Third-Party Security Risks Cause Problems for the VA

Theft is still a major cause of data breaches. Mobile devices, especially laptops, are the main culprits. Tens of thousands of laptops are stolen each year. Often these have sensitive data that require public disclosure as a data breach.

The Veterans' Administration (VA) knows about stolen laptops. A Web search of "VA stolen laptops" takes me to articles as old as 2006. In response to that 2006 theft, Susan Hall reported last year that:

the VA agreed to a $20 million settlement with veterans whose identities were compromised in the theft of a laptop loaded with Social Security numbers and other sensitive data.

The VA tried to put security measures in place, including mandating that all VA-issued laptops are encrypted.

However, not everything works the way you plan. InformationWeek reported the theft of an unencrypted laptop that had personal information, including Social Security numbers, of over 600 veterans. This computer belonged to a contractor who had access to sensitive data.

Working with contractors and other third-party vendors has created a huge security hole for many companies. Too many companies don't have security-related requirements in place when a contractor is hired, a problem that faces the VA, according to the article written by J. Nicholas Hoover:

A seven-month cybersecurity review undertaken last year at the behest of VA secretary Eric Shinseki found that more than 28% of the VA's vendor contracts were missing required clauses about information security, and contractors on 578 contracts actually refused to sign the clauses.

This latest VA theft reinforces the need for enterprises to protect themselves from security flaws from third-party vendors. I had the opportunity to speak with several security officers on the topic recently, and they agreed on the following points:

• Security departments should work closely with the business department hiring the contractors and with the legal department to make sure security-related language is written into all contracts before any agreements are made.
• A regular checklist or survey should be presented to potential third-party vendors during the negotiation stages. The checklist could include topics such as who will have access to sensitive company information or how often security software is upgraded.
• If there are any concerns about the security liability of a potential third-party vendor, or if the vendor refuses to participate in a security survey, take it as a red flag and move on.