< < | Third Party Services and Privacy Risk: Establishing a Framework for Mitigating Risk |
> > | LexisNexis Third-Party Data Sharing With ICE and Potential Human Rights Violations |
| |
|
< < | -- By AliJimenez - 11 Mar 2022 |
> > | -- By AliJimenez - 9 May 2022 |
| |
|
< < | The Need for Third Party Vendor Services |
> > | Third-Party Data Sharing & Implications |
| |
|
< < | Companies have increasingly relied upon vendors for services. A third-party vendor has been defined as “a person or company that provides services for another company (or that company’s customers).” These services range from cloud web hosting, cloud-based software solutions, equipment maintenance, and HVAC servicing to contractors, to name a few. Companies often seek to establish vendor relationships because the services are unavailable in-house, or because they are attempting to minimize costs. Yet the use of these services brings issues to individual and company privacy. |
> > | Companies have increasingly relied upon vendors for services. Third-party vendor use has been defined as a person or company that provides services for another company (or customer). These services range from assisting with cloud web hosting services, cloud-based software solutions, equipment maintenance, and contractors, to name a few. |
| |
|
< < | Privacy Concerns Within Third Party Vendor Services |
> > | Since third-party vendors are companies with written contracts to provide products to customers on behalf of an organization, they typically have access to sensitive data such as company, customer, and employee information. Even though companies consciously outsource their needs and data to third-party vendors, the privacy risk is considerable for the individuals whose data sits in those databases, because their data can land in hands they did not intend. Making matters worse, the law tends to protect the outsourcing of data provided by individuals. Thus, individuals must consciously check how their data is being used to ensure they give their information only in ways they deem acceptable. |
| |
|
< < | Third Party Vendors are Prone to Hacking |
> > | Background on LexisNexis Data Sharing Contract With ICE |
| |
|
< < | With the rise of outsourcing to third-party vendors, there has been an additional need to establish safe vendor relationships, because the choice to use vendors has led to significant cyber breaches. Essentially, while a company itself can establish high security standards and effective risk management policies, a vendor that does not have similar considerations can leave the company in a compromised position. Additionally, cybercrime has risen during the COVID-19 pandemic, and remote work has simultaneously left companies and vendors more at risk of cybersecurity threats. |
> > | On April 2nd, 2021, LexisNexis signed a $16.8 million contract to sell private data to U.S. Immigration and Customs Enforcement. While LexisNexis has been known to many in the legal profession as a legal research tool, this expansion of its role into data brokering for ICE meant that LexisNexis can provide the government with access to large amounts of personal data. |
| |
|
< < | Risk Extends Beyond the Primary Vendor |
> > | With the help of LexisNexis, ICE specifically uses the information provided to aggregate data and build profiles on individuals it deems acceptable targets for deportation. ICE compiles these profiles by stitching together criminal records, credit and employment history, utility bills, and license plate numbers, among many other data points. This has dire consequences for immigrant communities. |
| |
|
< < | Despite the fact that companies outsource their needs to third-party vendors and consciously make the decision to outsource their data, the scope of privacy risk is large because third-party vendors also use their own third-party vendors. Thus, organizations must understand how their data is being outsourced. Making matters worse, third-party risks are not limited to attacks on the vendors themselves. With the frequent use of cloud storage, companies are even more susceptible to privacy breaches and data exposures by their vendors. |
| |
|
< < | Risk Relating to Third Parties Retains with the Primary Company |
> > | The Legal History of Third-Party Data Sharing |
| |
|
< < | Despite the fact that companies outsource their needs to third-party vendors and consciously make the decision to outsource their data, the scope of privacy risk is large because third-party vendors also use their own third-party vendors. Thus, organizations must understand how their data is being outsourced. Making matters worse, third-party risks are not limited to attacks on the vendors themselves. With the frequent use of cloud storage, companies are even more susceptible to privacy breaches and data exposures by their vendors. |
> > | Precedent on privacy rights and data is outlined in Katz v. US. In this case, the Court held that the Fourth Amendment protects people, not places. Essentially, when a person knowingly exposes information to the public, that information is not subject to Fourth Amendment protections, but what a person seeks to preserve as private, even in an area accessible to the public, may still be constitutionally protected. The two-part test that came out of this case was that information would be constitutionally protected if, “first, that a person has exhibited an actual (subjective) expectation of privacy and, second, that the expectation is one that society is prepared to recognize as 'reasonable.'” This essentially set the stage for the privacy cases that followed. |
| |
|
< < |
These two sections are duplicates. The clear implication is that you didn't proofread at all.
|
> > | Looking forward, in United States v. Miller, the Court further expanded on this case law to provide the proposition that “the Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third-party will not be betrayed." |
| |
|
< < | Risk Relating to Third Parties Retains with the Primary Company |
> > | Thus, legally speaking, once third-party disclosure occurs, any fourth party who can evade that legislation is free to hand such information to the government. |
| |
|
< < | While data breaches are not always at the hands of the original organization, for customers these breaches will always be associated with the company they are doing business with. Thus, even if a breach is the result of a third-party service provider, the organization is seen as the source of that privacy concern. This also presents legal issues, since the organization itself often will have difficulty showing the steps it took in risk mitigation and will retain responsibility even if a third party handled its data. Thus, it is essential for organizations to set up strong cyber vendor management procedures, not only for their customers' safety but for their own.
