Third Parties in Data Breaches

by Doug Pollack

The VA this week announced that they will pay up to $20 million to veterans whose personal information was exposed in 2006 when a laptop was lost by an employee of Unisys, a government contractor that was handling claims processing for them.

USA Today reported that while the laptop was later recovered, it had personal information such as social security numbers for over 26 million veterans and active duty troops. This exemplifies a growing trend in data breaches in that almost half of the data breaches reported in 2008 were caused by so-called “3rd parties”, outside information agencies, facilities, integrators and consultants who are entrusted with personal data from their corporate and government clients.

Given this trend, organizations must look harder at how they certify and validate the security and privacy policies of 3rd parties to whom they entrust information on their customers, patients and constituents.