In the world of third-party risk management, vendor data breaches continue to dominate headlines. Healthcare and the financial services industries are frequent targets because of the abundance of sensitive data they handle. However, any organization that uses vendors can be impacted by a data breach and expose consumer data.
In general, it’s best to assume that a data breach is inevitable, so that you are prepared to respond when one happens. When a data breach occurs, you’ll need to act on three separate fronts – with your vendor, with your customers, and internally.
After a Data Breach: What to Do With Your Vendor
After your vendor has confirmed a breach, it’s important to act quickly to protect your brand and customers. Here are some actions you’ll need to take with your vendor:
- Confirm the vendor is protecting data. The details of this process should already be documented in an incident response plan, so verify that the vendor is taking the steps it describes. Follow up with your vendor on an ongoing basis to make sure the data remains protected.
- Refer to your contract. Ideally, data breach notification requirements will be included in your vendor contract. Trust can be easily broken during a data breach and it’s a good idea to refer to your contract to ensure that the vendor is meeting their obligations.
- Set expectations about the next steps. When the data breach originates in your vendor’s system, you’ll want their cooperation in performing deep audit testing. A vendor that isn’t willing to cooperate is a red flag that the partnership isn’t healthy.
After a Data Breach: What to Do for Your Customers
A vendor data breach that impacts your customers may seem catastrophic in the moment, but there are steps you can take to limit the impact and protect your reputation:
- Notify your customers. One of the worst things you can do is delay notifying your customers about the breach. News travels quickly and you don’t want your customers to see negative headlines before you’ve even notified them.
- Offer credit monitoring. Your customers will understandably be concerned if their non-public personal information (NPPI) has been exposed in a breach. Certain information, such as Social Security numbers, generally stays the same throughout a person’s lifetime, so consider offering credit monitoring services to decrease the risk of identity theft.
- Strengthen user authentication. If your customers have access to online tools, make sure that the user authentication procedures are updated to be more robust. This can mean implementing multi-factor authentication (MFA) if not already in place.
After a Data Breach: What to Do In Your Organization
Even though the breach occurred externally in your vendor’s system, there are several things you’ll need to do internally with your organization. The following activities should be included in a remediation policy that will lessen the impact after a breach:
- Verify the scope. Whether the breach affected one individual or multiple customers, you’ll need to understand how many people are involved.
- Notify external parties. Depending on your industry, you may need to contact law enforcement, regulators, or the State Attorney General after a breach occurs.
- Analyze the root cause. It’s essential to understand why and how the vendor data breach occurred so you can use that information to strengthen your information security system.
- Assess your security processes. Take the time to review your current processes to identify any other gaps that may have been overlooked.
- Document the incident. Dealing with a breach can be stressful, but don’t forget to document all the details along the way. It’s a good idea to include the initial communications with your vendors and customers and any internal updates you make within your security processes.
3 Mistakes to Avoid When Responding to a Vendor Data Breach
Responding to a vendor data breach can be a stressful situation, even if you’re fully prepared and understand exactly what to do. As you’re remediating the issue with your vendor, customers, and your organization, be sure to avoid these three mistakes:
- Passing the blame. It might be tempting to shift all the blame to your vendor, but remember that your customers and regulators will ultimately expect your organization to take responsibility to investigate the breach and strengthen your existing information security processes.
- Performing a weak assessment. After a breach, take the opportunity to do a thorough security assessment to learn more about what did and didn’t work. You may discover additional security gaps that were previously overlooked.
- Going back to business as usual. There’s no use in performing an assessment and root cause analysis if you’re just going to continue using the same security procedures. Learn from the incident and apply that knowledge so you are better protected against the next vendor data breach.
Cyberattacks and data breaches are constantly evolving, and it’s unrealistic to think that you can fully prevent one from impacting your vendors and your organization. The key is to understand what to do when one occurs so you can respond quickly and protect your customers’ data.