Victoria Akosile, Deputy Director, Privacy Operations, BBB National Programs

In today's digital economy, vendor management is not just a business best practice, it is imperative for preserving consumer privacy. Third-party vendors and service providers handle everything from sensitive consumer data, such as health and financial information, to everyday details like grocery orders and scheduling needs. 

Given the volume of data they handle, a single misstep can lead to an array of consequences, regulatory fines among the most severe. Moreover, the Federal Trade Commission (FTC) has increased its scrutiny of companies that intentionally mislead consumers or lack transparency about how their data is used by third parties without the consumers' knowledge and/or consent.

For example, the FTC brought cases against Mobilewalla and the data broker Gravy Analytics, illustrating the Section 5 violations companies can commit when processing and sharing consumer data without consent and without appropriate guardrails in place. In these cases, companies that used data provided by Gravy Analytics and Mobilewalla were using data that had been collected without proper consent management and authorization processes.

A thorough vendor vetting process might have raised questions about these vendors' mechanisms for obtaining consent, questions that could have been resolved before the FTC brought a case.

Additionally, according to a report from Black Kite, a cybersecurity research firm that tracks third-party breaches, unauthorized network access is the leading cause of third-party breaches.

A few examples of third-party data breaches that exposed first-party data involve major companies and organizations such as Ticketmaster, Johns Hopkins University, and, infamously, SolarWinds. Although these organizations differ in the services they offer, they all suffered from vulnerabilities created by the actions of third parties, or it was a third party that led to the exposure of first-party data.

And while it is not possible to fully insulate first-party data from a potential attack, reducing the risk of exposure through proper vendor management and third-party accountability mechanisms helps ensure that all parties are safeguarding personal information with adequate protection, keeping both your reputation and your customers' data secure.

Vendor Management Solutions

Practical and reasonable measures must be taken to ensure a thorough vetting is done when choosing third-party vendors and service providers to employ or when entering into:
  • A sale of data (broadly defined as exchange of data with third parties for consideration by most statutes), or 
  • A contractual relationship with a service provider (that may then work with other service providers, or subcontractors, further down the data value chain). 

Harms that result from unrestricted or unapproved secondary uses of data, particularly secondary uses by unvetted third parties, may expose a company to reputational damage, loss of customer trust, and liability under the patchwork of state and federal U.S. privacy laws, even when the company was unaware of harmful actions taken by a third party or subcontractor.

Proper vendor management should be a central goal of any data controller's privacy compliance program. Through no intent of their own, some processors may lack the infrastructure or the in-house team needed to navigate requirements or to recognize where there is room for growth, especially when dealing with the volume or sensitivity of first-party data.

Because many processors find themselves in the early stages of the privacy program maturity curve, evaluating the appropriateness of a processor's privacy and security practices from the outside can be difficult for data controllers. However, to avoid fines and other consequences, companies must find a way to evaluate the maturity of external privacy operations, or risk entering a relationship that increases the controller's exposure to liability.

While privacy, procurement, and legal teams carry critically important responsibilities in evaluating third-party and other vendor relationships, organizations can also leverage external support to determine which processors adhere to industry-leading standards for security and accountability.

The Global Cross Border Privacy Rules (CBPR) certifications provide a solution. 

CBPRs are an international privacy certification framework created to ensure that global companies meet interoperable standards for data governance and privacy, even in the absence of an applicable domestic privacy law. These standards thread the needle of regional differences while harmonizing foundational principles for data privacy best practices.

Global CBPRs offer two certifications: the CBPR certification for data controllers and the Privacy Recognition for Processors for data processors. The latter focuses on security safeguards and accountability measures to ensure that all data is processed securely and with a duty of care to handle it responsibly. Both certifications hold companies to an enforceable, cross-jurisdictional standard that requires an in-depth review of policies and practices related to personal data.

Although originally a regional framework, the framework has been open to all countries since a 2024 expansion. This is a critical development, as it allows a broader set of data privacy standards to cohere while creating a clearer path toward a global interoperable standard. From the vendor management perspective, it is a helpful tool for managing third-party vendors and service providers and for instituting quality control measures throughout the lifecycle of personal data collection and processing.

With applicability in nine major economies (and counting), first-party data collectors are able to engage with vendors globally with added ease, and vendors have a tangible way to demonstrate their commitment to safeguarding data.

The benefits of a vendor management tool include a reduced risk of contracting with a third party that lacks appropriate policies related to data protection and data breaches. Global CBPRs analyze each applicant's network-related security policies as part of the certification to ensure companies have adopted modern network safeguards, access control and acceptable use best practices, and subprocessor controls.

Effective vendor management through evaluation and certification is a necessary and trusted signal for the industry, and a first line of defense against risks from third-party breaches. Using a uniform certification can help streamline the procurement process for vendors tasked with processing personal information.

By starting with the Global Cross Border Privacy Rules as a baseline, developing a scalable vendor management program and reducing risk becomes an achievable victory.

Want to get started with vendor management or have questions? Reach out to our team at globalprivacy@bbbnp.org and our team will help you get started with effective vendor management today!