AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

What Is A Third Party Data Breach?

A third party data breach is exactly what the name implies: it's when sensitive information is lost by a third party.  For example, let's say you're a customer of Company A.  This company contracts out some work to Contractor C--say, for the creation of a new CRM.  Company A hands over your data--among hundreds or thousands of others--to Contractor C so that this new software works correctly with existing customer data.

And then, Contractor C loses the data.  Perhaps a laptop is stolen from a programmer's car or during a corporate office break-in.  Or perhaps the data is backed up to a tape that is subsequently lost.  You get the idea.  It's a data breach, and it's been effected by a third party (i.e., neither you nor Company A, the original company you have a relationship with).

Who's Responsible for Third Party Data Breaches?

Against all common sense, the third party is generally not responsible for third-party data breaches. Not that this means the contractor doesn't have a problem on its hands; obviously, a data breach is not going to do wonders for a relationship between Company A and Contractor C.  The entity that has to deal with the public, though, is Company A.

This can be easily seen by what happens when a data breach occurs.  All the notifications and letters of apology are sent by the original company that collected the data.  The contractor could be named, but oftentimes (in my experience) affected companies go out of their way to protect the third parties who caused the problem.

For example, when The GAP had a third-party data breach nearly two years ago--affecting 800,000 people who filled out an application with the casual clothes retailer--it declined to name the contractor who experienced the data breach.  This was despite the contractor not having followed agreements to use data encryption to protect said data.

How Can Third Party Breaches Be Prevented?

The answer, unfortunately, is that they cannot be prevented...at least, not 100% of the time.  However, steps can be taken to minimize the risk of a data breach.  One of the first steps is to use encryption where possible.

For example, whole disk encryption used on laptops would ensure that information on stolen computers remains secure.  If the contractor for The GAP had encrypted its laptops, as per their contractual agreement, the international retailer wouldn't have had to spend resources contacting 800,000 people about the breach, as well as extending free credit monitoring services (free to the 800,000; not free to The GAP).

As the same example shows, though, there's no guarantee that a third party will actually do what it agrees to in a contract.  So, how to ensure that specific information-security measures are in place?

Depending on how important the issue happens to be, a company could pursue the issue and follow up on it.  A centrally-managed encryption solution like AlertBoot, for example, would allow the third party to easily encrypt its laptops as well as easily generate reports to confirm this.  Or, the company that contracted out the job could just log in to the web-based console to confirm as much (the third party would have to agree to it, obviously).

Encryption is not the end-all, be-all of data security, though.  If the computer holding the data is connected to the internet, consideration must be given to firewalls, application control (what if someone installs P2P software?), and e-mail attachments.

There may even be a need for USB port control if there aren't any company policies restricting the copying of files to and from personal flash-memory devices (or, even if such policies do exist).

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.