GLBA Safeguards: Third-Party Risks
With limited internal resources, many organizations are moving away from supporting and managing various services and applications themselves, and we have seen an increasing reliance on third-party service providers. Outsourcing to vendors can shift many of the required security controls to the third-party, but organizations still own the overall compliance responsibility. It is not as simple as finding a vendor that can provide the services you are looking for. It is now more important than ever for organizations to ensure all service providers are properly vetted, the appropriate contracts and agreements are in place, and the relationships are monitored and assessed on an ongoing basis.
With regard to the Gramm-Leach-Bliley Act (GLBA), any financial institution disclosing non-public information to a third-party acting as a service provider must enter into a contractual agreement with the third-party that prohibits the vendor from disclosing or using the information other than to carry out the purposes for which the institution disclosed the information.
GLBA requires organizations to take reasonable steps to select and retain service providers who have implemented and are maintaining appropriate safeguards for covered data. While using third parties may alleviate some GLBA scope and requirements for the institution, you are now formally responsible for monitoring and verifying that vendor’s compliance. Depending on the third-party’s role, there are also additional requirements, for example, if the third-party provides any of the financial aid services, such as disbursement, they are also defined as a third-party servicer and may require reporting to the DOE.
Many colleges and universities use service providers for collections, payment plans, and loan processing. As discussed above, it is a requirement that any third-party that is given access to customer information provide adequate safeguards. Departments should work with the campus GLBA Committee or coordinator to ensure due diligence during service provider selection, and ensure required contract language is in place that defines confidential information, how it can be accessed, how it is protected, how it is destroyed, etc., as well as all liability/responsibilities in the event of a breach. Ensure that both technology and process constraints are included. You may even want to have vendors agree to and comply with your organizational policies for things like employee training and personnel security (refer to related article here).
When possible, work with your procurement and security teams to help flag any contracts that mention processing of any financial data, student information, personally identifiable information, etc. so the GLBA Committee can be involved in the early stages of the review process. On an ongoing basis, your organization should also conduct routine audits to monitor service provider compliance and verify they are maintaining proper safeguards. The organization should also consider how other third-party platforms like web conferencing tools, file-sharing, etc. might be utilized for sharing student or financial information so you can assess whether these applications have the appropriate safeguards in place for this use.
The FTC can and does hold organizations accountable for their third-party relationships. Just last year, the FTC announced a proposed settlement with Ascension Data and Analytics, a Texas-based mortgage industry data analytics company, to resolve allegations that Ascension violated the GLBA Safeguards Rule by failing to develop, implement, and maintain a comprehensive information security program, and failing to ensure that one of its vendors was adequately securing the personal information of mortgage holders. The vendor was hired to process tens of thousands of mortgage documents that contained personal information of more than 60,000 consumers. The vendor stored the documents on a cloud-based server without adequate security measures, and the sensitive information was accessible by unauthorized individuals for almost a full year. It was discovered that Ascension failed to review the vendor’s security practices before providing access to their customer information. Having a third-party management program in place to properly vet all vendors with access to sensitive data could have prevented this loss of data (and the subsequent settlement!).
In a recent global study, it was revealed that 92% of US organizations surveyed had experienced a cybersecurity data breach caused by a third party. And, unfortunately, only one-third of those organizations even have an inventory of the vendors with whom they are sharing sensitive data.
In 2020, several universities were victims of data compromise when a third-party they used for collecting college applications experienced a data breach. Even though the schools were not at fault for the compromise, they still remained responsible for the data they collected or shared with the third-party. A breach occurring at a third-party vendor can have a significant impact on your organization as it is your organization’s customers, name, and reputation that is on the line. Be sure your staff understand that any new vendors must be reviewed and approved by the appropriate authority. It is also important to ensure your incident response plan incorporates how your institution will respond in the event one of your third-party vendors experiences a breach, so you are prepared to take action quickly.
Reach out to your dedicated Customer Advocate Team if you would like a copy of our GLBA service provider contract language template, have questions about an existing vendor, or would like some help reviewing the security posture of a prospective vendor.
Some additional guidance from the CampusGuard Security Advisor Team:
[King]: Managing third party service providers comes down to who you trust with your data and why. We often see vendors chosen simply because the solution is in place at another institution and with the assumption that proper vetting was completed. But the use of solutions and security programs vary between institutions, and one size does not fit all. Each institution must perform due diligence on each third-party agreement to manage risks for their own environments. Whether your institution is considering a new agreement or reviewing current agreements, your CampusGuard support team is ready to assist you in determining and managing risk in third party engagements.