With all the advice we see these days about hardening security, this might be a good time to remember the importance of both having stringent security standards written into any contractor agreements and actually monitoring compliance with any contracts or policies. A recent breach reported by Vonage serves as a useful example.
On December 23, Vonage notified the New Hampshire Attorney General that it had recently discovered that an employee of an unnamed telesales contractor had violated Vonage’s policy of not recording sensitive customer data outside of its own computer system. The agent was recording contact data, including credit card number, CCV, or bank account number and routing information, on Google Notebook.
Vonage got the information removed from Google Notebook, but in response to the incident:
Vonage has required that all of its third party vendors that handle credit card data provide Vonage with a description of their methodology for detecting data leaks. In addition, Vonage has required that third party vendors, with sales or support agents serving Vonage, block access to a number of web sites including Google Notebook.
That’s a good start, and kudos to Vonage for catching the breach and trying to address it in a proactive way, but of course, that is just one piece of a more comprehensive security approach. Hopefully, more entities will take a closer look at what they are requiring from vendors in the way of security and what they are requiring of the vendors and themselves in terms of monitoring.