A new Ponemon study emphasizes the risk of third party vendors which have access to company data. According to the survey “Data Risk in the Third Party Ecosystem,” companies are concerned about their third party vendors, but more than 1/3 of the companies surveyed do not believe that the vendor will notify them if a data breach occurred.

The study showed that companies have difficulty with managing their third party vendors, and even more challenges exist when trying to manage fourth-party vendors (and so-on) which may have access to their data through the vendor, and might not even be on the company’s radar.

Although it is common practice to include data privacy and security measures in third-party contracts to ensure vendors have appropriate security measures in place to protect company data, it is more difficult to evaluate how the vendor is protecting the data from unauthorized access, use and disclosure by its vendors and if it has appropriate contractual measures in place with the down-stream vendors.

The Ponemon survey concludes that 73% of companies do not believe that a fourth-nth° vendor will notify them of an unauthorized access, use, or disclosure of company data.

Vendor management, including downstream vendors to the nth degree, is essential to risk management and the protection of company data.  Companies may wish to review the Ponemon study and consider making vendor management a high priority in their risk management program.