With the recent AudienceView breach and ongoing investigation, CampusGuard has been working with several of our customers to determine the appropriate organizational response while awaiting further details from the vendor. AudienceView is not the first third-party service provider to experience a security incident, and it will definitely not be the last. With an increasing reliance on outsourced third-party applications and services, vendors have also become a more attractive target for cybercriminals due to the increased amount of hosted information now available to compromise.
Outsourcing to a third-party vendor can shift many of the required security and compliance controls away from your organization, but you will still own the overall compliance responsibility, and a third-party breach can still have a significant impact on your organization’s customers, name, and reputation.
Ensuring your incident response plan incorporates how your organization will respond in the event one of your third parties experiences a breach is important so you are prepared to take action quickly. Proposed response steps can vary according to your organizational structure, but below is the CampusGuard team’s general guidance.
Once you are notified of a potential breach or compromise involving your organization’s data or customers, initiate your Incident Response Plan (IRP). The next steps in the event of a third-party breach should include:
1. Consult legal counsel:
- Review the organization’s contract with the vendor, specifically review any language regarding data breaches, such as whether the vendor vs. your organization will notify impacted parties, whether the vendor will reimburse customers for credit card re-issuance, etc.
- Review institutional policies referencing data breach notification requirements.
- Confirm state breach reporting requirements.
- If payment card information is involved, review the organization’s merchant bank agreement (if applicable, depending on MID ownership) for breach notification requirements to the merchant bank. Review notification requirements from the major card brands accepted and notify accordingly.
2. Notify the risk management office and evaluate any involvement of cyber insurance.
3. Consult with the communications team for any notifications to be sent or messaging to be posted publicly/online. Any messaging will need to be reviewed by legal/consistent with policy, including any details on card replacement, ID theft protection or monitoring services, etc. as relevant.
The vendor may be responsible for sending notifications directly to the affected individuals. However, a public announcement from your organization to the campus community may still be recommended depending on the scope of the breach. This announcement should include:
- What happened (Organization was informed that a third-party vendor, [fill in the blank], has experienced a security breach with a specific product, service, etc.)
- Who may have been impacted (specifically individuals that purchased tickets after an identified date, attendees of a specific event, etc.)
- Steps the institution has taken (suspended online sales, set up alternative purchasing methods, etc.)
- What customers should do (if identified as an impacted individual, you will be receiving a communication directly from the vendor via email; recommend all customers review payment card transaction statements for any sign of fraudulent charges, contact banking institution regarding any suspicious transactions, etc.).
- Provide a contact email address or phone number for additional questions.
4. Decisions about whether to have a staffed hotline for questions, whether the university should notify the affected parties directly, whether the university should pay for upfront costs of card replacement, etc., will need to be determined by your organization’s response team and leadership.
5. Press the vendor for details regarding the breach, determine whether they can be confident that the threat has been mitigated, and confirm any identified timelines or details are accurate. Sign up for any alerts and verify the appropriate team members within your organization are receiving updated information immediately as it becomes available. Your organization should proactively address the situation and provide timely resources to your customers as much as possible.
It is now more important than ever for organizations to ensure all service providers are properly vetted and approved, the appropriate contracts and agreements are in place, and the relationships are monitored and assessed on an ongoing basis.
If you have been fortunate enough to not have to exercise your incident response plan in a real-world third-party incident yet, we encourage you to plan a simulated tabletop exercise and walk through a potential third-party breach to ensure all relevant stakeholders and response team members understand their role in this situation and are prepared to act quickly.
Please don’t hesitate to reach out to your dedicated CampusGuard team with additional questions or for assistance in drafting or practicing your incident response plan.