Many data breaches occur not at the company that controls or owns the data, but rather at the company’s third-party service providers or vendors.  Regulators have noticed and have begun placing emphasis on a company’s obligation to monitor its service providers both for compliance with cybersecurity requirements and for adequate protection of the personal data in their custody.

The most recent guidance was issued by the Federal Communications Commission (FCC), which includes some unique elements.

Background

Before we touch on recent guidance from the FCC, we should consider one of the best-known cybersecurity regulations relating to monitoring of service providers.  The New York Department of Financial Services’ Cybersecurity Regulation contains specific requirements for covered entities to conduct a risk assessment of their third-party service providers and to ensure that minimum requirements are met:

(a) Each covered entity shall implement written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers. Such policies and procedures shall be based on the risk assessment of the covered entity and shall address to the extent applicable:

(1) the identification and risk assessment of third-party service providers;

(2) minimum cybersecurity practices required to be met by such third-party service providers in order for them to do business with the covered entity;

(3) due diligence processes used to evaluate the adequacy of cybersecurity practices of such third-party service providers; and

(4) periodic assessment of such third-party service providers based on the risk they present and the continued adequacy of their cybersecurity practices.

23 NYCRR 500.11.  The NYDFS regulation requires that the covered entity’s policies and procedures include “relevant guidelines for due diligence and/or contractual protections relating to third-party service providers including to the extent applicable guidelines addressing” the vendor’s access control and encryption policies, as well as its policies relating to notice to the company for a cybersecurity incident affecting the company’s covered data or systems, and representations and warranties on these topics.

Other regulators, such as the Massachusetts Attorney General, use more general requirements in their regulations:

(f) Oversee service providers, by:

1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and

2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information.

201 C.M.R. 17.03(2)(f).

The Federal Communications Commission

Although the Telecommunications Act of 1996 contains no similar requirement (it significantly predates the proliferation of state cybersecurity regulations), we have observed the FCC add some unusual elements in a recent consent agreement entered into this year.  The notable vendor-related provisions are summarized as follows:

1. Inventory.  The company must prepare and maintain an inventory of personal data shared with vendors.

2. Standards.  The company must require in a written contract that vendors with personal data adhere to standards regarding data minimization, retention, and deletion.  The standards can be the company’s own, or can be accepted industry standards.

3. Risk assessments.  The company must conduct biennial risk assessments of vendors that have personal data in order to identify and assess risks to that personal data.  Based on those risks, the company must require the vendor to implement controls to address those risks.  Higher risks may require more frequent assessments.

4. Retention and deletion.  Each such vendor must provide written confirmation no less than once every two years that includes reasonably sufficient information from such vendor to: (a) identify the type and approximate volume of records containing personal data and the reason(s) the vendor retains those records; and (b) confirm that the vendor is in compliance with any applicable retention and deletion requirements.

5. Confirmation of deletion, anonymization, or return.  Within six months of the vendor’s deletion, anonymization, or return of the personal data, the company must obtain written confirmation that the vendor has completed such action, unless the vendor is required to retain the personal data to comply with legal obligations.  If the latter, then the company must request, and make reasonable efforts to obtain from that vendor, a confirmation identifying the legal obligations that require the vendor to continue to retain personal data and the length of time for which personal data must be retained pursuant to those obligations.

6. Compliance monitoring.  The company must monitor such vendors’ compliance with the applicable information security requirements, using assessments or reviews, for as long as the business engagement remains active and/or the vendor continues to retain personal data.  At a minimum, such oversight must include the following:

i. Non-conformance.  Any vendor that does not conform with any material aspect of the vendor requirements set forth in the agreement must be subject to annual assessments or reviews for a period of at least three (3) years, in addition to any existing requirements under the company’s vendor oversight program, unless the material nonconformance is remediable within ninety (90) days or the business engagement is terminated and the vendor no longer retains personal data.

ii. Security breach.  Upon confirmation of a security breach from a vendor, the company must perform an appropriate investigation of that breach in coordination with the vendor, consistent with the company’s [not the vendor’s] incident response protocols.  Where appropriate, based on the risks posed to the security of personal data, the company must subject that vendor to an assessment or review following the breach, unless the business engagement is terminated and the vendor no longer retains personal data.

7. Resources.  The company must provide its vendor management program with the resources and support necessary to comply with these requirements, including adequately resourced staff.

Our Take

Our team has handled numerous cyber incidents on behalf of companies affected by third-party or even fourth-party incidents experienced by their vendors, so this compliance risk has real consequences, and we are increasingly seeing regulators take note.  Judging by at least one recent consent order, it appears that the FCC is similarly interested in regulating covered entities’ obligations to monitor third-party service providers’ secure handling of personal data.

The FCC’s requirements are specific, detailed, and do not require any company to have auditors or forensic specialists on staff, which should help smaller businesses comply.  Not only do the FCC’s requirements help companies manage vendors with personal information, the every-two-years inquiry should also encourage vendors to practice data minimization and remove personal data that is no longer needed (avoiding over-retention that is so frequently the subject of regulatory ire in breach situations). 

This may be part of a larger trend from the FCC that we may expect to observe in future actions.