E-commerce, the internet and the countless ways technology expands your business come with the trade-off of having to provide all the more security for your business. However, you must go further and have a plan and procedures ensuring security by vendors and other business partners. If you don't, you and your customers could pay the price for a security breach.
Technology, especially e-commerce, may require you to work with vendors or business partners to make your business work. All business operations might not be under your roof anymore. You may outsource to provide your product or service, or for services supporting your business. Vendors might handle financial transactions or manage your website or business data. Each function or operation assigned to a vendor presents a chance for a security breach.
Vendors can be located anywhere, and might provide services via access to your systems, or by doing work literally a world away. A vendor can also appear to have a local presence, but where is the actual work done or service performed? It could be next door, a few states or an ocean away.
Your business' procedures for securing personal, private and sensitive information should cover the bases on how it is collected, used, stored, accessed and disposed of. One of the first issues to decide is whether you need to have certain data, and who can access it. These questions apply when using vendors - what do you need to share with them to get the job done? The goal is to minimize the risk for a security breach.
What Is Your Business' Duty to Keep It All Secure?
How far you have to go to meet your duty to protect your business, your customers and avoid claims against you can depend on several sources of law and your business contracts. Using care and diligence in choosing the right vendors is just as important.
Privacy laws. Laws can provide structure for your vendor relationships, including mandates protecting privacy. Laws governing your location or jurisdiction, the vendor's and finally, your customers' locations may apply. For example, if your business is located in one state, your vendor is abroad and your customers are in yet other places, pinpointing which laws apply can be complex. Each set of laws could require something different and to different degrees. Enforcement of these laws is another issue. A foreign country could appear to have stringent security and privacy laws, but lack meaningful enforcement.
Your contract controls. Laws of the places connected to your business, vendors and customers may be unclear. Your vendor contracts, however, can help secure the protection and certainty you're looking for. Your vendor contract could include:
- Threshold privacy provisions based on your business' duties under the law
- Mandates for compliance with your local privacy laws
- Compliance with your company's privacy and security policies
- Disclosure provisions, for example, notice that the vendor is using subcontractors
- Provisions for indemnity if the vendor's breach of privacy or security causes losses to your business
- Clauses stating which law will control if there's a conflict, and in which court claims will be addressed
Draft Your Compliance Plan and Put It in Action
Draft a plan to guide you as you do business with new and existing vendors. Your internal privacy and security policies are a good place to start as you decide what you'll demand from vendors. Compare a vendor's practices and policies to your company's, and pay attention to areas where your company is more stringent. Find out how a vendor will prevent security breaches, and what their response plan is should a problem arise. Also find out how and when you'll be notified should any data or work for your company be compromised.
Demand compliance with your well-planned policies. Reports and updates on your vendor's work, vendor staff training and incidents can help ensure your business is safe and secure.
Questions for Your Attorney
- I canceled a vendor contract due to data security concerns. I don't think there were any privacy or security breaches, so do I need to tell my customers about it?
- I use an out-of-state vendor for data processing and record keeping. Does it have to follow our state's privacy laws?
- Do I need to tell my customers if I'm using a vendor and it has access to their personal information?