Whenever a business entrusts sensitive information to its vendors, it must ensure that the vendors safeguard the information at least as rigorously as the business is required to do. We give such information to a multiplicity of vendors, often without fully realizing we are doing so. Some examples include email providers, cloud storage, software-as-a-service applications, copy rooms, couriers, professional service providers, and so on.
Businesses frequently entrust sensitive information to vendors without critically considering whether we should do so, and without knowing how to ensure we are doing so appropriately. Consequently, vendor management is one of our biggest cybersecurity risks and challenges.
Not all vendors pose the same risks, nor should they be managed identically. Effective vendor management requires categorizing vendors and addressing each category differently.
For example, we entrust certain vendors with large amounts of highly sensitive information, such as cloud storage, record retention, professional service, information technology, and benefits administration providers. To fulfill our obligation to ensure that these vendors properly safeguard the information we give them, we must conduct appropriate due diligence. That can include reviewing documents, such as their written cybersecurity policies, training materials, and insurance. It also can include asking them to complete written questionnaires and answer follow-up inquiries. In addition to due diligence, we must enter into meaningful information security agreements with these vendors.
We give other vendors similarly large quantities of sensitive information, but due diligence is not feasible. Examples include Microsoft, Google, Amazon, health insurance providers, banks, etc. These vendors commonly offer industry-accepted certifications that we can rely on in lieu of due diligence, and they will enter into only their own form security agreements.
Many vendors fall into a middle category. These include vendors to which we give smaller amounts of sensitive information, or to which we provide sensitive information only episodically, such as landlords, cleaning services, couriers, and document storage and destruction companies. Likewise, vendors we entrust with meaningful amounts of information that is not particularly sensitive can fall into this middle category. For them, moderate due diligence (such as simply reviewing their cybersecurity policies) and appropriately tailored information security agreements often suffice.
Finally, vendors fall into the lowest risk category if they receive information that is confidential but not legally protected, or if they have no direct access to information. Examples include a website host, a business development consultant, and a food service vendor. While we should enter into reasonable confidentiality agreements with them, due diligence is typically unnecessary.
Though diligence and agreements are required, persuading some vendors to cooperate can be challenging. Diligence should be thoughtfully tailored to not overwhelm vendors, but nonetheless be sufficient to determine whether they truly implement cybersecurity safeguards appropriate to the quantity and sensitivity of information entrusted to them. Businesses may have to decline to retain vendors that refuse to comply with reasonable diligence requests or have not adopted sufficient cybersecurity protections.
Negotiating effective information security agreements requires equal parts perseverance and foresight. For example, such agreements must select an appropriate legal regulation, achievable industry standard, or otherwise defined set of cybersecurity criteria that the vendor must meet. The agreement also must artfully address issues that are commonly divisive and contrary to the vendor's form services agreement, such as limitation of liability, breach notification, termination of the services agreement, ownership and return of information, and cyber insurance.
While challenging, vendor management is both critically important and manageable. Success is achievable through patience, flexibility, resourcefulness, and experience.
Cam Shilling chairs McLane Middleton's Information Privacy and Security Practice Group. Other members of the team include attorneys John Weaver, Annie Cho, and Katelyn Burgess and technology paralegal Dawn Poulson. Founded in 2009, the group assists businesses and private clients in improving their information privacy and security compliance and in addressing any security breach or incident that may arise.