authority. Therefore, they would conceivably be required to notify all of the authorities in the many different European countries where the hotels are located.
5. Monster.com
The Breach: In September, an exposed web server storing thousands of resumes of job seekers from Monster.com was discovered online. The resumes contained private information like phone numbers, home addresses, email addresses and prior work experience.
Monster said that the server was owned by an unnamed recruitment customer, with which it no longer works. Monster also said that since the customer purchased access to the data, it was responsible for notifying affected parties of the breach.
The Takeaway: You Can’t Pass the Buck with CCPA
While Monster.com noted that it is not responsible for data sold to third parties, the California Consumer Privacy Act will require that companies provide customers with the right to opt out of selling their personal information to third parties. Once CCPA goes into effect, failing to provide customers with this right will undoubtedly result in substantial penalties.
Preventing Third-Party Breaches
To avoid compliance penalties, companies are increasingly realizing that they must put processes in place to manage the collection and sharing of data, as well as to assess and continuously monitor the third parties that have access to that data.
To help minimize the risk of third-party breaches, companies must:
- Evaluate the supplier’s security posture,
- Remediate any security gaps,
- Be vigilant about how data is shared with the supplier,
- Continuously monitor supplier cyber posture and
- Minimize risk based on relationship.