A data breach at State Street Corp. disclosed by the financial services firm in May provides lessons in contractor security and data handling, security experts said.
Boston-based State Street said a contractor hired to conduct data analysis lost a disk drive containing the personal information of 5,500 employees and 40,000 customers. The firm disclosed the breach four months after it learned of the incident and notified employees and customers of the former Investors Bank & Trust Company (IBT), which it acquired last year.
IBT had contracted with a legal support service to review its electronic records and compile data for federal regulators during the acquisition. The data was initially encrypted but the contractor unencrypted the information and stored it on computer equipment, which was stolen from its facility.
State Street took many technical precautions but protecting sensitive data also requires non-technical measures, said John Moynihan, president of consulting firm Minuteman Governance and former deputy commissioner and internal control officer at the Massachusetts Department of Revenue.
"When sharing data with third parties, administrative controls are very important. In this situation, it appears that the breakdown was in the administrative area," he said.
Administrative controls, he explained, include: clear, written standards governing vendor use, storage and transport of data; vendor background checks; making sure vendor employees are aware of the standards; and monitoring compliance through on-site inspections.
Sudbury, Mass.-based security consulting firm SystemExperts Corp. works with financial services firms to ensure their third-party processors are effectively protecting their data, said Jonathan Gossels, president and chief executive.
"They have a formal partner evaluation in place," he said. "They determine from a risk analysis basis the value of the information that's being shared and come up with appropriate controls. That's the right way to handle it."
Policies for data handling should be specific, said Richard Mackey, vice president of consulting at SystemExperts. "Any time this [data] is put on a disk, it needs to be encrypted in this manner. Anytime it's transmitted, it needs to be transmitted in this manner. This is how keys need to be managed and what algorithms are acceptable," he said.
In addition to auditing third parties' security practices before engaging with them, companies should include contractual provisions that allow for periodic audits during the engagement, said Randall Gamby, analyst at research and consulting firm Burton Group.
"A lot of contractors are sight unseen. [Organizations] really need to go back and do an audit, especially if highly sensitive information [is involved] to make sure proper procedures and protections are in place," he said.
On-site inspections often deter blatant violations, Moynihan said. And vendor background checks are critical because "you don't want an individual convicted for fraud having access to your data," he said.
One way companies can avoid data breaches with contractors is to simply keep the data in-house whenever possible, Gamby said. "Why do you need to export your sensitive data anyway? Why not create a pipe that allows them to look, in a restricted way, at the data natively?"
Paul Rohmeyer, industry assistant professor at the Howe School of Technology Management at the Stevens Institute of Technology, agreed. In the State Street case, the contractor was providing a specific type of data analysis; why couldn't they have just come to the firm to do the analysis onsite instead of taking possession of the data, he asked.
"As soon as you let it [data] out the door, you could have any instance of incompetence, mischief, or technical failure pop up that could cause your data to be breached," Rohmeyer said.
If data does need to be shared with a contractor, it should be restricted only to the specific information needed for the job, Gossels said.
"All too often, when companies share information with business partners, they tend to take a bundle of data, even if all the elements aren't needed for that particular relationship," he said.
Some financial services firms SystemExperts works with only share Social Security numbers when absolutely critical, Mackey said.
Despite the best of intentions, breaches can occur and companies need to plan for them. Gamby advised that organizations review their breach processes and policies and make sure they account for third parties.
"A lot of breach documentation deals with the corporation itself having a breach but doesn't deal with outside contractors or partners…They need to make sure breach processes reflect the current business environment they're working in," he said.
Also, contracts should include provisions that require third parties to pay for costs associated with breaches they cause, he said.