A continuing series highlighting developments in privacy and security.
Do you give vendors access to your networks and systems? Use a third party to host your website, records, or an app? Use cloud-based services to store or process personal or confidential information? If so, a third party likely has access to personal data about your customers, employees, or other valuable company information. Moreover, they may have sent your information further downstream to their own service providers. Using state-of-the-art cybersecurity controls in your own IT systems will not minimize your risk of a data breach if you don't also consider protections for your data in the hands of third parties. Do you know where your data is right now?
This is not a hypothetical concern. Third-party vendors have been blamed for data breaches at Target, Lowe's, Goodwill, AT&T, Legal Sea Foods and AutoNation. Regulators are paying attention and are issuing guidance or rules that require adequate third-party service provider security measures (see, for example, the New York State Department of Financial Services' draft proposed Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500).
Reduce the risk that your data will be lost, corrupted or misused in a vendor's hands by instituting or updating a good vendor management plan.
Elements of a Good Vendor Management Plan:
- Understand what data assets the vendor will touch, whether through hosting, support or otherwise. How do these assets fit into your own risk assessment?
- Extend your own security expectations, based on your risk assessment, for that data to the vendor. For example, if you would encrypt the data at rest in your systems, outline the same expectations for the data when it is in the vendor's systems.
- Conduct diligence on the vendor's ability to meet your security expectations. Include the vendor's administrative controls and processes, physical security and technical security.
- Work with a knowledgeable security professional to ask the right questions. If the vendor resists diligence on the basis that it conducts an annual audit or maintains a security certification, make sure the requirements of the audit or certification program match your security expectations.
- Consider reasonable contractual protections:
  - Obligate the vendor to meet your security standards. If you are relying on third-party certifications, require that the vendor maintain those and notify you of any change in status.
  - Control downstream transfers of your data, whether to subcontractors, hosts, processors or other technology partners.
  - Require that the vendor give you timely reports of any security incidents. Include provisions regarding your right to control any responses and communications to third parties, including government officials.
  - Include the right to terminate without penalty if you believe the vendor's security practices are not adequate.
  - Mandate appropriate insurance, and understand how it will apply to losses of your data.
  - Do not forget about contingency planning and disaster recovery. Define the vendor's role in backing up data. Where will backup copies be maintained, and for how long?
  - Ensure that the vendor cooperates so that you receive copies of your data at termination, in the form and format you prefer.
  - Include provisions specifying whether the vendor will delete or destroy your data at termination and, if applicable, the manner of destruction.
- Conduct periodic audits of the vendor's compliance with your security requirements.
- Verify whether your own insurance will provide any protections for incidents under a vendor's control.
- Include data incidents involving vendors in your own data breach response plans.