
Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for March 3, 2023. Each week, we look at the most recent events and trends related to data security and privacy. This week, we focus on third-party data breaches and their impact on businesses. We will start the conversation by turning to a time-worn phrase (or a Nat King Cole song if you prefer) to discuss the spike in supply chain attacks. Here’s where the phrase (or song title) comes in: “Chances Are…” you do business with a vendor who has had a data breach, but did they tell you?

Less Information Included in Data Breach Notices

We have discussed how fewer companies include actionable information in data breach notices unless they are required to do so by state law. That’s if they issue a data breach notice at all. Sixty-six (66) percent of all data breach notices in 2022 did not include details of the attack and the number of victims impacted.

Supply Chain Attacks on the Rise

This comes at a time when the number of third-party data breaches is increasing. It means more businesses are having their data compromised – but not by a direct attack. Instead, cybercriminals are attacking single entities in a supply chain to gain access to the data of multiple organizations.

The number of supply chain attacks tracked by the ITRC so far in 2023 is already 40 percent of 2022’s total after just two months. If you are an average-sized business, what are the chances you do business with a third-party vendor who has had a data breach?

New Report Shows Most Firms Impacted by Third-Party Data Breach

It’s a virtual certainty, based on a survey of 230,000 organizations worldwide. The Cyentia Institute found that 98 percent of firms had at least one third-party vendor that suffered a data breach. When you look at fourth-party relationships – your vendors’ vendors – the number jumps to 200 organizations that have had a data compromise and have a relationship to your average company.

Will You Be Informed of a Third-Party Data Breach?

Whether you are informed depends on how good your lawyers were when they wrote your service agreements or the state where your business is located. If you have a clause that requires you to be notified of a breach at a vendor or a vendor’s vendor, you may be covered. However, most state laws do not require businesses to be alerted when their information is compromised in a third-party data breach. 

Why is this important? The current trend of states passing comprehensive privacy laws like California’s often means businesses governed by a new law must certify they have good cyber protection. So must their vendors, which, based on the latest research, may not have such protection.

ITRC Breach Alert for Business Coming Soon

Later this month, the ITRC will launch a beta test of a new service for businesses that want to ensure they receive a notice when a data breach is entered into the ITRC’s data compromise database. Stay tuned for more details.

Contact the ITRC

If you want to know more about how to protect your personal information, or if you think you have been the victim of an identity crime, you can speak with an expert ITRC advisor on the phone, chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

We’ve posted a lot of great podcast content in the past few weeks, from our 2022 Annual Data Breach Report to five podcasts and a webinar produced in cooperation with the Federal Trade Commission for Identity Theft Awareness Week. Give them a listen. We will be back next week with another episode of the Weekly Breach Breakdown.