A future data breach may not be top of mind for entities engaged in contract negotiations with vendors who, in the course of their work for the entity, will have access to or possession of the entity’s confidential data. But taking the time to address data breach concerns before the contract is signed, when the entity may have the most leverage, can pay big dividends should a breach involving the vendor take place. The following are some of the key issues entities generally should consider to protect themselves before and at the time of contracting with vendors. Industry-specific laws, regulations and standards also should be carefully considered.
Pre-contracting due diligence: Entities should conduct thorough technical, compliance-focused due diligence to assess a prospective vendor’s security infrastructure and environment. Security issues can be exposed up front, and vendors that are not up to the job can be disqualified. Note that healthcare providers may need to enter into Business Associate Agreements with prospective vendors during this stage.