Why IT Governance Is Critical for Cybersecurity & Data Privacy Success
No business wants to hear that its cybersecurity procedures are insufficient. Unfortunately, as infrastructure and regulatory complexity grow, this is often the case. Most organizations treat IT security as a tactical, technology-driven end goal; few treat it as an ongoing process of governance and strategic initiatives. That disconnect hinders long-term progress towards a more secure working environment. Take the case of LabCorp, a biomedical company in the midst of a lawsuit over a data breach at one of its third-party vendors. The complaint attributes its legal exposure to subpar IT Governance practices, above all weak oversight of that vendor.
Learn Why IT Governance Is So Critical to Data Privacy, and What Other Businesses Can Learn from the LabCorp Case:
The LabCorp Suit
LabCorp, a biomedical firm headquartered in North Carolina, has recently drawn attention in a shareholder derivative suit over a breach of patient data held by a third-party vendor. As outlined in the suit, LabCorp's directors and officers "breached their duties of loyalty, care, and good faith" by failing to:
Implement and enforce a system of effective internal controls and procedures
Exercise their oversight duties by not monitoring the [Third-Party Vendor's] compliance with its own procedures and federal and state regulations
Ensure that the [Vendor], as well as its business associates, utilized proper cybersecurity safeguards
Have a sufficient incident response plan to immediately respond to data breaches
Consciously disregarding, delaying, and failing to ensure that the [Vendor] notified all potentially affected individuals and entities in a timely manner upon discovering the data breaches
Allowing the [Vendor] to violate state and federal laws and regulations
This is one of the first domestic suits filed against a company for a breach that occurred at a third party, although the obligations around data handled by third parties (controllers, processors and sub-processors) have long been spelled out in the European Union's GDPR. Rather than exploring the legal nuance of the case, I would like to examine the role of IT Governance in security and data privacy, and how a situation such as LabCorp's could have been avoided through strategic IT planning.
What Is IT Governance?
At its core, IT Governance is simple to describe. It is the operating manual for the delivery and management of technology in an organization. Governance encompasses the policies and procedures, the control points (how we confirm things are taken care of), and the checks and balances (how we verify that things are actually being completed). Lastly, your organization needs a way of measuring your security program's success. One published yardstick is the Department of Defense's Cybersecurity Maturity Model Certification (CMMC), which the DoD requires of its contractors; it can serve as a benchmark for your cybersecurity controls, governance efforts, and maturity even if you never sell to the government.
Both the CMMC and this understanding of IT Governance shed light on the LabCorp lawsuit. Ultimately, a third-party vendor did not meet responsible standards of data privacy. While "responsible" is open to interpretation, the vendor failed to meet existing security fundamentals: according to the complaint, it did not encrypt payment information, which PCI DSS requires (cut and dry, not open to interpretation) both in transit over open networks and when stored. IT Governance could have addressed this in two ways: vendor due diligence around technology and controls, and independent verification. Had LabCorp maintained a data flow map (a diagram of how data moves between systems, annotated with what each hop carries and how it is protected), the unencrypted hop at the vendor would have been visible from the outset. Secondly, the vendor's system should have been independently verified. For example, any website that processes payments should hold some form of PCI DSS attestation to indicate compliance (a self-assessment questionnaire is not ideal, but it is at least a signed statement of compliance that you can hold the vendor to). A practical check: ask the vendor for its current Attestation of Compliance, confirm the attested scope actually covers the systems in your data flow map, and record the expiry date so the request is repeated before it lapses.
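The following is an added example, not code from the original article or from LabCorp or its vendor, showing how a data flow map can be written down as data and checked mechanically instead of only drawn. The nodes, flows and owner names are a constructed, hypothetical payment flow; the rules encode the three points above (cardholder data encrypted in transit, encrypted at rest, and every external system that receives it covered by a PCI attestation). Function and field names are this example's own.

```python
"""Data flow map as code: a small model plus checks for the
controls the text describes. Everything below is constructed
for illustration and does not describe any real architecture."""
from dataclasses import dataclass, field

CARDHOLDER = "cardholder_data"   # payment card data (PAN etc.)
PHI = "phi"                      # protected health information


@dataclass(frozen=True)
class Node:
    name: str
    owner: str                   # "internal" or a vendor name
    encrypts_at_rest: bool       # stored data is encrypted
    pci_attested: bool           # current PCI DSS AOC/SAQ on file


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: frozenset              # data classes carried on this hop
    encrypted_in_transit: bool   # e.g. TLS on the wire


@dataclass
class DataFlowMap:
    nodes: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)

    def add_node(self, node):
        self.nodes[node.name] = node

    def add_flow(self, flow):
        self.flows.append(flow)


def receivers_of(dfm, classification):
    """Nodes that receive (and therefore hold) a given data class."""
    return sorted({f.dst for f in dfm.flows if classification in f.data})


def find_gaps(dfm):
    """Return a list of control gaps; an empty list means all checks pass."""
    gaps = []
    for f in dfm.flows:
        if not f.encrypted_in_transit and f.data & {CARDHOLDER, PHI}:
            kinds = ", ".join(sorted(f.data))
            gaps.append(f"unencrypted in transit: {f.src} -> {f.dst} ({kinds})")
    for name in receivers_of(dfm, CARDHOLDER):
        n = dfm.nodes[name]
        if not n.encrypts_at_rest:
            gaps.append(f"cardholder data stored unencrypted at {name}")
        if n.owner != "internal" and not n.pci_attested:
            gaps.append(f"no PCI attestation on file for {name} ({n.owner})")
    return gaps


def sample_map(vendor_fixed=False):
    """Constructed flow: patient pays an invoice on a collections
    vendor's page. With vendor_fixed=False the vendor has an
    unencrypted internal hop, an unencrypted database and no AOC."""
    dfm = DataFlowMap()
    dfm.add_node(Node("patient_browser", "patient", False, False))
    dfm.add_node(Node("lab_billing", "internal", True, True))
    dfm.add_node(Node("vendor_payment_page", "collections-vendor", True, vendor_fixed))
    dfm.add_node(Node("vendor_db", "collections-vendor", vendor_fixed, vendor_fixed))
    dfm.add_flow(Flow("lab_billing", "vendor_payment_page", frozenset({PHI}), True))
    dfm.add_flow(Flow("patient_browser", "vendor_payment_page",
                      frozenset({CARDHOLDER, PHI}), True))
    dfm.add_flow(Flow("vendor_payment_page", "vendor_db",
                      frozenset({CARDHOLDER, PHI}), vendor_fixed))
    return dfm


if __name__ == "__main__":
    for gap in find_gaps(sample_map()):
        print("GAP:", gap)
    print("after remediation:", find_gaps(sample_map(vendor_fixed=True)))
```

Running it against the constructed "before" map reports the unencrypted internal hop, the unencrypted database, and the missing attestation for both vendor systems; the same map with the vendor controls in place reports nothing. The point is that once the map is data, the due-diligence questions become a check that can be rerun every time a vendor or a flow changes, rather than a diagram that goes stale.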
The Importance of Third-Party Vendor Management
Both of these actions fall under governance and vendor management. Either LabCorp did not have these policies in place or it did not follow them, which is exactly why checks and balances exist. The complaint further alleges that LabCorp failed to report the breach in a timely fashion as required by federal and state law. Every state has a breach notification statute; many set a fixed window of 30, 45 or 60 days from discovery, while others require notice "without unreasonable delay", and for protected health information the HIPAA Breach Notification Rule adds a federal deadline of 60 days from discovery. As per the filing, LabCorp did not meet those obligations.
Backup, recovery, and incident response are also part of IT Governance. It is possible that LabCorp had strong IT Governance and Risk Management on paper but did not follow its own processes. The suit points to the audit committee's charter, which made it responsible for reviewing the vendor's cybersecurity and IT risks twice a year. That underscores the importance of measuring the efficacy of the policies and procedures actually in place, not just their existence. As mentioned above, a practical model for this is the CMMC. The original CMMC framework has 17 domains and five levels of maturity, from level one (performed / basic cyber hygiene) to level five (optimizing / advanced progressive); its later CMMC 2.0 revision reduced the model to three levels, but the idea of graded, assessed maturity is unchanged. The higher levels require that the program be documented, managed, and periodically reviewed and measured for effectiveness, which maps directly onto the semi-annual review the audit committee charter already called for. Had a model like this been applied to the vendor relationship, the gaps would have been identified and addressed before they were discovered by an attacker.
Key Takeaways for Businesses
All organizations, regardless of size, should invest in IT Governance.
Measuring your governance and cybersecurity programs is critical to their success.
Use a framework that fits your business, such as the NIST Cybersecurity Framework (CSF), NIST SP 800-171, or CMMC. Although the CMMC was designed for organizations that service the Department of Defense, it is a strong general framework that covers multiple domains, as the CSF does, while fostering ongoing maturity.
Ensure your third-party vendors are compliant, and verify it rather than taking it on trust. Set up a regular (for key vendors, monthly) meeting to discuss data privacy and security, and require evidence at a defined cadence: current attestations (PCI AOC, SOC 2 or equivalent), a data flow map showing where your data goes, and a tested incident response and notification process with deadlines that meet your own legal obligations.
For more information about implementing compliance frameworks such as CMMC and NIST, reach out to iCorps for a free IT consultation.