It's difficult enough maintaining visibility and control over data located within the confines of the company. So what happens when data leaves the building, perhaps headed for a cloud provider, a third-party benefits administrator, or to the Comfort Inn inside a traveling employee's laptop or tablet?

Given the network of third parties, including resellers, vendors, suppliers, and others that most companies maintain, keeping tabs on data both inside and outside an organization is increasingly critical. Add to that the legions of road-weary employees, coupled with the ever-expanding storage capacity of their smartphones and tablets, and the job only gets harder.

Indeed, third parties are involved in 41 percent of data breaches, according to a 2011 Cost of Data Breach study conducted by the Ponemon Institute, a data security research firm. Data breaches attributed to third parties also tend to involve greater numbers of records, according to the DataLoss Database, a research project of the Open Security Foundation. Researchers theorize that this may stem from the type of work third parties often handle, such as benefits administration or payment processing.

Data breaches can inflict significant legal and administrative costs, not to mention reputational damage, if companies fail to take prudent steps to secure their data, even when it's held by others. The Ponemon study put the average cost of a data breach at $5.5 million, including direct and indirect expenses, such as the cost of an internal investigation.

Monitoring data held by third parties can be a daunting, and at times tricky, proposition. “It's much less complex to control your own environment, versus controlling others with whom you need to share data,” says attorney Lisa Sotto, head of the privacy and cyber-security practice at law firm Hunton Williams.

To effectively protect their data, companies should borrow a practice from the environmental industry and take a “cradle to grave” approach, says Sotto, who worked in environmental law before turning to data security about a dozen years ago. That is, compliance officers need to consider the steps required to secure data from the time it's created until it's destroyed. Sotto notes that just as it's possible to experience leaks of hazardous materials, it's also possible to have data leaks. Both can be costly and damage customer relations.

Another recommended practice is defining “data” or “records” broadly. Sensitive data increasingly can be found not only on official corporate systems, like the payroll system, but also on records held by third parties, as well as documents that often aren't considered part of traditional data repositories, such as e-mails or text messages.


This is one area in which many organizations could improve. According to a 2013 survey by AIIM, an organization for information professionals, while nearly three-quarters of respondents include e-mail in their retention policies, slightly more than half depend on employees to manually save important e-mails as records.

After companies have defined the universe of data they want to manage, they must then locate it. While this sounds obvious, it's sometimes overlooked. “You can't safeguard data if you don't know where it is,” says Rebecca Herold, an information privacy, security, and compliance consultant with Rebecca Herold & Associates.

Finding data can require a data mapping exercise, says David Navetta, a founding partner of the Information Law Group and co-chair of the American Bar Association's Information Security Committee. The goals are to determine what information is being collected and for what purposes, where it's stored, how it's protected, and who's responsible for securing it. Only then can you get a handle on the risk it presents, Navetta says.

Unfortunately, the process typically doesn't lend itself to automation, Navetta says. Instead, it usually requires working with IT and other departments to gain an understanding of the information being created and transmitted in and out of an organization. “This can be an excruciating process,” he says. It's not made easier by the fact that new data constantly is entering the picture.

ABOUT THIS SERIES

Compliance Week's six-part series, “The Lifecycle of Information Governance,” sponsored by HP Autonomy, will examine all the elements of handling information properly—from creation to storage to destruction—and how compliance departments should address each element.

Part 1: Crafting an Effective Data Security Policy, Feb. 12

Part 2: Catching and Managing New Data, Feb. 20

Part 3: Get Data Classification Right First

Part 4: Protecting Data From Inside and Outside Threats

Part 5: Tracking Data After It Has Left the Building

Part 6: To Be Announced

Conducting Due Diligence

The next step is to perform appropriate due diligence. Once companies have an idea of the type and volume of data they may be supplying to third parties—and before they sign any contracts—it makes sense to undertake a rigorous due diligence process. They want to ensure that third parties will safeguard data in expected ways.

A questionnaire can offer an overall understanding of the other party's security environment, Sotto says. If a third party will be working with a large volume of data, or if the information is especially sensitive, it may be worthwhile to send someone onsite to examine their systems, she adds.

You'll want to check that the third party has information security or privacy policies in place, Herold says. Equally important is verifying that personnel receive training on the policies and are held accountable for safeguarding clients' information. It's not uncommon to find that “the people handling the information are not told what to do with it,” she adds.

Another important step: Get it in writing. “Impose contractual obligations on the third party to protect your data,” Sotto says. The contract should require the company to only use the data in the way it's intended, and to safeguard it appropriately. Such requirements are becoming more common, she adds. Often, this section of a contract or addendum can run to six pages or more.

Some contracts include indemnification clauses, requiring the company to cover the costs of any breaches, says Larry Ponemon, chair and founder of the Ponemon Institute.

After appropriate due diligence on a third party and drawing up a solid contract, an organization still needs some way to be assured that the company lives up to its agreement throughout the contract term. “You want the ability to look at the vendor over time,” Ponemon says.

Reviews should be conducted on a periodic basis, since vendors or other third parties may change ownership, or find they lack the resources to carry out the protections initially promised, Sotto says. “You can get a handle on this at the beginning (of a partnership), but don't take it as indicative of what may happen five years down the road.”

POSITIVE AND NEGATIVE DATA BREACH ATTRIBUTES

According to the Ponemon Institute's 2011 Cost of Data Breach Study, six positive and negative attributes can influence the cost of a data breach. Details below.

Over the years of conducting this research, we have identified six attributes that can influence the cost of data breach. The percent of organizations in this study that have these attributes is shown in the figure below. These attributes are defined as follows:

CISO (or equivalent title) has overall responsibility for enterprise data protection. Forty-three percent have centralized the management of data protection with the appointment of a C-level security professional.

Data was lost or stolen due to a third party flub. Forty-one percent of organizations had a data breach caused by a third party. This can include when protected data is in the hands of outsourcers, cloud providers, and business partners.

The organization notified data breach victims quickly. Forty-one percent notified victims within 30 days or less.

The data breach involved lost or stolen devices. Thirty-nine percent of organizations had a data breach as a result of a lost or stolen mobile device, which included laptops, smartphones, tablets, and USB drives that contained confidential and sensitive information.

Consultants are engaged to help remediate the data breach. Thirty-seven percent of organizations represented in this study hired consultants to assist in their data breach response and remediation.

It is the first time the organization had a data breach. Most of the organizations in this year's study have already experienced a data breach. Only 22 percent say it is the first time.

Source: The Ponemon Institute.

One way to be assured the company is adhering to the contract is by requiring an independent party to validate its processes, Herold says. An example would be an Information Security Management Systems (ISMS) audit. This type of audit examines the information management system for compliance with ISO 27001, an information security management standard.

Another option is attestation, or requiring an executive with the third party to submit quarterly or monthly statements attesting to the steps the company is taking to secure data. “Having an executive put their name on it establishes accountability,” Herold says.

Finally, the data itself should be secured through encryption or encoding. In the past, security often focused on protecting the systems through which data flowed, with firewalls and other tools, says Navetta. As data travels further from central repositories, it becomes more important to secure the data itself, rather than just the systems, he adds.

Another option is data loss prevention solutions, Ponemon says. These often combine hardware and software to prevent the wrongful outflow of data; that's in contrast to, say, anti-virus software, which tries to keep malware or viruses from entering a system. However, using this tool may require the client company to gain access to the provider's network in order to watch for anomalies in network traffic. Some of these tools currently aren't as sophisticated as the tools that secure the systems or perimeters, Navetta says. They should improve over time, though, he adds.
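As an added illustration, not code from this article or from any vendor it mentions, the check below applies a data map of the kind Navetta describes (what data, which third party may hold it, how it is protected) to a few constructed outbound transfer records, the way a content-inspecting data loss prevention rule would. Every data class, recipient name and sample record is a hypothetical placeholder.

```python
import re
from dataclasses import dataclass

# Constructed data map (hypothetical): data class -> third parties approved
# to receive it. Recipient names are placeholders, not real vendors.
DATA_MAP = {
    "payroll": {"benefits-admin.example"},
    "payments": {"payment-processor.example"},
    "marketing": {"crm-vendor.example", "analytics.example"},
}
# Classes that must be encrypted before leaving the building, so the data
# itself is protected rather than only the systems that carry it.
ENCRYPTION_REQUIRED = {"payroll", "payments"}
# Crude pattern for US SSN-shaped strings: catches sensitive content that is
# travelling under a label the data map treats as non-sensitive.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

@dataclass
class Transfer:
    data_class: str  # label assigned when the data was classified
    recipient: str   # third party the record is being sent to
    encrypted: bool  # whether the payload is encrypted end to end
    sample: str      # constructed snippet of the payload content

def check_transfer(t):
    """Return the policy findings for one outbound transfer (empty = allowed)."""
    findings = []
    approved = DATA_MAP.get(t.data_class)
    if approved is None:
        findings.append("unknown data class: not in data map")
    elif t.recipient not in approved:
        findings.append(f"{t.recipient} not approved for {t.data_class}")
    if t.data_class in ENCRYPTION_REQUIRED and not t.encrypted:
        findings.append("sensitive data leaving unencrypted")
    if t.data_class not in ENCRYPTION_REQUIRED and SSN_RE.search(t.sample):
        findings.append("SSN-shaped content in non-sensitive class")
    return findings

def audit(transfers):
    """Map the index of each offending transfer to its findings."""
    return {i: f for i, t in enumerate(transfers) if (f := check_transfer(t))}

# Constructed sample transfers: one clean, three that should be flagged.
SAMPLE_TRANSFERS = [
    Transfer("payroll", "benefits-admin.example", True, "emp=1234 net_pay=..."),
    Transfer("payroll", "personal-mail.example", False, "emp=1234 ssn=123-45-6789"),
    Transfer("marketing", "analytics.example", False, "lead ssn=987-65-4321"),
    Transfer("hr-notes", "crm-vendor.example", True, "meeting summary"),
]
```

Running `audit(SAMPLE_TRANSFERS)` flags the unapproved unencrypted payroll transfer, the marketing record carrying an SSN, and the record whose class the data map has never seen; the approved, encrypted payroll transfer passes.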

That's good news for the growing number of organizations moving information to third parties. Indeed, 85 percent of respondents to the 2012 Cloud Computing Market Maturity Study identified themselves as cloud users. For them, taking steps to safeguard information both within and outside their networks is critical.