How in-house counsel can help the business maintain data security in vendor relationships
As in-house counsel, the guidance you provide your client in selecting a third-party information technology (IT) or data services vendor is vital to the welfare of the business.
That’s because allowing third parties access to IT systems and personal information can render an organization’s privacy and information security compliance efforts ineffective if a vendor is deficient in those areas. Using third parties can also increase the risk of data breaches or other cyber incidents, potentially damaging operations, souring customer relations, or exposing the business to liability.
Therefore, general counsel (GC) must help their clients take specific oversight steps to ensure that vendors and service providers comply with applicable laws and regulations, as well as the business’ own standards and industry requirements.
Pre-engagement due diligence
Before the business you advise hires a vendor or service provider, you must help them consider the potential privacy and data security implications. Does the vendor have the right privacy and information security practices in place to reasonably protect your client? Determining this usually entails legal review and communication between technical or data security staff and affected business stakeholders.
The first step is to determine what types of services the vendor will be performing and how much access to IT systems or data — including personal data — it will require. Carefully review and weigh any risks with key stakeholders, including leadership and owners. You may wish to explore ways to lower risks by restricting the vendor’s exposure to highly sensitive data or systems unless that access is strictly necessary to meet specific business requirements.
Next, help your client examine the potential vendor’s policies, procedures, internal controls, and training materials and perform a review of the vendor’s privacy and data security history. This helps determine whether the vendor can manage changing data security risks and helps you and your client conduct necessary training and oversight. It will also provide insight into the vendor’s ability to comply with your client’s privacy and data security policies, as well as any relevant privacy-related laws, regulations, and industry standards.
Vendor assessment questionnaires
A good way to perform due diligence is by creating a privacy and data security vendor assessment questionnaire. The questionnaire should address both your client's unique business situation and needs and any applicable laws, regulations, and industry standards. This tool also helps compare vendors and supports vendor tracking.
Include questions like the following in your survey:
- How will the vendor deliver the services and which IT systems, data, and network design will it use?
- What are the vendor’s current information security and compliance policies and practices and what assurances do they offer?
- How does the vendor intend to comply with your client’s privacy and security practices?
- Has the vendor been involved in any privacy or data security incidents, data breaches, or related cyber risk remediation efforts? If so, what were the results?
- Has the vendor been subject to any privacy or data security-related litigation or regulatory enforcement actions?
Contract drafting strategies
As GC, it’s crucial that you create, negotiate, and help your client execute privacy and data security contract terms that protect them. These terms should ensure vendor privacy and data security practices meet or exceed the business’s own practices and comply with relevant laws, regulations, and industry standards. Vendors often press the businesses they perceive to have less choice or leverage into using their standard privacy and data security terms and conditions. Even if business realities lead you to use a vendor’s agreement, you should still develop client-specific contract terms and negotiating positions, to help ensure the vendor’s provisions reasonably align with your client's needs and that your client understands any risks or tradeoffs made.
Client-favorable contract provisions should:
- Require the vendor to comply with applicable laws, regulations, and standards, including any relevant international obligations.
- Require the vendor to meet a minimum standard of care for privacy and data security that matches your client’s risk tolerance, which may be more prescriptive than current applicable laws and standards.
- Require the vendor to mandate the same privacy and data security obligations for its subcontractors or other service providers and work to ensure their compliance.
- Prohibit the vendor from accessing systems and data for other than the prescribed purpose, unless authorized, and prohibit them from disclosing data to third parties unless explicitly authorized to do so.
- Require the vendor to dispose of — or at least properly secure — all copies of your client’s data upon termination of the agreement.
- Set tight timeframes, based on criticality levels, for identifying and addressing cyber vulnerabilities and risks, and for reporting security incidents such as data breaches.
- Define incident reporting and response requirements.
- Provide your client with the right to audit and assess the vendor’s data privacy and security practices.
- Address risk allocation if an incident occurs.
During vendor negotiations, some in-house counsel treat privacy and data security as secondary to getting good terms on business requirements and pricing; that can be a costly error.
Instead, you should negotiate privacy and data security terms at the same time you address other contract provisions. Leaving these discussions until the end may make you feel pressured to compromise on privacy or data security issues to close the deal.
By addressing privacy and data security issues up front, businesses can simplify compliance activities throughout their vendor relationships. One way to do this is to formalize the vendor selection process through a request for proposal (RFP). Using an RFP may encourage vendors to submit more comprehensive, detailed proposals. It’s also a good way to compare a range of vendors and assess their willingness to support industry standards and best practices.
Businesses can also partner with vendors for incident response planning. A security-aware vendor may have a plan in place that can integrate with your client's current plan. You should review this plan and can include contract terms that require the vendor to maintain its current incident response plan, notify your client of any material changes, and allow them to renegotiate or terminate the agreement if they object to the changes.
Remember to exercise caution when using vendor agreements and to draw on any publicly disclosed security incidents to address potential issues at the negotiation stage.
Oversight and review
Monitoring a vendor’s performance and ensuring contractual compliance on an ongoing basis helps minimize risks. Periodic reviews and assessments of vendor performance are important tools and should be part of the contract terms.
The method and timing for vendor reviews should align with your client's resources and capabilities and with each vendor’s risk level, which is determined by:
- The amount and sensitivity of the data the vendor is handling
- Whether the vendor is accessing the business’s IT systems
- Whether the vendor has experienced previous data privacy and security incidents
Review options include:
- Onsite visits and testing
- Vendor self-assessments
- Third-party audits, assessments, and certifications
In addition to protecting your client from undue risks, routine vendor oversight can help them demonstrate that they acted reasonably if a data breach or another type of security incident results in regulatory action or litigation.
You can further add value and help your client simplify privacy and data security oversight by suggesting they build flexibility into their oversight methods, for example by combining third-party audits or certifications with self-assessment questionnaires focused on the business’s specific requirements.
Regardless of which provisions and compliance methods you choose for the business, those provisions and methods must be thorough and formalized. Privacy and data security should be essential elements of the outsourcing process, not an afterthought.
This article was excerpted from information and resources contained in Managing Privacy and Data Security Risks in Vendor Relationships. The full practice note, one of more than 70,000 resources, is available with Thomson Reuters Practical Law.