
Mitigating Your Greatest Data Privacy Risk: How To Establish an Effective Vendor Management Process

I. Third-party vendors pose a significant risk

What is the greatest data privacy threat to companies in 2023? It is commonly thought that a company’s employees are the greatest threat, since they may fall prey to phishing, clickbait, lost devices and other situations that compromise company data. Employees can be a threat, but that threat lies within the company’s own control and can be mitigated by implementing solutions such as tighter controls on company devices, employee training and internal safeguards.

The greatest data privacy threat companies actually face in 2023 is their vendors: the third-party businesses a company relies on to operate. Companies are increasingly engaging third-party vendors to provide a host of services. It is often cheaper to outsource key services and infrastructure to cloud providers than to develop and maintain them in-house. Yet these vendors are a data privacy threat, and when a vendor is breached it is usually the company whose data was exposed, not the vendor, that answers to regulators and customers. Consider the numbers:

  • 63% of data breaches are tied to or directly caused by third-party vendors.
  • The average cost of responding to a large-scale third-party breach is $10 million.

In addition to response costs, data breaches can lead to a number of other challenges for companies, such as:

  • Increased operational costs associated with asset recovery and system downtime.
  • Regulatory investigations or actions.
  • Litigation.
  • Reputation harm.
  • Customer loss.
  • Decrease in shareholder value.

II. The concept of vendor management

Can companies manage vendor risk the way they have begun to manage employee risk? Yes, if they follow a comprehensive third-party vendor management program. Many companies rely on their procurement department to gather information on vendors and/or to establish a risk profile through vendor assessments. But as more and more vendors have cloud-based or Internet of Things components (even for the most mundane products and services), it is time to stop treating vendor management as a procurement task alone and to involve legal and information security in the process.

Vendor assessments and surveys are no longer enough to protect a company, because they provide an incomplete picture. They are point-in-time snapshots: they describe what the vendor is or is not doing on the day it completes the questionnaire. Vendors rarely go back and update customers when they change their security policies or architecture. Assessments and surveys are a good way to get to know a vendor from a technical standpoint as of the completion date, but the vendor selection process cannot stop there. Additionally, a questionnaire answer carries no legal consequence on its own if the vendor later experiences a data breach. This is where a written agreement between your company and its vendor can protect your company in ways that an assessment or survey cannot.

III. The information security agreement

The company, based on its industry and what it does, must be the party that sets the parameters for its own risk tolerance and its legal and regulatory obligations; it cannot leave that to each vendor’s standard terms. But how does a company do so while contracting with hundreds of vendors each year?

We recommend a written document, whether a stand-alone agreement or an exhibit or addendum to the underlying relationship agreement, that sets forth specific physical and technical standards and ongoing obligations on your vendors to keep your data safe, together with legal remedies if vendors fail to meet those obligations. This document is commonly referred to as an information security agreement (“ISA”).

At a minimum, an ISA should address the following:

