For the first time in weeks, you slept well last night, confident that your expensive consultant found every hole in your company’s data-security program. The board of directors was thrilled with your report on the robust, new data-security policy that you personally approved. But, did your consultant look deep enough? Did she realize that although your company encrypts emails containing personally identifiable information, one of your vendors does not encrypt their responsive emails containing the same information? Did she understand your business well enough to realize that a service provider collects and stores customers’ personally identifiable information on its servers through the app it designed for your company?
Implementing reasonable security measure to avoid civil and regulatory liability requires a careful audit of all points of vulnerability. One of those points is your vendors. As such, any data-security audit should examine your vendors’ data security protocols.
Not every company is that careful, however. We routinely read in the press about companies facing scrutiny because their vendors exposed sensitive customer information. For example, Allison Grande at Law360 recently reported that a vendor breach exposed the names, dates of birth, and social security numbers of more than 5,000 patients of a health care provider.
Regulators have taken note, though, and are going after vendors responsible for data breaches. One such enforcement action occurred in 2016, when the FTC required a dental-practice software vendor to pay $250,000 to settle FTC charges that it falsely advertised the level of encryption it provided to protect patient data.
Many companies are pushing back against vendors who refuse to improve their data-security systems. In the February 2017 edition of Financial Planning Magazine, Suleman Din, Managing editor of SourceMedia’s Investment Advisory Group, wrote a great article discussing how financial advisers can ensure that their vendors adequately protect client data. According to the article, the financial advisory firm Heron Financial Group regularly reviews its vendors’ data security practices. The article reports that Heron is unwavering and has fired vendors whose security was inadequate.
Five Key Steps to Protect Data Shared with Vendors
Although you can never be certain about your vendors’ practices, there are ways to better protect your data:
- Perform due diligence. How much do you really know about your vendors’ data security systems? Ask questions and verify the answers.
- Limit third party access. Only grant access to data that your vendors must have to service your business. When doing so, provide access solely through a secure, encrypted portal. Additionally, segment that portal from the rest of your network. Finally, limit the number of vendor employees granted access to your data.
- Encrypt communications. Require that your vendors encrypt all emails containing sensitive data.
- Verify compliance. Don’t just take their word for it. Instead, perform periodic audits of your vendors’ data-security systems.
- Put it in writing. Include provisions in vendor contracts to protect your data. These clauses should establish minimum data-security standards. Your contracts should also permit audits of your vendors’ data-security protocols. Importantly, these contracts should require that your vendors immediately report all data breaches.
These are just a few steps to consider. However, they will go a long way toward better protecting sensitive information shared with vendors. In future posts, I will offer useful data-security clauses for your vendor agreements.
Photo courtesy of wistechcolleges on Flickr.
