Vendors and Your Data… Are You Protected?

5 Practical Tips For Protecting Your Business Priorities With The Right Agreement

By Pat Bohnenkamp

1. There is no cookie cutter approach. But there is a systematic approach.

How you protect your data depends entirely on your specific situation.  It depends on the type(s) of data you are processing, the nature of the product or service you're buying, and the regulatory environment in which you operate.  There is no one right answer.  As such, to contract effectively for third-party data protection, you must first have a reasonably mature internal data protection program with appropriate policies and processes; this forms the basis for the approach you take with your third-party suppliers.  With that said, there are two key terms to secure when negotiating SaaS or cloud-type agreements with vendors.  First, secure the right to review key attestations, such as the SOC 2 Type 2 report, as well as penetration test results.  It's paramount to have a resource with sufficient expertise to review and assess these documents.  Second, secure the right to terminate the agreement if: 1) timely access to the attestations is not provided, 2) the vendor doesn't promptly remedy deficiencies identified in the attestations, or 3) there is a data breach.  Finally, ensure that the agreement obligates the vendor to notify you, in a timely manner, of any actual or suspected data breach.

2. Do your due diligence BEFORE the clock pressures you into a bad contract.

As with any vendor contract, it is in your best interest to allow yourself time for proper due diligence.  With very few exceptions, rushing into a vendor relationship creates more danger to your strategic business priorities than benefit, because important details will be missed.  Invest the necessary time in assessing the nature of the data being processed by any third-party vendor and in understanding the specific regulatory requirements for data protection.  In my recent work for a large, multinational professional services firm, we worked a contract for an IT-security Software-as-a-Service product.  The Client was under tremendous pressure that they had artificially imposed on themselves.  In digging into the terms of one of the specific service offerings, it became clear that the service involved the vendor scanning every email communication of our Client: a highly sensitive issue, particularly in light of the nature of some of their services.  I set up a call to talk through the vendor's data protection and security measures, specifically whether they were compliant with the EU privacy directive.  They acknowledged they were not compliant, a non-starter.  When I communicated this to the Client, their response was, "But they're an IT security vendor!  They have to offer adequate data protection!"  No... no, they don't.  Don't assume that IT security vendors know more about data protection than any other IT vendors.  Leave yourself time to properly vet your vendors.  A few days or weeks of appropriate due diligence is a far better investment of time than the months or years of lost time and damage done as the result of a data breach, accidental or otherwise.

3. Make your mountain into a molehill. "War game" your worst-case scenario with each vendor.

As part of your due diligence, have the vendor describe to you in detail how they work to avoid, or mitigate the effect of, data protection breaches. Also require them to walk you through exactly what a data protection breach means to them.  What is their communication plan (see below)?  What forensic activities would be performed to assess the scope and scale of the breach, and the impact on your data?  What are the specific backup and disaster recovery activities that would be performed, and how quickly would you be back up and running?  If the first time you talk through these things is during a data breach crisis, you’ve already lost.

4. Write your communication plan expecting a data protection issue.

In the event of a data breach, communication is key.  As mentioned above, you will want to ensure that your agreement obligates the vendor to communicate with you, in a timely manner, in the event of an actual or suspected data breach.  When, a few years ago, it leaked that Adobe had suffered a large breach that included source code for several products, two of our Clients, both of whom happened to be Adobe customers, were frantically trying to speak to someone at Adobe to gather more details about the breach (to better understand the potential impact to their data).  Even though I'd drafted their agreements to require communication, both found it very difficult to get answers, and both identified it as one of the most frustrating times for their data protection teams, because they didn't know the nature or scope of the risk.  Eventually, each used its own backchannels to get the information they needed.  Which brings us to our second point: while it is prudent to secure contract language obligating communication, that doesn't guarantee communication (especially a level of communication that you find satisfactory).  So, for critical services, ensure that you have a good relationship not only with your sales rep and applicable VP of sales but, to the extent possible, with executives as well.  This may very well be the path to proper communication in a crisis.

5. When in doubt, get out.

Our discussion has been largely focused on due diligence and proactive protections.  However, a very sharp CIO once told me that she treats vendor contracts like a prenup. And we all know that the only time a prenup matters is if there’s a divorce.  If there is a data breach, or if you’re not receiving reasonable opportunity to review attestations, or if deficiencies identified in the attestations aren’t being remedied in a reasonable timeframe, then you must have the right to terminate the agreement, without penalty, and move on.  Having the right to terminate doesn’t mean you must terminate. But having the option to do so gives you leverage with the vendor that you might be able to use to your advantage and, of course, it gives you the freedom to choose to move on, if needed.  Without that lifeboat, however, you could find yourself stuck on a sinking ship.
