Risk Assessments

  • 1.  Vendor Breach Workflow

    Posted 12-16-2020 09:54 AM
    Does anyone mind sharing the steps performed by the organization once a breach has been discovered and/or reported from a TPRM standpoint for a vendor? The Right to Audit is in place in our contracts, but I'm looking for specific suggestions for due diligence on our end during these scenarios. Should we request an incident report, go through the entire risk assessment again, or request specific items, if it has been determined that our company data has been compromised? Thanks, DC


  • 2.  RE: Vendor Breach Workflow

    Posted 12-17-2020 09:51 AM

    Hi Deidra,

    I don't know if this'll help, but here's a nice resource with guidance on how to respond to a data breach notification from a vendor:

    https://info.corvusinsurance.com/hubfs/Whitepapers/The%20Ultimate%20Guide%20to%20Responding%20to%20a%20Vendor%20Data%20Breach.pdf




  • 3.  RE: Vendor Breach Workflow

    Posted 12-30-2020 11:04 AM

    Hi Joe!

    Hope you had a nice holiday.

    You're totally on the right track. As long as their risk assessment is current and you ensure that the appropriate due diligence was conducted, you won't need to restart a risk assessment. However, if either of those is not true, start one immediately. And definitely prioritize "assessing" the damage, so you'll want to find out if any company data has been compromised as soon as possible. Get a report from the vendor with as much detail as possible. Check the contract for anything that has to do with response and reporting on their end. Report the incident to the business internally and any other security / risk stakeholders, as appropriate. Remember that while TPRM is a great source for gathering and reporting risk information, the risk is OWNED by the line of business who signed the contract. They should be the primary point person for this process. Depending on the scope of the breach and how your organization is set up, the issue may be passed off entirely to an incident response team, compliance, legal or risk. Keep track of progress in your vendor record, and what steps are conducted to manage containment of any damage. Finally, you'll want to circle back on the risk assessment process and document any lessons learned.

    Hope this is helpful! Feel free to reach out if you'd like to discuss further.

    Happy new year!




  • 4.  RE: Vendor Breach Workflow

    Posted 12-30-2020 11:51 AM

    Good Morning, all-

    I think everyone is very much on the right track and I agree with everything Nicole noted in her response!

    One thing I would add is that your response approach will also largely depend on the type of breach. For example, corrective measures for a cybersecurity breach that results in the exposure of an individual's personal information will differ from measures that should be taken if an individual's personal information is exposed due to human error or negligence, such as a consumer's SSN being inadvertently displayed in a public filing like a Foreclosure Complaint or Bankruptcy filing. The former scenario will require a much more exhaustive corrective action plan, such as vulnerability and penetration testing, security patching, a post-mortem review of the incident, etc.; the latter scenario would require something more along the lines of filing a Protective Order, Motion/Order to Compel Redaction, or Motion/Order to Expunge the Record. As always, it's important to tailor your approach to the scenario in which the privacy infraction occurred. Lastly, while it is important to make the appropriate internal parties aware (and I believe this is something that Joe alluded to), it is equally important to make the affected individuals/consumers aware of the incident, and this expectation (and overall handling of security incidents) is largely guided by federal and state statutes, so it's important that both your organization and its third parties are familiar with the applicable statutes and regulations.




  • 5.  RE: Vendor Breach Workflow

    Posted 01-07-2021 11:00 AM
    Thank you!