Trying to predict the privacy weather report for third party risk?
The dialog on online privacy is heating up in Washington D.C. this week as hearings and industry discussion on the merits of federal privacy legislation were prompted in the wake of the passage of the California Consumer Privacy Act (CCPA). Record snowfall levels have been reported across the country, even in typically sunny California, creating a February for the record books. This month I had the chance to facilitate a teleconference on CCPA to the Shared Assessments Program Regulatory Awareness and Best Practices working groups. Trying to predict the timeline of the implications of CCPA to third party risk is rather like predicting today’s weather report in an era of unpredictability.

For members who may not have participated in the update, I’ll summarize the sunny and cloudy viewpoints on our discussion with a recap: Background on what CCPA is; CCPA Components and Timelines; CCPA Readiness Challenges, and Implications to Vendor Management.

Background on the California Consumer Privacy Act (CCPA)
Since 1972, “Privacy Rights” are considered inalienable rights under the California Constitution. California has been a leader in putting a spotlight on the sharing of data with third parties. As early as 2003, California’s “Shine the Light” law was an early effort to address the practice of sharing customer’s personal information for marketing purposes. While the initial focus triggered updates to online privacy policies, the CCPA goes even farther in putting more rights on the control of information in the hands of individuals.

A ballot initiative was created in 2017 in to address consumer privacy rights by garnering signatures to put legislation on the ballot in the 2018 election cycle. By spring of 2018, the privacy weather forecast changed swiftly with industry disclosures of the sharing of customer data on social media sites. The activist’s ballot initiative had received over 600K signatures generating a storm of effort to draft a compromise bill that could be modified or amended by the legislative process rather than continuing to put privacy regulations out to voters. So faster than a 10-day weather forecast, CCPA was enacted by the state by the June 30th, 2018 deadline. Amendments were issued at the start of fall 2018 to address discrepancies, clarify exemptions and provide a planned timeline for compliance.

CCPA Components and Timelines
Privacy professionals have focused on the extra-territorial nature of GDPR, and California’s CCPA is creating a similar privacy tidal wave in that the focus is on the collection, use, and retention of personal information of California residents.

Scope: CCPA is targeted at for profit organizations, that do business in the state of California, and collect personal information directly from individuals or on behalf of another entity. CCPA defined trigger thresholds, designed to exempt the bulk of small businesses from needed to address compliance. CCPA applies if any one of these parameters are triggered: Annual gross revenue of $25 million, entities that buy, receive, sell or share data of more than 50K consumers, households, or devices for commercial purposes, or entities that derive 50% of its revenue from the selling of consumer data, regardless of the size of the organization.

Given that the state of California is the 5th largest economy in the world and only 34 countries in the world have greater populations than California, CCPA will have global implications to digital marketing.

Key Requirements:
CCPA defines several rights as the primary objective of the legislation. These rights include:

• To know what personal information is being collected about them
• To know whether their personal information is sold, disclosed and to whom
• The right to say no to the sale of personal information
• The right to access their personal information
• The right of deletion if there are not legitimate needs to retain the data
• The right to equal treatment and price if these rights are exercised.

CCPA defines civil penalties for violations of CCPA within defined parameters. The element of CCPA that is driving much of the heated debate is its right of private action. The potential for class action litigation, or the seeking of damages for violations is triggering a road discussion on the differences between self-regulatory standards for digital marketing and state by state requirements.

CCPA is written from a consumer advocacy point of view. The enforcement will be done by the state attorney general. CCPA comes into effect on January 1st, 2020, with ensuing regulatory guidance to be published no later than July 1st, 2020. The CA AG has indicated they will not enforce the CCPA requirements until six months after the final regulatory guidance is published.

CCPA Readiness Challenges
At first glance, such timelines would indicate CCPA compliance would be on the Privacy Farmer’s Almanac predictions for next winter. However, the consumer’s rights regarding treatment of their personal data have a “Look-Back” period of 12 months. Building the processes to address CCPA will need to be assessed and built out into a roadmap for compliance for data that has been collected in 2019. GDPR provided a 24-month timeline for compliance, and CCPA provides a much shorter timeline given the complexities of data usage in the digital landscape.

Conducting a readiness or preparation phase for CCPA readiness will tend to focus on self-assessment and review of business processes for the collection and sharing of data. Implementing a full readiness plan will be challenging until final guidance is completed. A six-month timeframe for executing a compliance program may be too short a timeline unless preparation activities have occurred to scope and shape the depth and breadth of CCPA compliance needs.

