Come to our session at #PSR18 – Vendor Risk Management: Maintaining Relationships While Limiting Liability

Are you at IAPP – International Association of Privacy Professionals P.S.R. #PSR18 in Austin? If so, please come to our Thursday 10:30 – 11:30 session on Vendor Risk Management: Maintaining Relationships While Limiting Liability in Lone Star Ballroom A, Level 3. It should be a great session, as I get to share the panel with Tami Dokken and Melissa Krasnow, with Mark Smith as our moderator.

While you’re there, pick up your copy of Bloomberg BNA’s Domestic Privacy Profile: Texas!

If you can’t make it, here is a link to the .pdf (hey, I know people!).

Session Info:

3 Critical Cybersecurity Steps Your Company Must Take

I have presented at several cybersecurity conferences over the last few weeks and have had an opportunity to listen to and talk with some of the most highly regarded experts in this field. These include experts from the FBI and the Secret Service, private-industry experts, and many others.

The message I have heard over and over from all of these people echoes these three things that every company must be doing to protect itself right now. To me, this means they qualify as “critical” for companies to be more secure. Obviously, there’s a lot more that companies should do, and I’m sure many people have their own thoughts as to what these three may be, but these are the three I have heard over and over:

  1. Train all employees to recognize and resist falling for phishing emails.
  2. Use multi-factor authentication.
  3. Use adequate logging to detect intrusions and unauthorized activity in your network, and retain the logs for an adequate period of time. Breach studies put the average time before an intrusion is discovered at 205 days. The logs will be crucial in any investigation, so you need to retain them for at least that long.
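To make step 3 concrete, here is an added illustration (my own example, not code from the original post or from any of the experts it cites) of what "adequate logging to detect intrusions" looks like in practice. It parses a handful of constructed OpenSSH-style authentication log lines, flags a source address that succeeded only after a burst of failed passwords, and checks whether a given retention window reaches back at least the 205 days quoted above. The log lines, host name, IP addresses (from documentation ranges) and user names are all invented for the example.

```python
"""Toy intrusion detection over SSH authentication logs.

Added illustration for the "adequate logging" step; not code from the
original post. The log lines below are constructed for this example and
follow the common OpenSSH/syslog format; 205 is the dwell-time figure
quoted in the post.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 (documentation range) fails repeatedly
# against several accounts, then succeeds as "backup". The other entries
# are ordinary logins that a detector should NOT flag.
SAMPLE_LOG = """\
2024-03-01T09:12:01 host1 sshd[2201]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
2024-03-01T09:40:15 host1 sshd[2301]: Failed password for root from 203.0.113.7 port 40001 ssh2
2024-03-01T09:40:17 host1 sshd[2302]: Failed password for admin from 203.0.113.7 port 40002 ssh2
2024-03-01T09:40:19 host1 sshd[2303]: Failed password for invalid user test from 203.0.113.7 port 40003 ssh2
2024-03-01T09:40:22 host1 sshd[2304]: Failed password for backup from 203.0.113.7 port 40004 ssh2
2024-03-01T09:40:24 host1 sshd[2305]: Failed password for backup from 203.0.113.7 port 40005 ssh2
2024-03-01T09:40:27 host1 sshd[2306]: Accepted password for backup from 203.0.113.7 port 40006 ssh2
2024-03-01T10:05:44 host1 sshd[2401]: Failed password for bob from 192.0.2.22 port 52010 ssh2
2024-03-01T10:05:59 host1 sshd[2402]: Accepted password for bob from 192.0.2.22 port 52011 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd auth line, or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "method": m["method"],
        "user": m["user"],
        "ip": m["ip"],
    }


def find_brute_force_successes(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return (ip, user, ts) for every accepted login that was preceded, from the
    same source IP, by at least `threshold` failures within `window`."""
    failures = defaultdict(list)  # ip -> timestamps of failed attempts
    hits = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            failures[ev["ip"]].append(ev["ts"])
            continue
        recent = [t for t in failures[ev["ip"]] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            hits.append((ev["ip"], ev["user"], ev["ts"]))
    return hits


def retention_covers_dwell_time(oldest_retained_iso, now_iso, dwell_days=205):
    """True if retained logs reach back at least `dwell_days` (the post's 205-day figure)."""
    oldest = datetime.fromisoformat(oldest_retained_iso)
    now = datetime.fromisoformat(now_iso)
    return now - oldest >= timedelta(days=dwell_days)


if __name__ == "__main__":
    for ip, user, ts in find_brute_force_successes(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()} {ip} logged in as {user} after repeated failures")
    print("90-day retention covers 205-day dwell time:",
          retention_covers_dwell_time("2023-12-02", "2024-03-01"))
    print("1-year retention covers 205-day dwell time:",
          retention_covers_dwell_time("2023-03-01", "2024-03-01"))
```

The point of the example is the pairing: the detection rule is only as good as the log it reads, and the retention check is what keeps that log available for the investigation that follows a discovery months later. Bob's single typo followed by a successful login is not flagged; the five failures from one address followed by a success are.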

UPDATE: After I posted this article on LinkedIn, my friend Jim McConnell, who knows more about third-party risk and supply-chain risk management than probably anybody else I know, posted the following suggestions in response. As usual, Jim is spot-on, and I would like to share his insights with you:


The post is HERE and I would encourage you to join in the discussion — after all, we are all learning from each other as we go along and conversations like this are a great way to do it!


Is Your Business Following the 3 Steps the FTC is Requiring for Using Data Service Providers?

The Federal Trade Commission now requires businesses to take the following 3 steps when contracting with data service providers: Investigate. Obligate. Verify.

Is your business following these steps?

  1. Investigate. Businesses are required to investigate by exercising due diligence before hiring data service providers.
  2. Obligate. Businesses are required to obligate their data service providers to adhere to the appropriate level of data security protections through their contractual agreements with the provider.
  3. Verify. Businesses are required to take steps to verify that the data service providers are adequately protecting data as required by the contractual standards.

These 3 steps were identified and explained by Daniel Solove in Duties When Contracting with Data Service Providers, in which he explains how the FTC developed this new standard of care by drawing on the norms and standards that have developed in the law of privacy and data security generally and now, in effect, giving them the force of law. He discerns these standards from, among other things, the recent FTC case In the Matter of GMR Transcription Services, Inc. (Jan. 31, 2014).

Solove also makes the following observations:

  • The standards could lead to an FTC enforcement action because of poor data service provider management alone, even without a data breach.
  • All companies need to take a closer look at their own data service provider management practices.
  • Virtually all businesses fall within the FTC’s regulatory authority and should follow these guidelines.
  • Even organizations that are not under the FTC regulatory authority should still follow these guidelines as the standard of care when it comes to contracting with data service providers.