Vendors are a leading source of privacy risk and must be properly vetted and managed. The following strategies are important considerations for any vendor risk management program:
1. A requirement that the vendor maintain a written privacy program that covers the company’s data
A company should require that its vendors have not only a written security program, but also a written privacy program. This requirement ensures that a vendor is addressing all of the inherent privacy risks existing within its data processing activities, including management, notice, choice and consent, data subject access requests, monitoring and enforcement, third-party disclosures, collection, use, retention and disposal, and data quality. It is not enough merely to require a vendor to have a security program.
2. A requirement that the vendor assist with fulfilling access requests if any responsive data is stored in the vendor’s systems
A company that has delegated data processing activities to a vendor still has the ultimate responsibility for fulfilling access requests from data subjects, law enforcement, and court subpoenas. Generally, in vendor relationships, the vendor stores and maintains personal information in its own systems rather than in the systems of the company. The company must therefore ensure that its vendors will cooperate and assist in fulfilling those access requests.
3. The right to inspect the vendor’s physical premises, including the data center facilities
It is the responsibility of a company to implement physical safeguards to ensure the security of its personal information. Physical safeguards are especially important in the data center facilities, where servers are operated and maintained. A company may want to ensure that a vendor is satisfactorily safeguarding its physical premises against unauthorized individuals. To do so, a vendor must agree to submit to a company’s request to inspect the premises. This clause is typically included in the privacy and security provisions of vendor agreements.
4. A requirement that the vendor comply with applicable privacy laws
Maintaining a written privacy program is not enough to ensure that a vendor is complying with all applicable privacy laws. Further, a vendor could be compliant with the privacy laws of its own jurisdiction while failing to comply with the privacy laws of the company’s jurisdiction. It is the responsibility of the company to determine which laws are applicable to all of its processing activities, including those that are performed by a vendor. A company may therefore require that its vendor comply with privacy laws that apply to the company even where those laws would not otherwise apply to the vendor.
5. A requirement to promptly notify the company of any potential privacy incidents
Notification of a data breach is one of the most important controls that can be used in a vendor relationship because, under most regulatory models, the company is still ultimately responsible for a data breach at its vendors. Further, depending on the nature of the breach, a hacker’s entry into the network infrastructure of one party may mean that the hacker has also entered the systems of the other party. Notification by a vendor in the case of a data breach will allow the company to respond in a timely manner to any impacts on its own systems and to comply with state data breach notification laws.
6. The vendor shall not engage a subcontractor without prior written authorization of the company
A company should always know who is processing the personal information of its consumers. Generally, a vendor or contractor that is conducting processing activities on behalf of a company may enter into an agreement with its own vendor or contractor to assist in those activities as a subcontractor. A company must be able to evaluate the third-party risks of the subcontractor in the same way that it has evaluated the risks of the vendor. But if a vendor is not required to notify the company or seek its approval before giving the subcontractor access to personal information, then the company has not been given an opportunity to mitigate these risks.
7. Vendor will only process and store data in specified countries
For a company to fully understand its privacy compliance obligations, it must know where it is processing personal information, especially if data localization laws are applicable which require personal information collected in a particular jurisdiction to be maintained solely in that jurisdiction. These obligations are typically clear when a company is processing its own data. However, when a vendor, for example a cloud services provider or data center, maintains data processing facilities in various jurisdictions around the world, the company may want to limit the vendor’s data processing on its behalf to only specified locations. To accomplish this, the vendor’s systems must be able to control where they process the company’s data, rather than sending it to any or all of the vendor’s data centers.
8. A requirement that the vendor make available to the company all information necessary to demonstrate compliance with the vendor’s contractual obligations
New vendor relationships may be fraught with risks, especially where a vendor does not have a long history of compliance that the company can rely upon. To help build trust, a company may require that a vendor show evidence of its compliance in the form of documentation. For example, if a vendor is contractually obligated to enter into privacy and security agreements with all of its own vendors, then the company may require that the vendor provide copies of those executed agreements for review and audit.
9. Where a vendor engages a subcontractor for carrying out specific processing activities on behalf of the company, the same data protection obligations shall apply to the subcontractor as are set out in the contract between the company and the vendor
When vendors enter into their own vendor relationships, a company may require not merely that an agreement be in place, but that the content of the agreement meet minimum standards. At the very least, a company will likely want a vendor’s third-party agreements to meet or exceed the obligations that the vendor itself has agreed to.
10. A requirement that the vendor purchase and maintain a cyber-liability insurance policy
Cyber-liability insurance policies are becoming more popular among companies as a way to mitigate the costs of a data breach. However, a company can only obtain a policy covering its own operations, which does not include the operations of its vendors. Therefore, a company may require that a vendor purchase and maintain its own policy that will be payable to the company in case the vendor is subject to a breach.