Digital Vendor Risk Management – The Next Compliance Frontier

Authored by Chris Olson, CEO & Co-Founder, The Media Trust

This article originally appeared in Law360 in September 2017

Compliance Rules Law Regulation Policy Business Technology concept

In 2013, Target, a popular US-based retailer suffered a massive data breach as a result of a compromised contractor. That incident, and countless others like it, changed the way organizations—and regulators—view data security, third-party business relationships, and risk management.

Unfortunately, heightened awareness of third-party risk and the urgency of identifying third-party activity has not fully extended to the consumer-facing digital assets—websites, mobile applications, social media—that form the backbone of modern business-to-consumer communications. As demonstrated by Equifax’s recent website breach[i], internet-rendered risks need to be taken more seriously. Enterprises that fail to see how their digital assets act as conduits for nefarious actors and for unauthorized data collection and data sharing, could result in dire consequences in the form of regulatory fines, security incidents and brand damage. Besides lost fees, law firms and legal consultants are doing a disservice by not providing a more comprehensive guidance to their clients.

Dynamic digital ecosystem

Internet-related technology has changed dramatically in a short time span. To put things into perspective, 20 years ago websites contained static code, mostly owned and operated by the enterprise. Fast forward to today and the polar opposite: a majority of code that executes on websites (between 50-75%) come from third-party service providers.

Third-party vendors provide the interactive and engaging functionality that people expect when they visit a website—content recommendation engines, customer identification platforms, social media widgets and video platforms, to name a few. In addition, third parties are also the source of numerous backend services that optimize the digital business-to-consumer interaction—content delivery network, marketing management platforms, consumer data tracking, data analytics, and more.

Yes, third parties are critical to the business-to-consumer digital experience, but they also present critical challenges to the enterprise. Many enterprises do not closely monitor the scope and nature of the data collection and sharing activities occurring on their digital assets. Because third-party vendors typically operate outside the purview of today’s IT and security infrastructure, enterprises often have minimal insight into or control over the actual website code execution and data collection activities on its digital assets, including activities that directly impact a customer’s browser.

Many of today’s website security solutions and consent management tools are insufficient to monitor this third-party code and data collection activities. As a result, digital assets can easily be compromised without an enterprise’s knowledge and become a conduit for malware propagation, data leakage, and unauthorized tracking and data collection. Enterprises not actively managing this third-party digital risk face significant harm in the current regulatory environment around data compliance; and, this reality should be a major boardroom or C-level topic.

Enterprises need digital asset compliance strategies for various domestic and international privacy and security regulations such as COPPA, HIPAA, FERPA and GDPR, among others, as well as industry standards such as PCI DSS and voluntary self-regulatory practices. The ability to demonstrate compliance reduces the risk of penalties, hefty fines and ensuing reputational harm, not to mention black swan events as experienced by Target and Equifax.

Digital risks require a digital management approach

Effectively identifying, defining and mitigating digital asset risk, while challenging, is consistent with the principles of Vendor Risk Management (VRM; sometimes also called “vendor management”). VRM is the widely adopted practice of building an extensive organization-wide plan to identify and decrease the potential business uncertainties and legal liabilities associated with third-party vendors, especially in relation to information technology (IT) products and services. Today’s digital environment requires VRM strategies, but with a twist to adapt to its ever-changing nature and the fact that most digital asset activities are not traditionally associated with privacy, data security, and compliance.

Enter digital or online vendor risk management. This process extends the third-party risk management processes of VRM to the various vendors who are active in an enterprise’s digital ecosystem. Effective application calls for collaboration among security, risk and compliance professionals to ensure continuous monitoring of consumer-facing digital assets—websites, mobile apps and social media—to identify, analyze and govern third-party digital vendor risks.

Mapping the uncertainty and potential threats that third-party activities on digital assets pose is not straightforward. Due to the size, complexity and variability of the opaque enterprise-digital vendor relationship, digital asset management requires a specific policy. First, however, enterprises need to evaluate risks in two critical areas:

  1. Security: An enterprise’s digital assets are directly affected if a third- (or even a fourth- or fifth-) party vendor’s code is compromised to deliver malware to consumers, redirect consumers or create a vulnerability that can be exploited to breach the enterprise network. As the primary vector for the incident, the enterprise is responsible for protecting not only its digital assets and network but also its customers, employees, and third parties who use those digital assets.
  2. Data Regulations: Organizations are also responsible for preventing undisclosed or unauthorized data collection and data sharing activities on their digital assets, even if the conduct results from the activities of a third-, fourth-, or fifth-party digital vendor and the enterprise is not aware of those activities.

For example, if a digital vendor contributing code to an enterprise website collects information about or tracks online activities of children (under 13 years of age in the U.S., or presumptively under 16 years of age in the E.U.) the enterprise may have violated COPPA and/or GDPR.  The enterprise bears a significant portion of liability because the activity took place as a result of a digital vendor authorized to execute code or engage in other activities on their digital asset and they did not monitor those activities or otherwise manage vendor risk.; Failing to explicitly detail, monitor, and enforce authorized digital asset activities and prohibit unauthorized ones could have significant legal, operational, and trust implications for the enterprise.

Evaluating these two critical areas highlights both the types and levels of risk posed by failing to manage third-party digital vendors. Furthermore, the answers point to the need for developing a specialized digital asset policy(ies), which should be shared with digital service partners and providers to make sure that they, too, are aware of their compliance obligations and for the risks associated with non-compliance. This policy should address regulations (national and international), industry best practices and company-specific data policies.

Rein in risk exposure for websites and mobile apps

The digital ecosystem is riddled with security and compliance hazards, and U.S. and international regulators are increasingly aware of the risks posed by third-party digital vendors and the absence of enterprise awareness. Emerging regulatory frameworks, including GDPR, place an increased emphasis on vendor management and thus provide a rare opportunity for legal and compliance consultants to educate their clients about the hidden vulnerabilities in their digital assets and the importance of risk mitigation. Now, more than ever, IT, security, risk and compliance departments must collaborate to effectively govern their digital assets.

At a high level, the process for controlling digital asset risk involves three steps:

  1. Discover and classify: Identify all digital vendors and analyze all digital vendor code executing on websites, mobile apps and social media platforms.
  2. Communicate and comply: Once the digital vendors have been identified, share your digital asset management policy with them, set parameters to measure their compliance with relevant policy directives, and establish contracts delineating authorized activity. Pay particular attention to real-time cookie drops, pixel fires, other data tracking elements that identify users and/or their devices, and data collection and sharing activities.
  3. Monitor, resolve and report: When monitoring discloses an unauthorized digital asset activity, the enterprise should block the code and remediate the unauthorized activity with the offending vendor. Create an audit trail by documenting the entire cycle and vendor ability (and willingness) to abide by stated policies.

If digital or online vendor risk management seems like a lot of work, or an unnecessary extension of existing compliance practices, then security, privacy, risk, legal and compliance professionals should ask themselves: “Would we allow a stranger to enter our office building and carry out unauthorized activities such as taking our customer information, sending our customers to our competitors, or violating our policies and procedures?” No, you wouldn’t. Therefore, it only makes sense to exercise the same caution for your digital assets.