Best of 2022: Not your fault, but still your fine? Third-party risks, breaches and enforcements

These days, it is convenient and commonplace to outsource IT services, website development, human resources and other business functions to a third-party vendor.

However, when many processes involve the collection, processing and storage of personal data, extra care must be taken when selecting third-party service providers, doing due diligence, and outsourcing these tasks.

You can always delegate the task to a third-party provider, but when it comes to safeguarding personal data and complying with privacy laws, you cannot simply delegate the responsibility for the sensitive data in your care.

Third-party risks are real

Several breaches involving third-party vendors have been reported in recent times.

In April 2021, the personal data of 30,000 users of NTUC e2i’s services were compromised in a malware attack on the employability organisation’s third-party provider. The malware infected the mailbox of one of the third-party vendor’s employees, leading to the breach.

A few months later, MyRepublic, a Singaporean telco, discovered that its third-party data storage platform had suffered a security breach. The breach resulted in unauthorised access to the personal data of 80,000 individuals, including customer names, mobile numbers, scanned copies of national identity cards, addresses of foreign residents and copies of utility bills.

In the same year, Fullerton Health’s appointment booking platform, which is handled by a third-party vendor, was accessed by an unauthorised party. Fullerton’s vendor discovered that the breach to their server compromised customer names, identification numbers, contact information, bank account details and even some health information.

Accountability lies with the organisation, not the vendor

Although breaches may occur in the domain of the third-party vendor, the organisation is always primarily responsible for taking care of customer data.

If a third-party vendor has been engaged to process personal data, the organisation must, thus, ensure that the vendor undertakes the necessary security arrangements to protect that data. One of the best practices is to clearly specify this with your vendor through a written contract.

Learn more about how to manage third-party risks and performance through our course here.

It is invariably difficult to conduct business today without dealing with any third-party vendors. While such arrangements carry a significant amount of risk, this risk can be mitigated. It is imperative for organisations to conduct due diligence when choosing a third-party provider. Clear policies on the usage, transfer, storage, and security of the data must be set up, and regular audits should be conducted meticulously and periodically.

Organisations must also be reasonably satisfied that the staff of their third-party vendors are trained in data privacy and protection knowledge.

On the other hand, if you are a third-party provider or data intermediary, implementing a data protection/privacy management programme (DPMP), consistently training your staff, and appointing a data protection officer (DPO), a first step in demonstrating accountability, is a must in order to build trust with your clients.

Enforcement decisions arising from third-party vendors

Several enforcement cases involving the mismanagement of third-party vendors have resulted in financial penalties for the organisations.

In September 2021, a fine of $13,500 was imposed on SAP Asia by the Personal Data Protection Commission (PDPC) for the disclosure of the personal data of 43 former employees. In this case, there was a miscommunication between the organisation and the vendor employed to develop the payslip issuance system.

This led to an error wherein the payslips of these 43 employees were sent to the wrong recipients. Although the vendor was in charge of developing the system, SAP Asia was held responsible for not giving clear instructions and for not testing the programme thoroughly.

In another case, Royal Caribbean Cruises suffered a cyber attack on its electronic receipt system which affected the personal data of over 6,000 customers. The data compromised included customer names, amounts paid, first four and last four digits of credit cards, cheque numbers, and in some cases, even the nationality, date of birth, address and passport number of customers.

The receipt system was found to have security vulnerabilities that could be easily exploited by bad actors. Although the receipt system was developed by a third-party vendor, Royal Caribbean Cruises was held responsible by the PDPC because the vendor was only in charge of developing the system, but was not engaged to process customer data on behalf of the cruise company.

Furthermore, it was the responsibility of Royal Caribbean Cruises to conduct regular security testing and patching to ensure that the data it processes is always secure.

Find out the best practices of third-party vendor management through our course here or speak to one of our consultants at sales@straitsinteractive.com.

This article was originally published on 25 March 2022.