A study by Ponemon Institute found the percentage of US and UK companies that faced a data breach because of a vendor or third party is growing. In the US alone, 61% of surveyed respondents confirmed that their organisation had experienced a data breach caused by a third party, which is up 5% from last year and 12% from 2016.
Ponemon Institute’s research also found that 22% of surveyed respondents admitted they did not know if they had a third party data breach during the past 12 months and more than three quarter of companies thought third-party cyber security breaches were increasing.
These research findings suggest to us that businesses must do more to guard against third party data breach risks. This may involve:
- conducting due diligence on third party vendors to assess their security and privacy practices as part of a procurement process and throughout the ongoing vendor relationship;
- including robust privacy and data security clauses in contracts with third parties, including the requirement that the third party notify you of actual and suspected data breaches; and
- keeping a register of all third party vendors your business engages and the types of personal, sensitive of confidential information the third party vendors accesses, stores or shares on behalf of your business.
The third party landscape is becoming increasingly complex and businesses need to better manage and understand what exactly their vendors are up to and doing to protect their data.
Copyright 2025 K & L Gates