Chris Allyn of Ally Law member firm Moye White, located in Denver, Colorado, offers some basic guidelines on how to reduce your cybersecurity risk profile. The steps she outlines can be taken with minimal resources and without significant amounts of technological sophistication. She suggests three basic areas of inquiry as you engage third-party vendors who will have access to your systems.
First, perform vendor due diligence before the engagement. Consider creating and consistently using a standard data privacy and security vendor assessment questionnaire. Include basic due diligence questions as well as simple technology questions. Tailor the questionnaire to address issues important to your organization as well as any applicable laws, regulations, and/or industry standards of which you are aware.
Second, ensure that appropriate contractual provisions are in place. While most vendors will want to use their own terms and conditions, those terms are not geared to protect your organization. Consider creating and consistently using a standard data privacy and security addendum that includes appropriate terms to ensure your vendors are protecting your data and systems in a manner that, at least: (1) meets or exceeds your organization’s own practices; (2) adheres to your organization’s policies and procedures; and (3) complies with applicable laws, regulations, and industry standards.
Finally, manage your vendor and the relationship once established. This will include monitoring performance and compliance, identifying potential issues that could impact your data privacy and security, and determining a process for protecting your organization after the relationship has ended.
Data privacy and security laws and regulations vary by jurisdiction, and your vendor should be well aware of any and all that might impact your business. Considering the sensitivity of putting your data in the hands of outsiders, and the complexity of many such vendor contracts, you would be well advised to speak with the data privacy and security attorneys at your Ally Law member law firm. For more information about our services in this area, contact us at firstname.lastname@example.org.