This might be true, anyway, as far as it relates to their own in-house systems. But not many will tell you whether the third parties they contract with have been subjected to the same rigorous information security process.
Take for instance the large insurance houses. They utilise panel beaters, glass repairers and loads of other service providers that might log onto their systems, or may have access to their systems for various reasons, be it invoicing, customer processing or call centre access.
The recent Target data breach (one of the biggest in recent history) is a prime example of what can go wrong when your third parties are not subjected to proper due diligence.
In a media article by ITWorld, the following was revealed:
A contractor for Target said Thursday it was also a victim of a cyberattack, supporting the retailer's (Target) claim that hackers gained entry to its network via a third party.
The contractor, Fazio Mechanical Services of Sharpsburg, Pennsylvania, issued a statement after the business was mentioned in several media reports as the possible weak link that allowed attackers to eventually steal 40 million payment card details.
"Like Target, we are a victim of a sophisticated cyberattack operation," according to a statement attributed to Fazio's president and owner, Ross E. Fazio.
The company specializes in designing and installing supermarket refrigeration systems, according to its website. A spokesman said Fazio provided refrigeration services to Target.
The company revealed it had a "data connection" with Target, which was used for submitting electronic bills, contracts and project management material.
Condition 7 of POPI clearly puts the onus on Responsible Parties (as defined in the Act).
It states that a responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures referred to in section 19.
The security measures referred to in section 19 of POPI are set out as follows:
A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent--
(a) loss of, damage to or unauthorised destruction of personal information; and
(b) unlawful access to or processing of personal information.
One of the first things we concentrate on when conducting POPI remediation is the identification of third party relationships.
We then subject such relationships to:
Proper due diligence;
Contractual clauses; and
Audit provision.
The biggest threats to the successful protection of personal information are:
Lack of awareness amongst employees;
Disgruntled employees; and
Third Parties.