Organizations that were required to build out business processes and infrastructure will likely have a sunnier outlook for CCPA compliance since they are simply extending capabilities to the new CCPA requirements.

Key themes for preparation activities:

• Data Governance: Creating and maintaining adequate data inventories and data flows, including third parties for data with a “marketing/selling” point of view
• Consumer Advocacy: Developing the business process enablement and automation of consumer rights to access and delete data typically in unstructured data stores.
• Digital Marketing Disruption: Assessing the marketing, brand, and customer satisfaction risks for implementing limitations on the “selling” of customer data. Organizations may make business decisions in 2019 to change how or if they share customer data,
• Vendor Management: Identifying contract provisions with third party vendors and then defining sufficient due diligence based on the service they perform.
• Reasonable Security: Conducting reviews or self-assessments for data security safeguards. With the expanded focus on information security controls for marketing data – beyond the traditional “PII” focus, security controls will focus on the digital landscape, mobile and device at a much greater level of detail.

Implications to Vendor Management Functions
The digital marketing landscape has layers of third-party relationships. CCPA will trigger the need to identify the applicable third parties that will require affirmation of their obligations to limit the use of personal data beyond the terms of the contract.

3 Things to Think About

1. A “service provider” for the purposes of the CCPA, is an entity that processes personal information “on behalf” of a business.
   The vendor or “service provider” must be bound by a written contract that prohibits the use of personal information for other purposes
2. CCPA requires that for the in-scope service provider that the contract includes: A “certification” that the entity receiving the personal information understands the restrictions in the contract, and will comply
3. These obligations will require updates to key third party risk governance processes to address the contract terms and limitations, but also the corresponding third-party assessment process for due diligence and testing of the controls.

CCPA Vendor Readiness Focus Areas
The final rulemaking for CCPA will be initiated by the CA Attorney General after a series of workshops, hearings, and outreach to the industry. While final interpretations and the potential for additional amendments make final scope and timeframes a bit cloudy, there are preparation and readiness steps organizations can do this year.

For businesses that use third parties, particularly in the online or digital marketing landscape, a starting point is to assess the current vendor inventory and contracts to create a baseline. For vendors who support their clients in the digital marketing landscape, they can begin to assess their role and what data they process and be prepared for additional scrutiny in the due diligence process.

The privacy landscape will continue to evolve, and CCPA dialog will likely continue thru spring and summer of this year. The bottom line is that CCPA is creating momentum for the U.S. to adopt a different approach to digital privacy practices, and that will impact the third-party providers that enable the digital ecosystem.

The Shared Assessments Program’s Privacy Committee will be monitoring CCPA developments to identify impacts to standardized questionnaires, privacy tools, checklists, and testing procedures for the next 24 months. If you or your organization would like to participate in the Privacy Committee or CCPA sub-committee, please click here to sign up to participate in the committee.

Linnea Solem is Founder and CEO, Solem Risk Partners, LLC, a management consulting and advisory services company focused on Third Party Risk Governance, Privacy Program Management, and Enterprise Risk Management. Linnea serves on the Shared Assessments Advisory Board.

Last August, Governor John Kasich signed the Ohio Data Protection Act into law. 

The law creates a safe harbor that insulates “covered entities” from tort liability under Ohio state law if they “create, maintain, and comply with a written cybersecurity program” that “reasonably conforms” to one of the specified cybersecurity frameworks (including several NIST and ISO controls, and other relevant laws that may apply such as HIPAA, GLBA, and FISMA). 

Being the first of its kind, the law is, by definition, a precedent setter.  But how much of an impact will it have on its own?

In short, not much.  The scope of the law is limited to liability under Ohio law – and only tort law at that – in Ohio courts.  In other words, the law only creates a safe harbor against being sued for negligence or some other form of tort malfeasance in Ohio.

Despite all this naysaying, this law should be good news at least for covered companies already operating in Ohio, right?

Unfortunately, not as much as one may think.  In determining whether a company was negligent in a data breach, courts already look at that company’s compliance with industry standards. 

The new law doesn’t cut out any steps to asserting such compliance as a defense to negligence.  It still forces companies to go to court and litigate whether they were compliant with the named industry standards and thus eligible for the safe harbor – which is very likely what they would have done regardless of the new law.

