The European Union's General Data Protection Regulation, which has been enforced since last May, is inspiring renewed efforts worldwide, including at the federal and state levels in the United States, to boost privacy protections. Several U.S. states, including Oregon, North Carolina, Virginia and Washington, are considering new legislation to shore up consumer data privacy laws in the wake of California passing strict privacy requirements last year.
While Democrats in Congress have once again introduced national breach notification and privacy legislation, states aren’t holding their breath that anything will get passed at the federal level and are taking matters into their own hands.
A by-product of the legislation is the spotlight that’s being placed on third parties. Companies are finding they have an incredible amount of data that is being collected, processed or stored by third-party service providers. This means there are going to be some changes that will need to be made in their third-party contracting and oversight to be compliant with these new laws.
For example, Virginia has proposed a bill that places new requirements on businesses to "take all reasonable steps to dispose of, or arrange for the disposal of, consumer records." That means businesses will be required to know which third parties collect, process, store or have access to consumer records, and establish the appropriate contractual clauses and procedures to ensure the third party disposes of the data according to policy.
North Carolina has proposed legislation under which ransomware attacks would be considered a security breach, and a breached entity would need to notify the state attorney general's office within 30 days. That means businesses will need to ensure their contracts clearly identify breach notification requirements.
These are just two examples, and there are many more. As these proposals move into law, having visibility into third-party relationships is not a nice-to-have; it's a requirement.
But here’s the reality. Most companies don’t know which third parties have their data.
A recent third-party risk survey conducted by Aravo showed that 73% of the respondents "cannot produce a complete report of all of their third parties with cyber risk exposure quickly and easily." That means that nearly three out of four of the businesses that responded couldn't comply with these data privacy regulations even if they wanted to.
If you’re concerned about the data that’s being exposed to your third parties, contact us today and let’s discuss how we can help.