Inside: Effective vendor management for data governance and security control
Management must work to build processes and procedures to ensure that the organization can fully implement a vendor management process that can adequately address privacy and security risk.
February 24, 2014 at 03:00 AM
8 minute read
The original version of this story was published on Law.com
The first three articles in this series focused on the creation of an internal environment that would enable a strong culture of privacy and data protection to flourish within the organization. The previous articles in the series provided suggestions on specific measures organizations could take to create the foundations for adoption of strong privacy and security controls. Once this has been accomplished to a reasonable degree by the organization, the focus can shift to the movement of data outside of the control of the organization.
Now, we will focus on ensuring that third parties such as vendors, contractors and subcontractors that receive or may have access to the organization's data are properly screened, so that privacy and data security controls are not compromised as a result of a failure to properly select these third-party vendors, and so that the organization has reasonable assurance that its data is being properly maintained by the third party.
Some examples of the types of potential vendors that might require heightened scrutiny are more obvious, such as IT outsourcing vendors providing cloud software, platform and infrastructure as a service. Companies that have outsourced marketing and customer engagement services, human resources management services and property management services to third parties should also consider applying heightened scrutiny to these existing relationships and to new relationships.
Creation of a vendor management process
Vendor management is a multi-functional process involving elements of the IT, legal, compliance and risk management departments, and the internal business owner.
As previously discussed, it is essential that these parties are working in concert in an attempt to identify and mitigate the potential risks created by engaging a third-party vendor that may have access to or receive data from the organization. Assuming the organization has been successful in developing an internal culture of data responsibility and accountability, these elements will work in unison to credibly, methodically and defensibly identify and determine an acceptable level of risk to the organization. Only through mutual cooperation and alignment of these individual business units can this process properly function.
Depending on the organization's risk tolerance, this program can be scaled to achieve the desired level of scrutiny that fits the organization. For example, a small business owner or non-profit organization may not find it necessary to apply the same program as a Fortune 500 company, assuming their data risks are different. Moreover, different organizations may be more mature when it comes to overall data governance. The point is, the program has to fit the organization or it will not be successful. Simply drafting policies without really understanding how they fit within the organization will not work.
Is failure to address vendor management an option?
The risks of failing to establish an appropriately scoped program include the potential loss of ownership rights to the organization's data, lack of data security, lack of data privacy protections and controls, loss of data backup and recovery, inappropriate or incomplete incident response, failure to notify of data loss or data breach, brand erosion or collapse, loss of shareholder confidence, increased regulatory scrutiny or action, and potential class action litigation.
Who owns vendor management?
Effective vendor management requires organizational commitment from senior executive leadership of the organization. In reality, organizations must assign ownership of vendor management to all employees.
If you have the authority to select and hire a third party who can access or will receive data from the organization, you are responsible for ensuring that everyone internally is acquainted with and comfortable with that vendor. An internal audit must assure that adequate controls are in place and can be tested to demonstrate a reduction in risk to the organization.
How is vendor management governed?
The governance process is a key element of the vendor management program, as it provides the oversight and control mechanism established by the organization over the policies and procedures, and standards for the engagement, evaluation and ultimate approval or rejection of the vendor. Lack of adequate governance standards and organizational controls over the vendor management process can lead to disruption, data compromise, data loss, financial loss, brand damage, and for public companies, diminished shareholder value.
The organization must develop a variance process in the event that the internal business owners cannot, out of necessity or some other equally plausible scenario, engage in the vendor management process. An oversight role must be part of any variance process, and variances must be reviewed regularly.
Initiation of this process may encounter resistance, as increased diligence is likely to interfere with the agility of the contracting process. For this reason, it is critical to establish clear ownership and governance responsibility at the management level. The risk management owners (IT, legal, compliance) of the vendor management program must convincingly make the case that conducting this type of due diligence is as essential to the contracting process as offer and acceptance themselves. It requires considerable education, training and communication of the risk and of the overall value the process brings to the organization from a risk mitigation perspective.
While an effective program may never adequately be monetized, the costs of an unsuccessful program will most certainly be.
The legal perspective to protecting data: Key contractual components
This list is not exhaustive and the contractual language needs to be specifically tailored after a comprehensive risk assessment. The purpose of providing these elements is solely to identify the core elements that should be a starting point as part of the negotiations with the third-party vendor.
1. Qualified counsel and clear definitions. The organization must engage qualified counsel to draft the appropriate provisions specific to the transaction. These elements can be included as part of the original agreement or as part of an addendum or amendment to an existing agreement. The key elements of the essential contractual provisions should focus on providing a clear definition of personal information.
2. Vendor compliance. The organization should, at a minimum, require the third-party vendor to represent and warrant compliance with all applicable federal, state and local laws, rules and regulations that pertain to the possession or use of personal information. The language should require the third-party vendor to comply with the organization's privacy and information assurance policies and the organization's notice of privacy practices.
3. Security programs. The third-party vendor should be required to maintain, to the extent feasible, its own privacy and information security program, and to conduct regular risk assessments of its security and information assurance practices. There should be a very clear requirement that the third-party vendor provide notification of a privacy or information security event, and that it take immediate steps, to the extent possible, to address the event.
4. Audits. The organization should insist on audit rights and insist on the right to hire third parties, as necessary, to conduct the audits.
5. Safeguards. Organizations should require by contract that their vendors are capable of maintaining appropriate safeguards for the organization's data.
6. Indemnification and cyber liability insurance. Third-party vendors should be capable of providing broad-based indemnification for their failure to comply with applicable privacy laws, for loss of the organization's data, for negligence, gross negligence or bad faith, or for any security breach involving the organization's data. Additionally, the vendor should maintain appropriate coverage for loss in the event of a cyber attack, employee errors or omissions, and any other insurance coverage the organization considers appropriate in light of the risk. This coverage will be critical to pay for notification and remediation in the event the vendor causes a data loss that affects the organization.
7. Confidentiality. Finally, the organization should require a confidentiality provision ensuring adequate protection of the organization's data. There should be specific provisions to address protection, destruction and return upon conclusion of the agreement.
Practical takeaways
At minimum, an organization must conduct a full inventory and accounting of all third-party vendors that have access to or receive data from the organization. Once this inventory is complete, management must work to build processes and procedures to ensure that the organization can fully implement a vendor management process that can adequately address privacy and security risk and can lay a strong foundation for engaging future third-party vendors.