Corporate Compliance Insights

Compliance Takeaways from 5 Third-Party Data Breaches in 2019

Lessons for Compliance Practitioners from This Year’s Most Significant Breaches

by Dov Goldman
October 17, 2019
in Compliance, Featured

Panorays’ Director of Risk & Compliance, Dov Goldman, provides background on several of this year’s most noteworthy data breaches and offers lessons learned on each.

We’re nearing the end of 2019, which is shaping up to be a year of substantial third-party breaches. Such cyber incidents continue to take place frequently, and their ramifications for organizations and compliance professionals are significant.

In third-party data breaches, the personal information held by large companies is compromised through a vendor, business partner or supplier. The consequences of such incidents can be considerable: Companies lose consumer confidence and loyalty and can face costly penalties for violating various regulations.

Which data breaches really stood out, and what can compliance professionals learn from them? Here are our top five:

1. American Medical Collection Agency (AMCA)

The Breach: AMCA was the third-party provider of billing services for large health care companies such as Quest Diagnostics, LabCorp and BioReference Laboratories. Health providers like AMCA hold some of patients’ most sensitive data, which can be used by attackers for identity theft, insurance fraud, financial gain or even blackmail.

The data breach took place from August 1, 2018 until March 30, 2019 and compromised the private information of 20 million Americans, including name, date of birth, provider and balance information.

The Takeaway: Don’t Mess with HIPAA

This data breach illustrated the disastrous consequences of noncompliance. As a result of the data breach, AMCA faced enormous penalties for not complying with HIPAA. In addition, the company’s four largest clients ceased operations with AMCA and numerous class-action suits were filed. Consequently, AMCA filed for bankruptcy.

2. Evite

The Breach: In May, Evite, an online text invitation service, said that an outside party had gained access to its servers and was able to access members’ personal data. At the time, it was believed that approximately 10 million users had their information exposed; however, later reports said that the number could be as high as 100 million.

The Takeaway: With GDPR, It’s Your Problem

Evite was probably not considered a critical partner to most of the companies that integrated the product into their own offerings.

According to GDPR, however, Evite would most likely be considered a data processor. This means that any problems with their treatment of personal information became the problem of companies connected to it. Such companies would have had to notify their own data subjects about the Evite data breach.

3. U.S. Customs and Border Protection

The Breach: In June, it was discovered that a contractor of the CBP had suffered a cyberattack. Consequently, photos of travelers into and out of the country and copies of license plate images were taken. The CBP alerted members of Congress, removed the subcontractor’s equipment from service and said it was monitoring its work.

The Takeaway: Beware of Federal Controls

The Federal Information Security Management Act (FISMA) of 2002, amended in 2014 as the Federal Information Security Modernization Act, mandates best practices for safeguarding data and information systems. Contractors to the federal government are required to comply with FISMA, which they can do by implementing the NIST information security control standards. NIST calls for controlling the flow of CUI (controlled unclassified information) with approved authorizations.

While it’s not clear which one of these regulations was violated, it stands to reason that something was amiss from a compliance perspective.

4. Choice Hotels

The Breach: In July, researchers discovered an unsecured database containing data belonging to Choice Hotels. A total of 5.6 million records were exposed, with 700,000 of them containing information on guests such as names, email addresses and phone numbers. Apparently, the system had been exposed for a total of four days, and Choice Hotels said that the database was operated by a partner vendor.

There was also a ransom note saying that the 700,000 records had been stolen and backed up, with a demand for about $4,000. That stolen data may eventually wind up being used in tailored phishing campaigns or for increased spam.

The Takeaway: Don’t Underestimate GDPR Notification

This breach is particularly complicated when considering GDPR compliance. If the stolen data included European guest information, then Choice Hotels would be required to notify the guests of a breach. In addition, since Choice Hotels does not have a European headquarters, it cannot report to a single supervisory authority. Therefore, it could conceivably be required to notify all of the authorities in the many different European countries where the hotels are located.

5. Monster.com

The Breach: In September, an exposed web server storing thousands of resumes of job seekers from Monster.com was discovered online. The resumes contained private information like phone numbers, home addresses, email addresses and prior work experience.

Monster said that the server was owned by an unnamed recruitment customer, with which it no longer works. Monster also said that since the customer purchased access to the data, it was responsible for notifying affected parties of the breach.

The Takeaway: You Can’t Pass the Buck with CCPA

While Monster.com noted that it is not responsible for data sold to third parties, the California Consumer Privacy Act will require that companies provide customers with the right to opt out of selling their personal information to third parties. Once CCPA goes into effect, failing to provide customers with this right will undoubtedly result in substantial penalties.

Preventing Third-Party Breaches

To avoid compliance penalties, companies are increasingly realizing that they must put processes in place to manage the collection and sharing of data, as well as to assess and continuously monitor the third parties that have access to that data.

To help minimize the risk of third-party breaches, companies must:

  • Evaluate the supplier’s security posture,
  • Remediate any security gaps,
  • Be vigilant about how data is shared with the supplier,
  • Continuously monitor supplier cyber posture and
  • Minimize risk based on relationship.

Tags: California Consumer Privacy Act (CCPA), Data Breach, GDPR, HIPAA, Third Party Risk Management

Dov Goldman

Dov Goldman is the Director of Risk & Compliance at Panorays. He has years of experience in the third-party risk and compliance field, as well as a long history as a serial entrepreneur, software and network engineer. Dov focuses on the evolving best practices and industry standards in third-party management and regulatory compliance. Previously, Dov was VP of Innovation at Opus, Director of Product Marketing at Navigant and Founder and CEO of Cognet Corp and Dynalog Technologies.
