Five little vendors access your data.
The first one said, "For this company, vendor management doesn't seem to matta."
The second one said, "No audit provision in the contract, they don't really care."
The third one said, "Silly company, in the event of a breach, it will be a nasty affair."
The fourth one said, "Regulation requires vendor control."
The fifth one said, "Compliance is clearly not their goal."
Wooooo went the malware.
And out went the apps.
And the five little vendors knew their customer hadn't discovered their gaps (in security).
In honor of Halloween, it seems appropriate to address one of the scariest issues facing organizations today: vendor or supplier management. With over 59% of all data breaches being traced back to a third-party vendor or supplier, companies need to be laser-focused on their vendor management programs. And while this is one of the biggest issues, it is also an area in which companies tend to struggle.
Organizations have been quick to include data privacy and security provisions in their supplier management contracts, especially in light of requirements from the EU's General Data Protection Regulation (GDPR) or the California Consumer Privacy Act of 2018 (CCPA). But still, few actively or appropriately audit their suppliers.
It is noteworthy that some of the most well-known data breaches were caused by vendors or suppliers. For example, the Equifax data breach was caused by a vulnerability in the open-source software Apache Struts. In that particular data breach, approximately 147 million consumers had their information compromised, including personally identifiable information (PII) like names, Social Security numbers, and birth dates. Moreover, the Target data breach that exposed 41 million customers' PII was caused by what many might consider on the surface as a harmless third-party HVAC vendor.
As a matter of context, you may recall I recently discussed in a fair amount of detail the litigation aftermath caused by the Target data breach. As any ardent fan of Halloween movies knows, a seemingly harmless afterthought is usually the one that creates the most fright. In the case of Target, it was one vendor that set off a hair-raising chain of events, to the tune of 41 million pieces of consumer data compromised, followed by hundreds of millions of dollars in settlements. And just when the nightmare was about to end, regulatory penalties were imposed as the end credits came up and the regulatory bodies rolled in. Talk about scary.
The question thereafter follows: what can an organization do to address this evolving and terrifying issue before being unknowingly cast in one of these nightmares? First, simply stop ignoring the problem. The creaking stair and ominous figure in the corner of the room all foreshadow the same thing. The vendor is already accessing your PII. When you are addressing your vendors or suppliers, it is best to keep in mind and acknowledge that they are already in. In other words, the call is coming from inside the house, office, warehouse, or whatever the case may be. Granted, vendors are necessary to every business, and in a post-COVID world, your company is of course relying on vendors to move the growth of your business forward. But remember that reliance does not have to include blind faith. Most of us "trust" that we are fairly safe in our homes while watching that aforementioned scary movie, but some of us "verify" by locking our doors and turning on the lights just to make sure.
Step 1: Audit your existing supplier management program
Let's face it, you don't know what you don't know. Before you do anything else, examine what you are currently doing from an operational standpoint. As a first step, implement a data privacy and security assessment of your existing vendor/supplier management program, looking at the data your organization collects, the vendors it is sharing that data with, and any and all regulations and laws that apply to that data.
For example, the New York Department of Financial Services (NYDFS) Cybersecurity Regulation 500 requires financial firms with a presence in New York to ensure that their suppliers' cybersecurity protections are up to par. To make a long story short, the regulation implicitly requires vendor due diligence. And the only way to establish vendors' due diligence is to audit those vendors. Just having a straightforward contractual provision which makes an allowance for auditing will likely be insufficient if a data breach indeed comes from the vendor. Looking ahead defensively to future litigation, contractual provisions will allow the organization to bring a lawsuit but will not save that organization from the wrath of NYDFS regulators and their stiff enforcement.
In addition, the GDPR requires data controllers to appropriately vet any processor that they bring into the relationship. Article 28(1) states that "the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures" to comply with the GDPR. Further, it creates a responsibility on any data processor to only use sub-processors that comply with the GDPR. Article 28(4) provides, "Where a processor engages another processor for carrying out specific processing activities," the same data protection obligations shall be imposed on that processor. That means that once your organization understands the landscape, you can then begin to formulate your defensive battle plan.
Step 2: Create/update the supplier management program
Any organizational program requires policies, parameters, guidelines, and procedures. You need to give your team the necessary framework and structure to address vendors. Departments should take care not to be dazzled by the latest and greatest shiny piece of technology. Sometimes a shortcut in the short term can mean litigation and extended difficulties in the long run. Discipline is key, and not only for sports teams. You need to set general parameters for your organization on what type of vendors departments should consider.
Next, you should consider what type of information security and physical security your organization's vendors should be following. Do you need your vendors to be ISO certified? Following NIST guidelines? CCPA/GDPR compliant? This is not, of course, a one-size-fits-all playbook. Your organization needs to ascertain laws and regulations impacting the data it is collecting and sharing. It also needs to consider its risk tolerance and select its vendors accordingly.
Finally, there need to be consequences for a vendor/supplier that fails to comply with your organizational standards. After all, and as any good trial attorney knows, if there are no contractual consequences, what incentive does the vendor/supplier have to comply and what leverage does your organization have in the face of non-compliance? This clearly leads me to my next point: contracts.
Once an organization creates a supplier management program, make sure to memorialize those requirements directly into the vendor/supplier contracts. A good rule of thumb is that contractual provisions should be standardized and tracked. In other words, to the extent possible, an organization should try to set standard data privacy and security provisions for every supplier with access to PII or other sensitive data. Now, to the extent a contract deviates from that standard language—and just like those scary movies, it would be naïve to think a contract never will—such deviation should be tracked alongside all other supplier contracts. Your organization should have ready an up-to-date list of its suppliers and the applicable security and privacy provisions in those supplier contracts. As I like to say in preparing for complex litigation, an ounce of prevention now is a pound of cure that can be strategically used later to keep the other side off balance in the throes of a contentious deposition or trial.
Step 3: Start TODAY
I saved this for last because it could really be first. Start today! Vendor/supplier management is an area that needs to be addressed. So don't wait—unless you want to be the organization that gets the ultimate Halloween fright.
The legal information presented in this article should not be construed as providing legal advice or creating the attorney-client relationship.
Rebecca L. Rakoski is the co-founder and managing partner at XPAN Law Group, a boutique international and domestic cybersecurity and data privacy law firm. Rebecca counsels and defends public and private corporations, and their boards, during data breaches and responds to state/federal regulatory compliance and enforcement actions. She advises her clients on a proactive, multi-jurisdictional approach to identify and address data privacy and cybersecurity compliance gaps and potential liabilities. If your organization has any questions regarding its liability or regulatory obligations, please feel free to reach out to Rebecca at email@example.com.