The Weakest Link in Internet Privacy: Security and Compliance Risks in Third-Party Vendor Data Handling

Abstract

The new internet economy relies on third-party sellers, such as cloud computing service providers, SaaS and services, payment processing services, and marketing services. On the one hand, such sellers make scaling and innovativeness possible, and, on the other hand, such sellers endanger the safety of personal data and the sanctity of the law. This paper discusses the vulnerabilities inherent to vendor ecosystems using case studies of the Target and SolarWinds breaches to provide examples of the weaknesses present in systems. It also talks about the regulatory frameworks such as GDPR, CCPA, HIPAA, and PCI DSS, and outlines the impediments to implementation and lapses in responsibility. This empirical study proposal of the best internet company practices on vendor risk is provided to contribute to benchmarking in this under-researched field. Lastly, there are technical safeguards, organizational measures and policy recommendations, and finally a call to a global Vendor Privacy Assurance Standard. The results show that vendors are the least strong link in privacy protection, and that there is a need for concerted efforts across the industry, regulators, and academia.