Does your business work and share confidential information with third-party vendors? If so, there are several things that you should keep in mind about the vendor relationship to protect yourself and your business. Because you are obligated to ensure that your vendors keep your information secure, issues may arise if their business practices and standards aren’t necessarily the same as yours. There are a few ways to protect you and your business on this front.
To begin with, it’s always good to be clear about the details of your contract. Make sure that you understand the language and the provisions that are included or that need to be added. You should review your contracts carefully, paying close attention to the details of the agreement and how they apply to your business. For example, how does the contract address your liability versus your vendor’s liability? If problems arise, does the contract require the vendor to cover or indemnify you?
Your next step should be to research your vendor’s data security practices, which should be as good as or better than your own. For instance, your business may be careful about sharing information online, but that doesn’t necessarily mean that a third party will do the same. To help avoid issues, you should become familiar with your vendor’s data security policies and procedures and make sure that the vendor complies with them. You should do this at the beginning of the relationship and should monitor compliance periodically throughout the contract term. Additionally, your contract with third-party vendors should require that they adhere to their specified security standards and procedures and that they indemnify (i.e., cover) you for any losses that you suffer because of their failure to protect information. Since you will be depending on your vendor’s security to protect the personal and financial information that you share with them, it makes sense for you to be mindful of their standards, to make certain that they are followed and to ensure that you are compensated if you suffer a loss because of their failure to follow them.
Finally, your third-party vendors should also confirm that they have the cyber insurance appropriate and necessary to cover you in the event of a breach. In fact, if and where possible, the vendor should name your business as an additional insured on its policy.
In sum, when working with third-party vendors is necessary for your business, you should consider the expanded liability that may accompany that relationship. In addition to making sure that the vendors you work with are qualified and responsible, you may want to consider working with a knowledgeable business and data security lawyer to ensure that liability is properly addressed and your business is protected. However, it’s important to remember that consultation with an attorney is most beneficial to you and your business before the contract is signed. Once you’ve signed on the dotted line, so to speak, the extent to which a lawyer can help you protect your business may (depending on the contractual terms) be somewhat limited.
The information presented here is for general educational purposes only. It does not constitute legal advice and does not create an attorney-client relationship.