What You Don’t Know Can Hurt You: The Risks of Third Parties

It’s a fundamental principle of both privacy and security that you must know what data you have, where it is – both at rest and in transit – and what you’re doing with it. Without a complete knowledge of these three things, you cannot truly say that you’re protecting the data in your care. These are the basics upon which you construct your privacy and security programs, and they’re the basis of your agreements with your customers.

It’s 2021, so let’s assume that you have solid privacy and security programs, and you’ve done inventories and looked at data flows. And because privacy is important now, you’ve made sure what you do with the data is consistent with what you’ve told customers you’re doing with it. You are generally squared away with respect to the things your company and its major vendors are doing. You’ve done risk assessments, and you have appropriate measures in place to protect your data from a range of threats. That’s great; you’re doing well.

However, you probably still have a gap: third parties that have a presence on your website. Almost every site has them; they provide a variety of useful services, from page usage data to personalized news feeds to payment pages. They’re critical web infrastructure. You may feel that the risks associated with third-party apps are relatively small, but they’re real, they’re becoming more and more of an issue, and you need to know about them and be sure you have them under control. Even if you have a handle on them, chances are you need to fill in some parts of the picture.

Privacy Issues

The fundamental privacy problem with third parties you don’t know about is that your customers don’t know about them either. From a relationship perspective, that can lead to unpleasant surprises if other organizations suddenly seem to know what they were looking for on your site. If you’re dealing with sensitive topics (if you’re a health site, do you want Facebook knowing your users have looked at a page on getting help with substance addiction?), it’s obviously pretty serious. And tags and cookies do exist on health reference sites, for example.

It’s even worse if you’re regulated under a jurisdiction where you’re required to notify site users about cookies and uses of their data, for example if you’re dealing with users within the EEA (GDPR) or in California (CCPA, soon CPRA). If you don’t know something is happening, you can’t notify your users, so you may be out of compliance. Since some of these transfers of data are treated as selling personal information under CCPA/CPRA, or as engaging in automated behavioral profiling under GDPR, it is especially important for you to know they are happening, as they may trigger additional obligations. And these third parties may not be invisible to your users, either, since there are now public domain tools that will show them at least some of the third-party presence.

Security Issues

From a security perspective, anything that’s happening on your website that you don’t know about is a source of risk. It’s even worse when those activities become a route for attackers to invade your environment. And they can – third parties with a presence on your site may themselves be vulnerable to attacks in ways you would not be, and the fact that they’ve been compromised is often invisible to you. One example is Magecart, a group of cybercriminals who steal payment card information from people using online payment pages. They do this by compromising third-party code present on the payment page – and there is usually code from many third parties present – either directly or via supply-chain attacks. In other words, it may not even be a third party you know about that gets compromised; it may be one or more levels farther back. This means that you can’t rely on even trusted third parties to warn you, as they themselves may not know until it is too late.
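The first step toward closing the gap described in both the privacy and security sections is simply knowing which third-party hosts a page pulls code and content from, and which of those scripts load without any integrity check. The following is an added example, not Lokker’s tooling or the author’s code: it parses a page’s HTML with Python’s standard-library parser, lists every script, frame, image and stylesheet source that is not served from the page’s own host, and flags third-party scripts that lack a Subresource Integrity (`integrity`) attribute. The HTML and all host names in it are constructed for the example.

```python
"""Static inventory of third-party resources in a page's HTML.

Added illustration only; the sample page and every host in it are
constructed for this example and do not refer to real services.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for a site served from www.example.com.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-analytics.com/tag.js"></script>
<script src="https://cdn.example-cdn.net/lib.js"
        integrity="sha384-CONSTRUCTED-PLACEHOLDER" crossorigin="anonymous"></script>
<link rel="stylesheet" href="https://fonts.example.org/style.css">
</head><body>
<iframe src="https://pay.example-psp.com/checkout"></iframe>
<img src="https://pixel.example-ads.com/p.gif?uid=123">
<script src="//cdn.example-analytics.com/extra.js"></script>
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collects (tag, url, integrity) for elements that fetch remote resources."""

    # Element -> attribute that carries the resource URL.
    TAGS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.TAGS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)  # parser already lower-cases attribute names
        url = attrs.get(attr_name)
        if url:
            self.resources.append(
                {"tag": tag, "url": url, "integrity": attrs.get("integrity")}
            )


def host_of(url, page_host):
    """Host a URL resolves to; relative paths resolve to the page's own host.

    Protocol-relative URLs ("//host/path") are common in tag snippets, so the
    default scheme makes urlparse treat them as absolute."""
    parsed = urlparse(url, scheme="https")
    return (parsed.netloc or page_host).lower()


def third_party_resources(html, page_host):
    """All fetched resources whose host differs from the page's host."""
    collector = ResourceCollector()
    collector.feed(html)
    page_host = page_host.lower()
    found = []
    for res in collector.resources:
        host = host_of(res["url"], page_host)
        if host != page_host:
            found.append({**res, "host": host})
    return found


def third_party_hosts(html, page_host):
    """Sorted, de-duplicated list of third-party hosts the page contacts."""
    return sorted({r["host"] for r in third_party_resources(html, page_host)})


def scripts_without_sri(html, page_host):
    """Third-party scripts that run in your origin with no integrity pin."""
    return [
        r["url"]
        for r in third_party_resources(html, page_host)
        if r["tag"] == "script" and not r["integrity"]
    ]


if __name__ == "__main__":
    for host in third_party_hosts(SAMPLE_HTML, "www.example.com"):
        print("third-party host:", host)
    for url in scripts_without_sri(SAMPLE_HTML, "www.example.com"):
        print("script without SRI:", url)
```

Two caveats matter in practice. A static parse only sees what is in the initial HTML; a tag manager or any of these scripts can inject further third parties at runtime, which is why the chain has to be traced in the live page and re-checked over time rather than once. And SRI only protects assets whose content is fixed; vendors that change their script in place cannot be pinned that way, so a Content-Security-Policy that limits which hosts may serve scripts and frames is the complementary control for them.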

Business Consequences

Obviously, if privacy or security problems on your site lead to a publicized incident – especially likely if you’re under a regulation with mandatory reporting, or if the incident is big – you can suffer financial damage in terms of remediation, possibly credit protection for affected customers, and lost revenue. You can also suffer brand damage, as customers flee your site to one which hasn’t yet been hit by a breach. Less dramatically, even when some kinds of tags and cookies are working well, they can lead to other sites getting to advertise products to people who viewed those products on your site, thus stealing your customers away.

Lokker’s Technology Helps You See and Protect

Our data controlling technology offers a range of products designed to provide clarity, insights, and practical fixes to completely control third-party browser interaction points. Our products will show you what third parties are accessing your users’ data, where they are taking it, and who they are sharing it with. We can go down multiple layers, tracing the chain, which may reveal some surprises. In and of itself, that will give you knowledge about your environment you don’t have today. But we go beyond that: our Privacy Inspection Reports assess threats, help you prioritize actions, and provide you the tools you need to fix problems with specific third parties or across the board. We walk you through the action steps so you can fix your site. Not all third parties are bad, and you can selectively decide which will receive information and which will not.

And we understand that the web environment is dynamic. The landscape continually changes. A third party which is safe and trusted today could be compromised next week, or tomorrow. Worse yet, some attackers are smart, and only act intermittently, making them harder to spot. Some even learn to hide from regular scans. This is why Lokker will watch your environment continuously, alerting you to changes in third-party apps and data flows which may indicate a problem.

Lokker delivers what you need to fully understand and control your environment, and to protect your customers.

Author:
J.D., CISSP, CIPM, CIPP/E, FIP. Expertise in law, technology, information security, data privacy, healthcare analytics, and healthcare. Develops privacy and security programs; collaborates across the company to deliver creative solutions while ensuring the privacy and security of data. Passionate about creating a culture where all employees understand the importance of handling data correctly, recognize and speak up about potential issues, and are actively engaged in the process. Experience with Privacy Regulations (HIPAA, GDPR, CCPA etc.), Formal Certifications (ISO, SOC, HITECH, EHNAC), and De-Identification of Data.