Granted, the law does insure against Ohio courts increasing their expectations, such that compliance with industry standards is no longer enough, but the likelihood of that happening in the foreseeable future is dubious at best.

The law, then, doesn’t make a lot of immediate waves in the cybersecurity legal landscape.  That may change if other states – or more importantly, the federal government – enact similar laws, in which case, Ohio would be the trendsetter for a potential new nationwide standard.

Given that the law only took effect this past November, it remains to be seen how the law will actually play out, or whether it will have any impact whatsoever.

Each year on January 28th, the world celebrates Data Privacy Day (DPD), led by the National Cyber Security Alliance in North America. This international effort creates awareness about the importance of respecting privacy, safeguarding data, and enabling trust. The focus this year is on the value of information. Whether you look at data privacy from an individual point of view, or from the lens of the business that is collecting, using, and storing personal data, remember:

Personal Information is like money. Value it. Protect it.

Last year the focus on Data Privacy was on readiness for the EU General Data Protection Regulation and the implications that emerged following the social media testimony in Congress on data sharing. This year, the spotlight is on the new California Consumer Privacy Act. In each of these areas, there is an impact to vendor management that is driving a new era for third party risk governance.

If personal information is like money – then we need to treat that asset with the same level of value and protection if it is stored in our own privacy piggy bank, or in the locked vault of a vendor or service provider. Let’s put the numbers into perspective:

• 66% of U.S. consumers want companies to earn their trust by being more open and transparent with how their information is being used
• In a survey by Blue Fountain Media, web users surveyed that they overwhelmingly objected to how their information is being shared with and used by third-party vendors. 90% of those polled were very concerned with internet privacy.
• A PwC survey found that only 52% of U.S. companies that will need to comply with the CCPA expect to be compliant by January 2020.

The Shared Assessments Program Vendor Risk Management Maturity Model was updated for release in 2019 to include the heightened expectations driven by new privacy regulations, high profile data breaches and updated external audit standards. The 2018 Shared Assessments Program and Protiviti Vendor Risk Management Benchmark study used the expanded maturity model. Early highlights of the 2018 were shared with Shared Assessments Program Members this past month. In the latest Shared Assessments Program and Protiviti Vendor Risk Management Benchmark study 55% of organizations surveyed indicated they were likely to “de-risk” or move away from high risk third-party relationships in the next 12 months, up 2% from the previous year. Further, considering all six privacy related measures in the survey, fully 43% of those surveyed had either fully functional or advanced privacy practices in place, the second highest result of any focus area in the survey. 22% of respondents reported they had only ad-hoc privacy practices in place and 9% had no active privacy efforts.

Both GDPR and CCPA drive the need for enhanced data governance strategies, including data flows, data maps and data inventories. Whether the data is stored locally or at a third- party service provider, the data must be protected. International Privacy regulations will continue to advance triggering the need to continually assess the effectiveness of each third party risk governance program for new privacy requirements.

Key steps in building your third-party risk roadmap for privacy protection:

• Update vendor classification, scoping, and inventories for third party relationships
• Enhance contract provisions for the protection and usage of data
• Maintain a data inventory to manage and process data access requests
• Broaden due diligence processes for assessing and identifying corrective actions of third parties
• Deploy effective ongoing monitoring of vendor relationships
• Maintain documentation of processing of the personal data
• Understand data transfers and authorizations at both third and fourth parties

While the numbers seem daunting, given the pace of technology and complexity of third-party relationships, there are action steps service provider organizations can take to mature their internal processes for third party risk governance.

3 Action Steps to take in 2019:

1. Develop a Roadmap for maturing your third-party risk governance program: Benchmark your organization’s third-party risk governance program by downloading and using the 2019 version of the Shared Assessments Program Vendor Risk Management Maturity Model
2. Expand data governance tracking tools to protect personal data: Download the Free privacy templates in the Shared Assessments GDPR tools. The Target Data Tracker template can enable your organization to document the tracking of target data by third and fourth parties to address the broader third party and data transfer obligations driven by privacy regulations.
3. Enhance your Training and Awareness Program: Leverage the free resources for data privacy at https://staysafeonline.org/resources/

In today’s market landscape, all organizations utilize third party relationships to run and operate their business. Ensuring that the right privacy protections are in place in your third-party risk governance program demonstrates your commitment to treat your client’s privacy data as your own.
Protecting data in your Privacy Piggy Bank is important not just on Data Privacy Day, but every day!

