Vendor Contract Confidentiality and Security

Video Transcript

Welcome to this week’s Third Party Thursday! My name is Ashley Roberts and I am one of the In-House Paralegals here at Venminder. Today we are going to talk about entering into third party agreements. 

Third party vendor agreements can range anywhere from your:

• core processor 
• to the vendor that provides your internet services
• to your janitorial services provider

Even though each agreement includes different contractual terms, there are 5 security and confidentiality provisions which should always be addressed. 

1. The agreement should first identify what constitutes “confidential information”. For example, customer names, addresses or bank and credit card account numbers. It should also specify proprietary information such as trade secrets or operational instructions.  

2. Second, the agreement should state how your confidential information, as well as your customer’s data, will be protected. The agreement should include the specific steps your vendor will take to safeguard this information such as:

• • Protection against destruction
  • Unauthorized access, or mishandling 
  • And how will they dispose of your data.

Did you know that as a part of the GLBA and the FTC, you are responsible for keeping your customers information secure? 

This bring us to the third Security and Confidentiality provision. 

3. If the vendor were to share your information or your customer's data to a third party such as a subcontractor or an auditor, is there something in place to protect this information? The agreement should also address the vendor's obligation to notify you prior to releasing any information. This will allow you the opportunity to dispute the release or to seek a protective order. 

4. The fourth provision is cyber, security and confidentiality threats. The agreement should require your vendor provide you the Incident Response Plan. This plan should include specific steps to be taken in the event that your vendor detects unauthorized access such as:

• • The timeframe in which they must notify you,
  • The steps taken to ensure the security breach has ceased,
  • How the vendor will investigate and report all findings,
  • The vendors responsible to identify what information was compromised and
  • The mitigation steps to prevent any future breach or intrusion.

On top of providing an Incident Response Plan, the agreement should also state that the vendor will: 

• • Monitor its systems and procedures to detect actual or attempted security attacks
  • Provide you with an annual vulnerability assessment and
  • Your right to audit the vendor on an annual basis or in the event of an intrusion incident 

This will ensure your third parties processes for identifying, investigating and escalating incidents meet your expectations and regulatory requirements. 

5. Finally, the agreement should include what remedies are available in the event of a security breach. The NAFCU released an article in 2015 called Economic and CU Monitor. It stated that institutions “spent an average of $226,000 and an estimate of 1,600 hours on debit and credit fraud issues resulting from merchant data breaches.”

To reduce your potential liability, the contract should state that the vendor is liable for costs and expenses in the event that a security breach is the result of or attributed to: 

• • the vendor,
  • its subcontractors or 
  • any third-party whom they discloses your confidential information or your customer’s data to

The agreement should provide the vendors responsibility for the following defaults:

• • Failures to perform security and confidentiality obligations
  • Mishandling confidential information
  • Breach of confidentiality or data security obligations

Inadequate security and confidentiality provisions can impact your customers, your business operations and expose your business to further liability.

Your vendor's security programs must be consistent with your business policies and practices regarding security and confidentiality.

Whether the vendor is critical or low risk, you have an obligation to safeguard and properly dispose of your customer's data. Entering into a contract without assessing your third party’s security and confidentiality provisions can negatively impact your business and your customers.

Again, I’m Ashley and thank you for watching! Don’t forget to subscribe to next week’s Third Party Thursday video.