When you enter into a contract with a vendor that will access, use or disclose your customer or employee personal information, assume that you are responsible for any unauthorized access to, use, or disclosure of that protected information, whether by the vendor or a third party. This is true if the vendor or its employees misuse the protected information directly or if the vendor is hacked, as with Target’s HVAC provider. In that incident, the HVAC company didn’t even have direct access to protected information; the hackers allegedly worked their way from the HVAC vendor’s computer into Target’s vendor system and then into a protected database.
It is crucial, then, to see every vendor as a potential back door into your protected information. In fact, companies likely must cope with securing an exponential number of back doors, depending on the type of information, their industry, and applicable domestic or international laws. Though this task might seem daunting, there are a few initial steps you can take.