Personal Information is like money. Value it. Protect it.

#PrivacyAware

Linnea Solem is Founder and CEO, Solem Risk Partners, LLC, a management consulting and advisory services company focused on Third Party Risk Governance, Privacy Program Management, and Enterprise Risk Management. Linnea serves on the Shared Assessments Advisory Board.

Shared Assessments has released its updated 2019 Third Party Risk Management Toolkit which serves organizations for vendor risk management, regardless of size and industry. The Toolkit elements help both outsourcers and providers to meet regulatory, consumer and business scrutiny within the constantly evolving landscape of cyber and other security threats and vulnerabilities.

Shared Assessment keeps a close eye on emerging regulations, guidelines and standards for a wide range of industries, such as: NIST 800-53r4, NIST CSF 1.1, FFIEC CAT Tool and PCI 3.2.1. That knowledge is used to update the new Toolkit, which embodies multiple Tools for a comprehensive “trust, but verify” approach for conducting third party risk management assessments, using a substantiation-based, standardized, efficient methodology.

The 2019 Third Party Risk Management Toolkit includes:

• 2019 Standardized Information Gathering (SIG) Questionnaire Tools
• 2019 Standardized Control Assessment (SCA) Procedure Tools
• 2019 Vendor Risk Management Maturity Model (VRMMM) Benchmark Tools
• 2019 General Data Protection Regulation (GDPR) Privacy Tools

Changes to the Toolkit were determined by the collective intelligence of our membership, bringing a diversity of views from;

• Outsourcers, service providers, licensees, assessment firms and regulators.
• Organizations from start-ups to large, global corporations.
• Industries such as Financial, Insurance, Consumer Packaged Goods, Services, IT and Healthcare.
• Subject experts in cybersecurity, privacy, supply chain risk, compliance, regulation, enterprise risk management and third party risk.

The updates for 2019 are a response not only to the changing regulatory and risk landscape, but to our hundreds of members and tool purchasers looking to perform vendor risk assessments that provide assurance but are also efficient and fast. The 2019 Toolkit was built to allow that standardize excellence in content but also to make assessments easier to create, customize and manage. The Toolkit is also built to work together to follow the typical process a third party risk practitioner would use to implement their program.

2019 Standardized Information Gathering (SIG) Questionnaire Tools

The 2019 SIG has undergone a major functionality and content reorganization. The SIG now functions as a questionnaire management tool that allows you to build, customize, analyze and store questionnaires.

• Architecture – Questionnaires are now created from within the SIG Management Tool. Along with streamlined code, this makes the 2019 SIG size smaller, enabling questionnaires to be created more quickly. You can now create a SIG with questions all on one tab, or with a tab for each risk domain.
• Content Library – There is no longer a “Full” SIG, but rather a database of member-vetted questions called the Content Library. The Content Library includes the SIG Core and the SIG Lite questions, but also houses industry-specific questions. You can even add custom questions to be treated and scored as any other included question.
• Custom Scoping – Custom Scoping allows you to create the questionnaires you need without losing the benefits of standardizations by drawing from the Content Library. You now have three ways to edit a questionnaire – by control domain, by external requirement or by control category and subcategory.
• Saved Questionnaires – A SIG questionnaire can now be saved as a template to be modified later, making it easy to create questionnaires for new vendors.
• SCA Integration and Scoping – the 2019 SIG is now integrated with the Standardized Control Assessment (SCA) Procedure Tools for onsite and virtual assessments. You can now take a completed SIG and automatically create a SCA.

Content updates to the 2019 SIG Tools include;

