The first three articles in this series focused on the creation an internal environment that would enable a strong culture of privacy and data protection to flourish within the organization. The previous articles in the series provided suggestions on specific measures organizations could take to create the foundations for adoption of strong privacy and security controls. Once this has been accomplished to a reasonable degree by the organization, the focus can shift to movement of data outside of the control of organization.
Now, we will focus on ensuring that third parties such as vendors, contractors and subcontractors that receive or may have access to the organization's data are properly screened so that privacy and data security controls are not compromised as a result of a failure to properly select these third party vendors, and the organization has reasonable assurances that their data is properly being maintained by the third party.
Some examples of the types of potential vendors that might require heightened scrutiny are more obvious, such as IT outsourcing vendors providing cloud services for software, platform and infrastructure as services. Companies that have outsourced marketing and customer engagement services, human resources management services and property management services to third parties should also consider apply heightened scrutiny to these existing relationships and new relationships.
Creation of a vendor management process
Vendor management is a multi-functional process involving elements of the IT, legal, compliance and risk management departments, and the internal business owner.
As previously discussed, it is essential that these parties are working in concert in an attempt to identify and mitigate the potential risks created by engaging a third-party vendor that may have access to or receive data from the organization. Assuming the organization has been successful in developing an internal culture of data responsibility and accountability, these elements will work in unison to credibly, methodically and defensibly identify and determine an acceptable level of risk to the organization. Only through mutual cooperation and alignment of these individual business units can this process properly function.
Depending on the organization’s risk tolerance, this program can be scaled to achieve the desired level of scrutiny that fits the organization. For example, a small business owner or non-profit organization may not find it necessary to apply the same program as a Fortune 500 company, assuming their data risks are different. Moreover, different organizations may be more mature when it comes to overall data governance. The point is, the program has to fit the organization or it will not be successful. Simply drafting policies without really understanding how they fit within organization will not work.
Is failure to address vendor management an option?
The risks of failing to establish an appropriately scoped program include the potential loss of ownership rights to the organization’s data, lack of data security, lack of data privacy protections and controls, loss of data backup and recovery, inappropriate or incomplete incident response, failure to notify of data loss or data breach, brand erosion or collapse, loss of shareholder confidence, increased regulatory scrutiny or action, and potential class action litigation.
Who owns vendor management?
Effective vendor management requires organizational commitment from senior executive leadership of the organization. In reality, organizations must assign ownership of vendor management to all employees.
If you have the authority to select and hire a third party who can access or will receive data from the organization, you are responsible to ensure that everyone internally is acquainted with and comfortable with that vendor party. An internal audit must assure that adequate controls are in place and can be tested to demonstrate a reduction in risk to the organization.
How is vendor management governed?
The governance process is a key element of the vendor management program, as it provides the oversight and control mechanism established by the organization over the policies and procedures, and standards for the engagement, evaluation and ultimate approval or rejection of the vendor. Lack of adequate governance standards and organizational controls over the vendor management process can lead to disruption, data compromise, data loss, financial loss, brand damage, and for public companies, diminished shareholder value.
The organization must develop a variance process in the event that the internal business owners cannot, out of necessity or some other equally plausible scenario, engage in the vendor management process. An oversight role must be part of any variance process and variance must be reviewed regularly.
Initiation of this process may encounter resistance, as increased diligence is likely to interfere with the agility of the contracting process. For this reason, it is critical to establish clear ownership and governance responsibility at the management level. The risk management owners (IT, legal, compliance) of the vendor management program must convincingly make the case that conducting this type of due diligence is as essential to the contracting process and offer as acceptance itself. It requires considerable education, training and communication of the risk and the overall value the process brings to the organization from a risk mitigation perspective.
While an effective program may never adequately be monetized, the costs of an unsuccessful program will most certainly be.
The legal perspective to protecting data: Key contractual components
This list is not exhaustive and the contractual language needs to be specifically tailored after a comprehensive risk assessment. The purpose of providing these elements is solely to identify the core elements that should be a starting point as part of the negotiations with the third-party vendor.
1. Qualified counsel and clear definitions. The organization must engage qualified counsel to draft the appropriate provisions specific to the transaction. These elements can be included as part of the original agreement or as part of an addendum or amendment to an existing agreement. The key elements of the essential contractual provisions should focus on providing a clear definition of personal information.
2. Vendor compliance. The organization should, at a minimum, require the third-party vendor to represent and warrant compliance with all applicable federal, state and local laws, rules and regulations that pertain to the possession or use of personal information. The language should require the third-party vendor to comply with the organization’s privacy and information assurance policies and the organization’s notice of privacy practices.
3. Security programs. The third-party vendor should be required to maintain, to the extent feasible, its own privacy and information security program, and conduct regular risk assessments of its security and information assurance practices. There should be a very clear requirement that the third-party vendor provide notification of a privacy or information security event and require the third-party vendor to take immediate steps, to the extent possible, to immediately address the event.
4. Audits. The organization should insist on audit rights and insist on the right to hire third parties, as necessary, to conduct the audits.
5. Safeguards. Organizations should require by contract that their vendors are capable of maintaining appropriate safeguards for the organization’s data.
6. Indemnification and cyber liability insurance. Third-party vendors should be capable of providing broad based indemnification for their failure to comply with applicable privacy laws, for loss of the organization’s data, for negligence, gross negligence or bad faith, or any security breach involving the organization’s data. Additionally, the vendor should maintain appropriate coverage for loss in the event of a cyber attack, employee errors or omissions and any other insurance coverage the organization considers appropriate in light of the risk. This coverage will be critical to pay for notification and remediation in the event the vendor causes a data loss that effects the organization.
7. Confidentiality. Finally, the organization should require a confidentiality provision ensuring adequate protection of the organization’s data. There should be specific provisions to address protection, destruction and return upon conclusion of the agreement.
At minimum, an organization must conduct a full inventory and accounting of all third-party vendors that have access to or receive data from the organization. Once this inventory is complete, management must work to build processes and procedures to ensure that the organization can fully implement a vendor management process that can adequately address privacy and security risk and can lay a strong foundation for engaging future third-party vendors.