This article was originally posted on NYU Law School’s Compliance & Enforcement blog.
Privacy regulators increasingly are prescribing rules around third-party vendor and data processing management.<fn>In addition to the EU’s General Data Protection Regulation, the California Consumer Privacy Act, and Brazil’s General Data Protection Law, several other countries are making progress on data privacy bills, including Argentina and New Zealand. These regulations have prompted regulated entities to consider whether to pursue a single global compliance strategy or, instead, to pursue a fragmented approach to privacy compliance. See Data Privacy Compliance, Gartner, https://www.gartner.com/en/legal-compliance/insights/data-privacy-compliance (last visited Oct. 22, 2019).</fn> As of March 1, 2019, for instance, New York’s Department of Financial Services (NYDFS) requires that Covered Entities establish policies and procedures for assessing the risks posed by vendors, determining minimum cybersecurity and privacy practices, conducting due diligence, and following up with periodic assessments.<fn>Covered Entity “means any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” N.Y. Comp. Codes R. & Regs. tit. 23, § 500.1(c) (2017). Covered Entities “implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers.” Id. § 500.11(a).</fn> However, the NYDFS does not go so far as to prescribe a “one-size-fits-all” approach to these third-party management requirements.<fn>FAQs: 23 NYCRR Part 500 – Cybersecurity, N.Y. St. Dep’t Fin. Servs., https://www.dfs.ny.gov/industry_guidance/cyber_faqs (last visited Oct. 8, 2019).</fn> Nor do other financial regulators, such as the Financial Industry Regulatory Authority, leaving the decision as to the appropriate form of third-party management largely to the entities themselves.<fn>See Avi Gesser et al., 2019 Predictions – Top 10 Cybersecurity/Privacy Trends to Prepare for Now, Compliance & Enforcement (Jan. 15, 2019), https://wp.nyu.edu/compliance_enforcement/2019/01/15/2019-predictions-top-10-cybersecurity-privacy-trends-to-prepare-for-now.</fn>
How, then, should companies implement NYDFS-style third-party risk management rules? The leading approach taken by compliance functions is to invest heavily in upfront due diligence of third-party vendors and data processors. This “point-in-time” approach is premised on the idea that third-party risks are best identified by asking an exhaustive list of questions prior to the onboarding of a third party and recertifying those answers on a future date. A Gartner survey of 195 chief privacy and compliance officers shows that 72% of the effort allocated to identifying and monitoring third-party privacy risks happens during upfront due diligence and recertification.
This allocation of resources, however, does not best capture material privacy risks. New research from Gartner shows why the point-in-time approach does not best capture third-party privacy risk. Eighty-three percent of privacy officers surveyed in a recent Gartner study said that they identified third-party risks after due diligence and before recertification. Moreover, 31% of those risks identified between due diligence and recertification resulted in a material impact to the company, where material impact is defined as costing the company more than 0.05% of revenue. For instance, a third-party vendor offering new-in-kind data processing services might experience a shift in product strategy after a company does due diligence on them, which could lead to riskier forms of data processing for the company.<fn>“New-in-kind data processing services” refers to novel methods of processing data. Such methods are typically developed to process data faster or derive new insights from data. For instance, so-called “stream processing” allows data to be collected and processed without storing the data prior to processing. This type of processing is valuable in situations where the value of the data declines precipitously even minutes after its creation. See, e.g., What Is Streaming Data?, AWS, https://aws.amazon.com/streaming-data (last visited Oct. 22, 2019).</fn>
Paradoxically, the very third-party vendors that are emerging to help companies manage third-party privacy and cyber risk are, due to their new services and new business models, in some cases exposing companies to new compliance risks.
To understand the shortcomings with the point-in-time approach, we need to appreciate the changing nature of third-party risk. Increasingly, third parties are performing new-in-kind technology services for companies. Moreover, third parties providing such services include an increasing number of business model innovators. Finally, as data continues to grow in importance, such third-party vendors are increasingly providing services to the companies that hire them outside of the companies’ core business models. In short, organizations’ third- and fourth-party ecosystems continue to grow in size and complexity.
The implication of this survey data is that compliance with the NYDFS’s third-party risk rules, and others like them, through the traditional point-in-time approach might not be enough to protect companies from material risks. Forward-looking companies, then, should take care not to mistake “thorough due diligence” for adequate risk reduction.<fn>FAQs: 23 NYCRR Part 500 – Cybersecurity, supra note 3.</fn> Such companies will need to employ an alternative approach to compliance that better accounts for the material risks that arise between due diligence and recertification.