Maintaining Your Data Security in Vendor Relationships
Many organizations seek to lower costs and improve efficiencies by using third-party vendors to provide information technology (IT) and data-related services. Doing so, however, runs the risk of data breaches that could damage operations, sour customer relations, and expose the organization to liability. Remember: you cannot outsource accountability.
Allowing third parties access to your IT systems and personal information can render your organization’s own privacy and information security compliance initiatives ineffective if the vendor is deficient in those areas. Because of this, organizations must take specific oversight steps to ensure their vendors and service providers comply with all applicable laws and regulations, as well as with the organization’s own standards and relevant industry standards.
Pre-Engagement Due Diligence
Before hiring a vendor or service provider, run through all of the outsourcing’s potential implications for internal operations. This usually entails counsel’s review as well as extensive communication between data security staff and all applicable business or operations groups.
Determine what types of services your organization wants the vendor to perform and how much access to IT or data systems it will require. You may wish to explore ways to lower risks by minimizing exposure to any highly sensitive data or systems. If outsourcing means a third party will access a crucial database and its exposure could prove catastrophic for your organization, carefully review and weigh the risks with stakeholders, including executive leadership.
After assessing your internal risks, turn to the potential vendor. Examine its policies, procedures, internal controls, and training materials to determine whether it’s capable of adapting to constantly changing data security obligations. Make sure that it’s in compliance with all relevant privacy-related laws, regulations, and industry standards.
Vendor Assessment Questionnaires
One good way to accomplish this task is to create a privacy and data security vendor assessment questionnaire. Among the critical questions to ask are:
- How will the services be provided? How will the vendor deliver the proposed services: what IT systems, data, and network design will it use?
- What protections do these offer? What are the vendor’s current information security procedures?
- Will the vendor subcontract any services? If so, what are the subcontractor’s security procedures?
- How often, and to what extent, does the vendor perform risk assessments? Does it use automated tools for some aspects of risk assessments? Which tools, and how does it use them?
- What is the vendor’s incident response plan? If it’s had data breaches in the past, how effectively and how quickly did it respond?
- Has the vendor been subject to regulatory enforcement actions related to data privacy? Is it engaged in any litigation related to data privacy issues?
Contract Drafting Strategies
Exercise caution before signing vendor agreements. Vendors will often seek to minimize their risks by limiting their privacy and data security commitments and pushing liability back onto the organization. They will argue that they need to use their own privacy and data security terms and conditions.
Even if business circumstances dictate using a vendor’s terms, the contract provisions should at least:
- Require the vendor to comply with all applicable regulations and standards. For example, if you handle personal data of EU individuals, the GDPR imposes extensive obligations on organizations that transfer personal data to third parties, including a written contract with any processor (Article 28) that sets out the processor’s security and confidentiality duties.
- Require the vendor to meet a minimum standard of care for privacy and data security that matches your organization's risk tolerance, which could be more prescriptive than current applicable laws and standards.
- Require the vendor to dispose of, or at least properly secure, all its copies of organization-related data upon termination of the agreement, and to certify that it has done so.
- Require the vendor to mandate the same privacy and data security obligations for its subcontractors or other service providers and work to ensure their compliance.
- Set tight timeframes for identifying and addressing cyber vulnerabilities and risks, based on criticality levels, and for reporting security incidents, such as data breaches.
Some organizations, during vendor negotiations, will treat privacy and data security as being secondary to getting good terms on business requirements and pricing. That could be a costly error.
Instead, organizations should negotiate privacy and data security terms at the same time they address other contract provisions. If IT-related discussions are left until the end, organizations may feel pressure to compromise on these issues to close the deal.
By addressing data privacy issues up front, organizations can simplify compliance activities throughout their vendor relationships. One way to do this is to better formalize the vendor selection process. Create a request for proposal, for example. Using an RFP may encourage vendors to submit more comprehensive, detailed proposals. It’s also a way for organizations to compare a range of vendors and assess their willingness to support industry standards and best practices.
Oversight is not over when an organization signs an outsourcing contract. It's just starting! Monitoring a vendor’s risk potential on an ongoing basis is crucial. Conducting routine vendor oversight can help organizations demonstrate that they acted reasonably, if a data breach or another type of security incident results in regulatory action or litigation.
Periodic reviews and assessments of vendor performance are important tools. How these are accomplished should be set out in agreed-upon contract terms, including audit rights. Options include:
- Onsite visits and testing conducted directly by the organization or its representatives.
- Vendor self-assessments, subsequently verified by the organization.
- Third-party audits, assessments, and certifications.
Have a degree of flexibility in oversight methods. Customer-led audits often take up significant vendor resources, especially if the vendor serves a large customer base, as with cloud computing services. Service providers may be willing to accept a multi-tiered approach, such as combining third-party audits or certifications (for example, SOC 2 reports or ISO/IEC 27001 certification) with self-assessment questionnaires that focus on the organization’s specific requirements not addressed by those third-party reviews.
Organizations may also propose partnering with the vendor for incident response planning. For example, contract terms should require the vendor to maintain its current incident response plan, notify the organization of any material changes, and allow the organization to renegotiate or terminate the agreement if it objects to the changes.
Regardless of the provisions and compliance methods an organization ultimately chooses for its vendors, they must be thorough and formalized. Data protection and privacy should be essential, not an afterthought, in the outsourcing process.
This article was excerpted from information and resources contained in the practice note Managing Privacy and Data Security Risks in Vendor Relationships. The full practice note, one of more than 65,000 resources, is available with Thomson Reuters Practical Law.