Potential Solutions to Maintaining Privacy Amidst Third Party Vendor Use
As a result of all of these risks and implications, the Department of Financial Services issued guidance identifying several areas of heightened cybersecurity risk resulting from the COVID-19 crisis. Under the four-step gradually phased plan, companies must comply with stricter cybersecurity regulations. Applicable to mitigating vendor cyber risks, under the fourth phase of this plan, companies must maintain a third-party service provider policy. To do so, companies must certify implementation of a vendor diligence program that includes procedures to identify and assess vendor risks. |
| |
|
< < | Vendor Management Framework |
> > | Legality of LexisNexis’s Contract |
| |
|
< < | Identifying the Risk |
> > | Since ICE uses LexisNexis in immigration enforcement, the question naturally arises: is this a privacy violation? LexisNexis acquires information on immigrants from third-party digital intermediaries that transmit and store their information. LexisNexis then provides this information to ICE, a governmental agency. Thus, looking at the case law, it seems as if LexisNexis and ICE are acting within the bounds of privacy law. Once a third party provides this information to an additional company, that information can legally be provided to the government. |
| |
|
< < | To establish an effective framework, a company should identify the risks associated with engaging with its vendors and rank its vendors by risk levels.
To identify risk levels, the company must first identify vendors and potential vendors that will obtain access to its internal systems and its confidential data. Based on this information, the company should initiate the process to evaluate the level of risk involved in working with the vendor through the use of questionnaires. After administering questionnaires, companies should assess and rank vendors by the level of risk presented—low, medium, or high. |
> > | This is still concerning. This data sharing has implications for immigrant communities that are extremely harmful and even life-threatening. Thus, the question of how to correct this course of action remains. |
| |
|
< < | Implementing Controls |
> > | Potential Solutions to the Issue |
| |
|
< < | With established risk levels in place, the company should then consider implementing the necessary controls. These controls should be included in the cybersecurity vendor management policy and should be curated to mitigate the distinct risks posed by each risk level. Not all risk levels necessitate the same controls. For example, a vendor identified as high-risk because it requires customers' Social Security and payment information would need more stringent controls than a low-risk vendor that requires minimal amounts of personal information. Once controls are determined, companies must outline cybersecurity expectations through contractual provisions.
Outlining Contractual Provisions |
> > | While data breaches are not always at the hands of the original organization, for customers these breaches will always be associated with the company they are doing business with. Thus, even if a breach is the result of a third-party service provider, the organization is seen as the source of that privacy concern. This also presents legal issues, since the organization itself often will have difficulty showing the steps it took in risk mitigation and will retain responsibility even if a third party handled its data. Thus, it is essential for organizations to set up strong cyber vendor management procedures, not only for their customers' safety but for their own. |
| |
|
< < | If the company chooses to engage with medium and high-risk vendors, it is essential to implement adequate contractual provisions. Outlining clear cybersecurity expectations can ensure that a company has proper protections in place to mitigate risks involved with medium- and high-risk vendor relationships. To safeguard company interests, ensure your contractual provisions cover expectations such as: cyber standards, incident management controls, and risk mitigation procedures. |
> > | Potential Solutions to Maintaining Privacy Amidst Third Party Vendor Use |
| |
|
< < | Conclusion |
> > | Another means of correcting these privacy violations is declaring them human rights violations. According to regulations put forth by the United Nations Human Rights Council, all businesses have a responsibility to respect human rights, and LexisNexis is also held to these guidelines. The Guiding Principles on Business and Human Rights detail what companies must do to meet their international human rights responsibilities. |
| |
|
< < | As previously stated, cybersecurity threats are becoming more prominent. Preventing these threats entirely is impossible, but establishing an effective vendor management framework that takes a risk-based approach to vendor obligations can minimize these threats and potential breaches. |
> > | A business must evaluate how the actual or potential adverse human rights impact connects to the business. For example, suppose a business itself does not directly harm human rights, but an impact is linked to its operations, products, or services and caused by a party with which it has a business relationship. In that case, the business must use its leverage to mitigate the impact and, if unsuccessful, consider ending the relationship with the violating entity. |
| |
|
< < |
I don't understand why this draft seems so altogether at sea. It hasn't anything much to do with what we've discussed in the course, or with any particular legal or technical issue in our range. The language is blowsy, even if we leave aside the apparently unconscious repetition of an entire section. You could put the whole of this idea in one paragraph, with (I would hope) a link to the only document to which you (sort of) refer. |
> > | There is likely a means of correcting this significant privacy issue through human rights violations. The company is contributing to human rights violations against immigrant individuals within the US by subjecting their information to ICE through its data analysis technology. Since LexisNexis has not stopped or prevented its contribution, human rights remedies are likely in store. |
| |
|
< < | Perhaps we should talk about this at office hours?
|
|
You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. |