•  Privacy and Compliance Updates – Updated with relevant and current U.S. and international regulatory and privacy requirements including an update of GDPR-related content.
• Industry-Specific Content – Content Library additions including FDA content for Consumer Packaged Goods (CPG) and Life Sciences, Insurance industry-specific content and IoT (Internet of Things) content.
• Mapping – The following nine mappings to Authority Documents are now included within the body of the SIG and can be used for creating questionnaires.
  • FFIEC APPENDIX J – Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook – Appendix J: Strengthening the Resilience of Outsourced Technology Services, February 2015
  • FFIEC CAT Tool – FFIEC Cybersecurity Assessment Tool (CAT), May 2017
  • FFIEC MANAGEMENT HANDBOOK – FFIEC IT, IS & Outsourcing Examination Management Handbooks, November 2015
  • GDPR – EU General Data Protection Regulation (GDPR), April 2016 (Effective May 2018)
  • HIPAA – S. Department of Health and Human Services. Health Insurance Portability and Accountability Act (HIPAA) Simplification, March 2013
  • ISO 2700X – International Standards Organization (ISO) 27001/27002, 2013
  • NIST 800-53r4 – NIST 800-53r4 Security & Privacy Controls for Federal Information Systems and Organizations, January 2015
  • NIST CSF 1.1 – National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), April 2018
  • PCI 3.2.1 – Payment Card Industry (PCI) PCI DSS V.3.2.1, February 2018 –

2019 Standardized Control Assessment (SCA) Procedure Tools

The SCA Tools are a standardized set of assessment procedures. When combined with the scoping features of the SIG, the 2019 SCA is a quick and efficient way to assess service providers during onsite or virtual assessments.

Enhancements to the 2019 SCA include;

•  Updated Guidance Documentation – The main SCA document includes new reference material that helps users complete assessments faster and with better understanding about the controls being assessed.
• SCA Report Template – SCA reporting template is now in spreadsheet format, making it easier to document findings while onsite, copy and paste data and use on a mobile device.
• Executive Summary Template – A new Executive Summary Template is included that will assist in creating a lightweight summary report of the SCA findings for management without all the detail of the full report.
• SIG Integration and Automatic SCA Scoping – Using the SIG with its embedded SCA content, automatic customization is available to make SCA assessment procedures match just the SCA questions that were scoped and answered by the Assessee in a SIG.
• SCA Assessment Standards for Distributable Reports – Due to the requirements within the SCA Standards for distributable reports, the outsourcer can be assured that the procedures in an SCA will be performed consistently, regardless of which certified organization performs it.

• Content Updates
  • Privacy and Compliance Updates – Updated with relevant and current U.S. and international regulatory and privacy requirements including an update of GDPR-related content.
  • SIG Alignment- The SCA has been thoroughly reviewed and updated to align more closely with the SIG, using matching terminology and making it simpler to follow the “trust, but verify” model of third party risk management.
  • GDPR Privacy Tools Alignment- The GDPR Toolkit aligns completely with the SCA, ensuring SCA-based assessments address the most current privacy considerations.

2019 Vendor Risk Management Maturity Model (VRMMM) Benchmark Tools

The VRMMM, available since 2013, is the longest running third party risk maturity model, and has been vetted and refined by hundreds of the most experienced third party risk management professionals.

 2019 saw significant updates to the VRMMM content, including;

•  Privacy and Compliance Updates – Updated with relevant and current U.S. and international regulatory and privacy requirements including an update of GDPR-related content.
• Inclusion of recent guidance regarding Third Party Risk Management from:
  • The American Institute of Certified Public Accountants (AICPA) which sets guidelines for public auditing principles.
  • The Office of the Comptroller of Currency (OCC) which audits the safety and soundness of U.S. banks.
  • New York Department of Financial Services Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the state of New York (NYDFS 23 NYCRR 500), which is a cybersecurity regulation mandated for any financial services company doing business in the U.S. state of New York.
  • Privacy requirements including the European Union General Data Protection Regulation (GDPR).

The VRMMM is important to third party risk, and we made it free to members and non-members. It can be download here.

2019 GDPR Privacy Tools

The GDPR Privacy Tools help meet the requirements imposed on how Controllers (i.e., outsourcers) must appoint and monitor Data Processors (i.e., third parties/vendors) as a part of GDPR.

Enhancements to the 2019 GDPR Privacy Tools include;

• The GDPR Tool kit was originally released prior to the GDPR compliance deadline of May 25, 2018. The focus and narrative were on preparation for the upcoming deadline. Now that the deadline has passed, the leading practices incorporated in the tools have been updated based on the experiences of dozens of Shared Assessments member companies.
• The template tools were enhanced to better allow tracking of issues over time.

Download this free tool.

To learn more about the Toolkit updates, and to learn how the tools work together for a Third Party Risk Management Program, you can;

• View a short demo of the 2019 SIG Questionnaire Tools changes.
• View a short demo of how the Toolkit works together.
• Attend a Live Demo