Compliance Takeaways from 5 Third-Party Data Breaches in 2019

Lessons for Compliance Practitioners from This Year’s Most Significant Breaches

by Dov Goldman
October 17, 2019
in Compliance, Featured

Panorays’ Director of Risk & Compliance, Dov Goldman, provides background on several of this year’s most noteworthy data breaches and offers lessons learned on each.

We’re nearing the end of 2019, which is shaping up to be a year of substantial third-party breaches. Such cyber incidents continue to take place frequently, and their ramifications for organizations and compliance professionals are significant.

In third-party data breaches, the personal information held by large companies is compromised through a vendor, business partner or supplier. The consequences of such incidents can be considerable: Companies lose consumer confidence and loyalty and can face costly penalties for violating various regulations.

Which data breaches really stood out, and what can compliance professionals learn from them? Here are our top five:

1. American Medical Collection Agency (AMCA)

The Breach: AMCA was the third-party provider of billing services for large health care companies such as Quest Diagnostics, LabCorp and BioReference Laboratories. Health providers like AMCA hold some of patients’ most sensitive data, which can be used by attackers for identity theft, insurance fraud, financial gain or even blackmail.

The data breach took place from August 1, 2018 until March 30, 2019 and resulted in compromising the private information of 20 million Americans, including name, date of birth, provider and balance information.

The Takeaway: Don’t Mess with HIPAA

This data breach illustrated the disastrous consequences of noncompliance. As a result of the data breach, AMCA faced enormous penalties for not complying with HIPAA. In addition, the company’s four largest clients ceased operations with AMCA and numerous class-action suits were filed. Consequently, AMCA filed for bankruptcy.

2. Evite

The Breach: In May, Evite, an online text invitation service, said that an outside party had gained access to its servers and was able to access members’ personal data. At the time, it was believed that approximately 10 million users had their information exposed; however, later reports said that the number could be as high as 100 million.

The Takeaway: With GDPR, It’s Your Problem

Evite was probably not considered a critical partner to most of the companies that integrated the product into their own offerings.

According to GDPR, however, Evite would most likely be considered a data processor. This means that any problems with their treatment of personal information became the problem of companies connected to it. Such companies would have had to notify their own data subjects about the Evite data breach.

3. U.S. Customs and Border Protection

The Breach: In June, it was discovered that a contractor of CBP had suffered a cyberattack. Consequently, photos of travelers into and out of the country and copies of license plate images were taken. CBP alerted members of Congress, removed the subcontractor’s equipment from service and said it was monitoring its work.

The Takeaway: Beware of Federal Controls

The Federal Information Security Management Act (FISMA) of 2002, amended in 2014 as the Federal Information Security Modernization Act, mandates best practices for safeguarding data and information systems. Contractors to the federal government are required to comply with FISMA, which they can do by implementing the NIST information security control standards. NIST calls for controlling the flow of CUI (controlled unclassified information) with approved authorizations.

While it’s not clear which one of these regulations was violated, it stands to reason that something was amiss from a compliance perspective.

4. Choice Hotels

The Breach: In July, researchers discovered an unsecured database containing data belonging to Choice Hotels. A total of 5.6 million records were exposed, with 700,000 of them containing information on guests such as names, email addresses and phone numbers. Apparently, the system had been exposed for a total of four days, and Choice Hotels said that the database was operated by a partner vendor.

There was also a ransom note saying that the 700,000 records had been stolen and backed up, with a demand for about $4,000. That stolen data may eventually wind up being used in tailored phishing campaigns or for increased spam.

The Takeaway: Don’t Underestimate GDPR Notification

This breach is particularly complicated when considering GDPR compliance. If the stolen data included European guest information, then Choice Hotels would be required to notify the guests of a breach. In addition, since Choice Hotels does not have a European headquarters, it cannot report to a single supervisory authority. Therefore, it would conceivably be required to notify all of the authorities in the many different European countries where its hotels are located.

5. Monster.com

The Breach: In September, an exposed web server storing thousands of resumes of job seekers from Monster.com was discovered online. The resumes contained private information like phone numbers, home addresses, email addresses and prior work experience.

Monster said that the server was owned by an unnamed recruitment customer, with which it no longer works. Monster also said that since the customer purchased access to the data, it was responsible for notifying affected parties of the breach.

The Takeaway: You Can’t Pass the Buck with CCPA

While Monster.com noted that it is not responsible for data sold to third parties, the California Consumer Privacy Act will require that companies provide customers with the right to opt out of selling their personal information to third parties. Once CCPA goes into effect, failing to provide customers with this right will undoubtedly result in substantial penalties.

Preventing Third-Party Breaches

To avoid compliance penalties, companies are increasingly realizing that they must put processes in place to manage the collection and sharing of data, as well as to assess and continuously monitor the third parties that have access to that data.

To help minimize the risk of third-party breaches, companies must:

  • Evaluate the supplier’s security posture,
  • Remediate any security gaps,
  • Be vigilant about how data is shared with the supplier,
  • Continuously monitor supplier cyber posture and
  • Minimize risk based on relationship.

Tags: California Consumer Privacy Act (CCPA), Data Breach, GDPR, HIPAA, Third Party Risk Management
Dov Goldman

Dov Goldman is the Director of Risk & Compliance at Panorays. He has years of experience in the third-party risk and compliance field, as well as a long history as a serial entrepreneur, software and network engineer. Dov focuses on the evolving best practices and industry standards in third-party management and regulatory compliance. Previously, Dov was VP of Innovation at Opus, Director of Product Marketing at Navigant and Founder and CEO of Cognet Corp and Dynalog Technologies.

© 2025 Corporate Compliance Insights