Key tips for managing privacy and cybersecurity risks with vendors

As organizations increasingly outsource services to vendors, the need to effectively manage vendor risks has grown.

Failure to manage vendor risks can result in business interruptions, financial losses, lawsuits, reputational damage, and regulatory investigations and proceedings. This is particularly the case because you are accountable for all personal information you transfer to service providers. You can reduce these risks by performing due diligence, putting appropriate contractual safeguards in place and conducting ongoing monitoring.

Due diligence and risk assessment

Completing appropriate due diligence activities prior to selecting a vendor helps you determine the risk of doing business with a vendor.

Due diligence activities help verify whether the vendor:

  • is reputable and honest
  • has the experience, skill and resources to carry out the contract
  • has reasonable compliance programs and internal controls in place
  • has conducted external assessments or certifications
  • has a history of incidents or non-compliance

Due diligence activities help you assess the vendor’s privacy and cybersecurity program by determining what information the vendor receives, how it will be stored, who has access to the information, whether the vendor’s employees receive appropriate training, and whether appropriate safeguards are in place for the information.

By identifying any “red flags” or gaps as part of this review, you can determine whether and how you would like to proceed with the vendor, and how to best manage these risks going forward.

Put appropriate contractual safeguards in place

Contractual safeguards can further reduce the risks arising from your relationship with the vendor. Examples of such safeguards include, among other things:

  • Providing a clear requirement that the vendor take steps to comply with applicable laws
  • Requiring the vendor to maintain policies and procedures acceptable to your organization
  • Authorizing your organization to monitor and audit the vendor on an ongoing basis
  • Requiring the vendor to immediately notify and cooperate with you in the event of an incident
  • Requiring the vendor to have insurance coverage for privacy or cybersecurity incidents
  • Limiting the vendor’s ability to sub-contract and assign its obligations
  • Indemnifying your organization and limiting its liability for any damages stemming from incidents experienced by or on account of the vendor’s action or inaction
  • Establishing consequences for the vendor’s failure to meet its obligations with respect to privacy and cybersecurity
  • Including clear rights to terminate for convenience where appropriate

Conduct regular monitoring

Conducting due diligence is an ongoing task – the job does not end when a contract is executed. Periodic reviews and audits should be completed to verify that contractual requirements continue to be met. Any incidents or allegations of misconduct should be investigated, with steps taken to ensure compliance with applicable laws. As gaps are identified throughout the life of the contract, they should be addressed.

Takeaways for your organization

The risk associated with storing personal and other confidential information is heightened when the information is transferred to service providers. By properly vetting your vendors and carefully drafting contractual protections, you can reduce these risks significantly. Likewise, by putting procedures in place to monitor the contract following its execution, you can verify that vendors continue to meet their contractual obligations.

The lawyers in the MLT Aikins Privacy, Data Protection & Cybersecurity group have extensive experience advising on and assisting with due diligence activities as well as reviewing and drafting contracts to mitigate risks from a privacy and cybersecurity perspective. Our group can also help you choose the right vendor management program for your operations. Contact us to learn more.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.