  • Certifications and attestations. Certain industries have statutory or regulatory requirements (e.g., HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act, for protected health information), while others rely on industry attestations and certifications (e.g., a SOC 2 Type II report or ISO/IEC 27001 certification). Vendors should provide copies of their current reports and certifications, and the ISA should require them to keep those current. Note that a SOC 2 report covers a defined scope and period: confirm that the scope covers the services you actually use and read the noted exceptions rather than treating the report as a pass/fail result.
  • Data breach notification. How will the vendor notify you if your data is breached, and within what period? Set the deadline in hours and make it shorter than your own notification clocks (under the GDPR, for example, a controller has 72 hours to notify the supervisory authority, so a vendor that takes 72 hours to tell you leaves you no time). What does the vendor have to do for you and the data subjects post-breach, and who bears the cost?
  • Encryption of data. Does the vendor encrypt data only at rest or also in transit? “What level of encryption” is too vague to enforce; specify the protocols and algorithms required (e.g., TLS 1.2 or later in transit and AES-256 at rest), who holds and rotates the keys, and whether the vendor’s staff can read your data in the clear.
  • Audits. Do you want the right to audit the vendor’s compliance with the ISA yourself, or to rely on independent third-party audits? What about after a data breach?
  • Employee/subcontractor management. Do vendor employees need background checks? Can the vendor engage subcontractors without your approval, and do the ISA’s obligations flow down to those subcontractors?
  • Data storage/destruction. Where can and can’t the vendor store your data, including backups and replicas? What happens to your data when your agreement with the vendor is over, and will the vendor certify its deletion?
  • Malware. What internal processes does the vendor have in place to detect malware and prevent cyberattacks? Does the vendor regularly scan its systems (and make the results of those scans available to you upon request)? What happens if the vendor passes malware on to you, for example through an infected file or a compromised software update?
  • Disaster recovery/business continuity. If the vendor experiences a major interruption, how long will it need to recover (its recovery time objective) and how much data could be lost (its recovery point objective)? This is particularly important for infrastructure vendors.
  • Regulations. Which laws apply to the data you share with the vendor, and which of your own obligations must flow down to it? Examples include the European Union’s General Data Protection Regulation (which requires specific contractual terms between a controller and its processors) and the California Consumer Privacy Act.
  • Insurance. Does the vendor have sufficient cyber insurance in place to make you whole if it experiences a data breach? Is the vendor properly capitalized to stand behind its liability?
  • Liability. What is the minimum level of vendor liability your company will accept for a data breach or a breach of the ISA? General contract liability caps are often far below the cost of a breach; the vendor’s liability for data breaches should be subject to a higher cap, or uncapped, particularly for regulated businesses.

IV. The vendor management process

Prework. Draft a template ISA that reflects your company’s actual needs, considering factors such as its industry, the data it collects, its regulatory environment and its products or services. With the onslaught of new data privacy legislation both domestically and abroad, Polsinelli recommends consulting your privacy counsel on any data privacy provisions. Prework action steps:

  1. Establish written criteria that define when vendors will be required to sign an ISA (i.e., when the vendor will have access to your data, infrastructure or network).
  2. Work with the legal and information security teams to draft a form ISA.
  3. Establish written parameters for how much deviation from the ISA you will tolerate when vendors request changes. Your Polsinelli attorneys can assist with ISA prework, including drafting an ISA that includes requirements and risks your company is comfortable with.

Internal rollout. When rolling out the ISA within your company, educate everyone who is part of the vendor selection process, and work with vendor management, legal and compliance so that all of them understand what the ISA is, what it does and why it matters. Polsinelli recommends hiring an external party to present required training sessions for all relevant internal stakeholders for maximum impact and adoption. Internal rollout action steps:

  1. Educate internal stakeholders about the ISA, its purpose and its effectiveness.
  2. Modify the company’s internal process so that an ISA is now provided to any new vendor that meets the established criteria.
  3. Establish who has authority within the organization to approve vendor-requested deviations to the ISA.

External rollout. Sending the ISA to prospective vendors is easy. But what will you do when vendors ask to negotiate certain provisions, or decline to review your ISA altogether and instead provide their own information security terms (which may not be in the form of a legally binding agreement)? Polsinelli recommends establishing a relationship with outside counsel with expertise in data privacy and information security who can help identify and quantify the risk associated with a vendor’s changes or terms. External rollout action steps:

  1. Send the ISA to vendors with clear messaging that explains the ISA’s purpose and relationship to other legal documents.
  2. Create a process for the receipt of vendor changes and establish who will negotiate with the vendor.
  3. Establish a repository of signed ISAs that can be retrieved easily when there is an issue with the vendor, so that the notification deadlines, audit rights and remedies are at hand during incident response.

Your Polsinelli attorneys can assist with responding to any proposed changes by vendors and determining the risk associated with such changes.

V. Conclusion

Facing a regulatory body or your customers after a data breach will be less painful when you can point to a comprehensive vendor management process. And it will be less painful still when you can obtain relief from the vendor responsible for the breach instead of paying out of your own pocket.