I recently attended the 10th Annual Legal and Compliance Forum on Privacy & Security of Consumer and Employee Information in Washington, DC. It featured a particularly lively panel on “Oversight of Third-Parties and Vendors: Managing and Controlling Relationships Through Effective Due Diligence and Contract Negotiation.” Below are some key points the panelists discussed; some may seem obvious, but they are nevertheless important measures to consider as part of your vendor relationships:
- Be able to terminate the relationship without cause. A company’s contract with a vendor should include the ability to terminate the agreement without cause and should guarantee continuing assistance from the vendor after termination.
- Use experienced vendors. Do not be the first (or even second) company to contract with a vendor for a particular service. New services have too many bugs still to be worked out before you can know they are safe and secure.
- Obtain and talk to references provided by the vendor. Consider hiring a consultant to facilitate conversations with companies that have used a particular vendor but were not offered as references.
- Have the vendor explain its services in detail and down to the molecular level. Vendors should be able to go into detail about their procedures—a company should understand what the vendor is doing with its data down to the IT level.
- Verify vendor data security measures. The vendor’s laptops should be encrypted, along with USB drives, memory sticks, portable hard drives, etc.
- Insist on robust notice in the event of a breach. The vendor should be obligated to provide immediate notice to the company of any actual or suspected breach of the company’s data.