Survey: Third Party Data Breaches Are Increasing, Many Companies Not Prepared

In November 2018, Ponemon Institute released a report on Data Risk in the Third Party Ecosystem based on a survey of 1,038 IT and IT security practitioners in the U.S. and UK. Their report focused on challenges companies face when sharing confidential or sensitive information with third parties, noting that companies are increasing the number of third parties with whom they share data, and that data breaches involving third parties are increasing year-over-year.

Ponemon found that “[i]n high performing organizations, third party governance is a priority with sufficient resources allocated,” but concluded that “[i]n many organizations, managing outsourced relationship risk is not a priority.” Among other things, the survey found the following:

  • 59% of respondents confirmed that their organizations had experienced a data breach caused by a third party.
  • Few companies (34%) maintain a comprehensive inventory of all third parties who receive the company’s sensitive and confidential information.
  • Only 35% of respondents rated their organization’s third party risk management program as highly effective, and only 39% indicated that they regularly report to the board of directors regarding the effectiveness of their program.
  • Only 42% of respondents said their organizations frequently assess third parties’ programs and policies to ensure they meet changing risks and regulations, and 54% said they do not monitor the privacy and security practices of their third party vendors.

TIP: As third parties increasingly handle company data, companies need to proactively implement strategies and protocols to manage this risk as part of their information security and trade secret protection plans.

This entry has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.