The SolarWinds hack highlights the critical need for organizations of all sizes to include cyber supply chain risk management as part of their information security program. It is also a reminder that privacy and security risks to an organization’s data can come from various vectors, including third party vendors and services providers. By way of example, the Pennsylvania Department of Health recently announced a data security incident involving a third-party vendor engaged to provide COVID-19 contact tracing. The personal information of Pennsylvania residents was potentially compromised when the vendor’s employees used an unauthorized collaboration channel.

Protecting against these risks requires maintaining and implementing a third-party vendor management policy, a critical and often overlooked part of an organization’s information security program.  Appropriate vendor management helps guard against threats to an organization’s data posed by authorized third parties who have direct or indirect access. Risks can include data breaches, unauthorized use or disclosure, and corruption or loss of data. These risks may come from vendors who provide cloud storage, SaaS, payroll processing or HR services, services using connected devices, IT services, or even records disposal.

Robust vendor management policies and practices typically involve three components: conducting due diligence to ensure the third party vendor or service provider with whom the organization shares personal information or to whom it discloses or provides access, implements reasonable and appropriate safeguards to ensure the privacy and security of that data; contractually obligating the third party vendor or service provider to implement such safeguards; and monitoring the third party vendor or service provider to ensure compliance with these contracted provisions.

While vendor management is a best practice, it is also required by certain U.S. federal laws including the Gramm-Leach-Bliley Act and HIPAAstate laws in Massachusetts, Illinois and California, and municipal laws such as the New York Department of Financial Services Cybersecurity Rules (NYCRR 500). In the EU, the European Data Protection Regulation (GDPR) specifically requires a data controller to only use processors (e.g., third party service providers) who provide sufficient written guarantees to implement appropriate technical and organizational measures that ensure the privacy and security of the controller’s personal data.

Aside from mandated vendor management practices, over twenty states including Florida, Texas, Massachusetts, New York, Illinois have laws requiring businesses that collect and maintain personal information to implement reasonable safeguards to protect that data. These states have been joined by the recently enacted California Privacy Protection Act (CPRA) and Virginia Consumer Data Protection Act (CDPA).  Although the majority of these statutes do not define reasonable safeguards, similar to data retention and storage limitations practices, vendor management practices may constitute a “reasonable safeguard.”

The Federal Trade Commission (FTC) took such a position in a Consent Agreement resolving alleged violations of the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. In its complaint, the FTC alleged several violations including a failure to take reasonable steps to select service providers capable of maintaining appropriate safeguards for personal information provided by the company and a failure to require service providers by contract to implement appropriate safeguards for such personal information. The Consent Agreement required the company to establish, implement, and maintain a comprehensive data security program that protects the security of certain covered information (i.e., reasonable safeguards). This requirement specifically includes selecting and retaining vendors capable of safeguarding company personal information they access through or receive from the company, and contractually requiring vendors to implement and maintain safeguards for such information.

Over recent months, companies have faced heightened risks to their information security from threat actors, increased remote work arrangements, and outsourced activities involving sensitive data. These threats, combined with a proliferation of proposed and enacted data protection laws, underscore the importance of implementing, maintaining, and monitoring a robust vendor management program.