The Company You Keep: When It Comes to Security, Are Your Vendors the Weakest Link?
These days, there is much discussion regarding data breaches, privacy, and information security, and the amount of chatter on these topics can sometimes be overwhelming. This article, a brief recap of a presentation given at Baird Holm’s 2021 Technology and Data Protection Forum, is intended to help you and your organization identify the security risks posed by your third-party vendors, understand how those risks may manifest, and adopt policies and procedures to mitigate them.
Increasing Risks Associated With Third-Party Vendors
For the past several years, a handful of states have adopted consumer privacy legislation that imposes obligations on organizations that collect, use, and share consumer information. Some of these new laws specifically distinguish between the organization that collects, uses, or shares consumer information (the controller) and the third-party organizations with which the collecting organization shares that information (processors and sub-processors). Notably, many of the new privacy statutes impose affirmative obligations on data controllers to regulate what their processors and sub-processors may do with consumer information. The “flow-down” of privacy and security obligations is not itself novel; a similar construct exists under HIPAA’s treatment of covered entity and business associate relationships. The new consumer privacy laws, however, are broader in the kinds of information they cover, and as a result a larger number of organizations are affected by their terms.
Additionally, as organizations turn to outside solutions for business and operational challenges, the use of third-party services has grown significantly in recent years. As more third parties gain access to consumer information, the likelihood of a privacy or security breach grows with it.
What Are The Risks Posed By Third-Party Vendors?
As mentioned above, the new state privacy laws (as well as some older privacy statutes, such as HIPAA) impose affirmative obligations on organizations that collect consumer information and on their third-party service providers, so that a failure to meet those obligations is itself a violation of law. Many of the state laws include enforcement mechanisms such as fines and monetary penalties, private rights of action, and attorney general enforcement. Other types of risk exist and, in some cases, pose a far more serious threat to your organization: a breach at a third-party vendor can cause operational downtime, reputational harm, and, perhaps most importantly, significant financial injury. According to the figures cited in the presentation, the average cost of a breach caused by a third-party vendor in 2020 was over $4,000,000. Suffice it to say that, whatever the type of risk, the risks posed by your third-party vendors in many cases become your risks.
What Can Your Organization Do to Protect Itself?
Put simply, the best way to protect your organization against the risks posed by third-party vendors is to adopt a vendor risk-management framework that inventories the third-party vendors and service providers your organization uses, rates the risk posed by each one, and implements procedures to reduce that risk. In adopting such a framework, keep in mind that not all vendors and service providers are equal. Most organizations have both “critical” vendors, which receive more sensitive consumer information or perform a critical service, and “non-critical” vendors, which do not have access to sensitive information. Naturally, the amount of risk acceptable in the case of “critical” vendors will be lower than the amount acceptable for “non-critical” vendors, and the controls applied to each tier should reflect that difference.
Other Practice Considerations for Dealing With Vendors
- Start with the procurement process. As your organization engages third-party vendors and service providers to assist with its business operations, keep risk mitigation in mind from the outset. Before entering into any agreement, perform due diligence on prospective service providers: request the results of recent security audits and assessments, ask whether (and how often) they undergo penetration testing and how findings are remediated, and perform site visits where appropriate. The more you learn about a service provider before signing, the better your organization will be able to mitigate the risks that provider presents.
- Negotiate contractual agreements appropriately. In drafting the terms that will govern your relationship with a third-party service provider, be sure to include provisions that will address the risks that your due diligence has identified. For instance, include clear terms that provide for the permitted uses of consumer information, baseline safeguards to securing such data, remedies in the event of a breach, and the relative obligations with respect to data upon termination of the agreement. The structure and content of these provisions will likely vary with the criticality of the service that the vendor is performing, as well as the sensitivity of the data shared with the vendor.
- Restrict access as needed. As you onboard a new third-party service provider, implement technical controls that prevent the provider from accessing data to which it is not entitled or that is unrelated to the services it will perform. In practice this means granting the vendor its own credentials or accounts, scoping them to only the systems and data sets the contract covers, and revoking them when the engagement ends. Limiting what a vendor can reach limits what can be exposed if that vendor is breached.
- Trust, but verify. At each stage of your relationship with a vendor, periodically verify that the vendor is complying with the terms of the agreement, including by reviewing what data the vendor actually accesses against what the agreement permits. Adequate protections in the contract are of little value if its terms are disregarded in practice. Additionally, continue to monitor and reassess the risks you previously identified, and implement additional safeguards as necessary when new risks are discovered.
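The last three steps above (contract terms on permitted use and termination, restricting access, and verifying compliance) can be expressed as a small access-control and audit routine. The following is an added example written for this recap, not code from the presentation or from Baird Holm; the vendor names, tiers, data set names, contract end dates, and log lines are all constructed for illustration, and the log format is an assumed one rather than any real product's output.

```python
"""Vendor least-privilege gate and access-log audit (constructed example)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class VendorScope:
    """What the contract permits: which data sets, and until when."""
    vendor: str
    tier: str                    # "critical" or "non-critical"
    allowed_datasets: frozenset  # data sets named in the agreement
    contract_end: date           # access must stop on termination


# Constructed vendor inventory; in practice this comes from the
# vendor risk-management framework's register, not from code.
SCOPES = {
    "payroll-saas": VendorScope(
        "payroll-saas", "critical",
        frozenset({"hr/employees", "hr/payroll"}), date(2022, 6, 30)),
    "newsletter-mailer": VendorScope(
        "newsletter-mailer", "non-critical",
        frozenset({"marketing/contacts"}), date(2021, 12, 31)),
}


def authorize(vendor: str, dataset: str, when: date) -> bool:
    """Deny-by-default gate: unknown vendor, expired contract, or a data
    set outside the agreed scope all fail closed."""
    scope = SCOPES.get(vendor)
    if scope is None:
        return False
    if when > scope.contract_end:
        return False
    return dataset in scope.allowed_datasets


@dataclass(frozen=True)
class Finding:
    when: date
    vendor: str
    dataset: str
    reason: str
    severity: str  # "high" for critical-tier vendors, else "medium"


def parse_log_line(line: str):
    """Assumed log format: '<YYYY-MM-DD> <vendor> <action> <dataset>'."""
    when_s, vendor, action, dataset = line.split()
    return date.fromisoformat(when_s), vendor, action, dataset


def audit(log_lines) -> list:
    """The 'verify' step: replay access logs against the agreed scopes and
    flag every access the contract does not permit."""
    findings = []
    for line in log_lines:
        when, vendor, _action, dataset = parse_log_line(line)
        scope = SCOPES.get(vendor)
        if scope is None:
            reason, severity = "vendor not in inventory", "high"
        elif when > scope.contract_end:
            reason = "access after contract termination"
            severity = "high" if scope.tier == "critical" else "medium"
        elif dataset not in scope.allowed_datasets:
            reason = "data set outside agreed scope"
            severity = "high" if scope.tier == "critical" else "medium"
        else:
            continue  # permitted access: nothing to report
        findings.append(Finding(when, vendor, dataset, reason, severity))
    return findings


# Constructed sample log: two permitted accesses and three that should be flagged.
SAMPLE_LOG = [
    "2021-11-02 payroll-saas read hr/payroll",
    "2021-11-02 payroll-saas read finance/ledger",
    "2021-12-15 newsletter-mailer read marketing/contacts",
    "2022-01-10 newsletter-mailer read marketing/contacts",
    "2021-11-03 unlisted-vendor read hr/employees",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.when} {f.severity:6} {f.vendor}: {f.reason} ({f.dataset})")
```

The gate fails closed: a vendor that is not in the inventory, an engagement whose contract has ended, or a request for a data set the agreement does not name is denied without needing a specific deny rule. The audit applies the same three checks to historical log lines so that the contractual scope negotiated in step two can be compared with what the vendor actually touched, and findings involving critical-tier vendors are ranked higher, matching the tiering described earlier.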