Authored by: K Royal, technology columnist for www.AccDocket.com, and director at TrustArc.

This article was published as part of ACC’s “This Week in Privacy” series, a new column for in-house counsel who need advice in the privacy and cybersecurity sectors.

Question:

Do I really have to share all of my policies to customers for their due diligence in vetting me as a vendor? I consider my policies to be confidential.

Answer:

In general, businesses have a legal duty to vet the vendors that fall in certain categories. This includes key suppliers for manufacturing or vendors that will handle any confidential personal information, such as protected health information under HIPAA (Health Insurance Portability and Accountability Act of 1996), sensitive personal data from Europe, student data under FERPA (Family Educational Rights and Privacy Act of 1974), and more.

One of the most basic ways to perform due diligence is to ensure that the vendor has the appropriate measures in place, such as policies. Many companies, however, do consider policies to be confidential.

A happy medium may be to write policies that are high-level and speak to the basics, then implement procedures, guides, playbooks, SOPs, or work instructions to execute on the policies. Those detailed documents may be kept confidential. However, the policies are sufficiently high-level to avoid providing confidential information, but satisfy the due diligence need. You may still need to provide some show of proof that the policies are actually followed, such as logs, dates of training, and more. It’s not a perfect solution, but may help alleviate some burden on both sides.

Another route is to certify or be audited based on policies and practices, such as ISO certification or a SOC2 audit (Service Organization Controls). But no certification or audit processes will be perfectly aligned with what all customers believe they need to see. There should be a standard vetting service, but the ones currently available are not widely adopted.

So yes, potential vendors often spend hundreds of hours in personnel time and effort to answer security questionnaires from every potential customer — taking valuable time and budget away from putting actual security practices in place.

For further reading, download ACC’s White Paper on “What Every GC Needs to Know About Third Party Cyber Diligence.”