Software

Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Overview
Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit


Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

VX LP Sequence USE FOR CORPORATE SITE-thumb
Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.

CREATE FREE ACCOUNT

Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 

Industries

Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

1.7.2020-what-is-a-third-party-risk-assessment-FEATURED
Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.

DOWNLOAD SAMPLES

About

Venminder is an industry recognized leader of third-party risk management solutions. 

Our Customers

900 organizations use Venminder today to proactively manage and mitigate vendor risks.

Get Engaged

We provide lots of ways for you to stay up-to-date on the latest best practices and trends.

Gartner 2020
Venminder received high scores in the Gartner Critical Capabilities for IT Vendor Risk Management Tools 2020 Report

READ REPORT

Resources

Trends, best practices and insights to keep you current in your knowledge of third-party risk.

Webinars

Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars

 

Community

Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

Subscribe

 

Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

resource-whitepaper-state-of-third-party-risk-management-2021-cropped
State of Third-Party Risk Management 2021

Venminder’s State of Third-Party Risk Management 2021 survey provides insight into how organizations are managing third-party risk management in today’s increasing regulatory and risky climate.

DOWNLOAD NOW

Ballard Spahr's Privacy and Data Security Group

Ballard Spahr LLP, an Am Law 100 law firm with more than 500 lawyers in 15 offices in the United States, provides a range of services in litigation, business and finance, real estate, intellectual property, and public finance. Our clients include Fortune 500 companies, financial institutions, life sciences and technology companies, health systems, investors and developers, government agencies and sponsored enterprises, educational institutions, and nonprofit organizations. The firm combines a national scope of practice with strong regional market knowledge. For more information, please visit www.ballardspahr.com.

Legal Insight: Colorado Enacts Groundbreaking Privacy and Cybersecurity Legislation

Ballard Spahr attorneys David Stauss and Gregory Szewczyk will host a webinar on Monday, June 4, 2018, at noon PT/1 p.m. MT/3 p.m. ET to provide an in-depth analysis of the new law and to discuss what covered entities must do to ensure compliance. Messrs. Stauss and Szewczyk are uniquely situated to discuss the new law, having assisted in developing the legislation, including Mr. Stauss testifying on the bill in front of the House Committee on State, Veterans, & Military Affairs. Click here for more information and to register.

The most notable provisions of the new law are discussed below.

Data Security Requirements

For the first time, covered entities that maintain, own or license “personal identifying information” (PII) of a Colorado resident are required to implement and maintain reasonable security procedures and practices that are “appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.”

The law defines PII broadly to include a social security number; personal identification number; password; pass code; official state or government-issued driver’s license or identification card number; government passport number; biometric data; employer, student or military identification number; or financial transaction device (as defined in C.R.S. § 18-5-701(3)).

Covered entities also must take measures to protect PII when transferring it to third parties. Unless a covered entity agrees to provide its own security protection for the information it discloses to a third-party service provider, the covered entity “shall require” the third-party service provider to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the PII disclosed and reasonably designed to help protect the PII from unauthorized access, use, modification, disclosure, or destruction. A “third-party service provider” is defined as an entity that “has been contracted to maintain, store, or process personal information on behalf of a covered entity.”

The law also requires covered entities that maintain electronic or paper documents that contain PII to develop a written policy for the destruction of such documents when they are no longer needed.

The Attorney General’s office is authorized to enforce these new requirements and may bring an action in law or equity to ensure compliance or recover direct economic damages resulting from a violation.

As a consequence of these new requirements, covered entities should consider developing and implementing written information security programs that include appropriate administrative, technical and physical safeguards for the types of PII that they maintain, own or license.

Changes to Colorado’s Breach Notification Law

The new law strengthens and expands Colorado’s data breach notification law. Perhaps the most significant change is that covered entities now must notify affected individuals within 30 days after determining that a security breach occurred that resulted in, or is likely to result in, misuse of personal information. Colorado’s 30-day deadline is the shortest of any state. Florida also has a 30-day deadline but allows for an additional 15 days under certain circumstances.

The new law drastically expands the types of information that will trigger a breach notification obligation if compromised. Specifically, the law defines “personal information” to mean a Colorado resident’s first name or first initial and last name in combination with any of the following data elements: social security number; student, military or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data. The definition also includes a Colorado resident’s username or e-mail address in combination with a password or security questions and answers that would permit access to an online account or a Colorado resident’s account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account. However, a covered entity does not need to provide notice if the information was encrypted unless the encryption key also was compromised.

Importantly, the law does not create exemptions for entities subject to reporting requirements under the Gramm-LeachBliley Act or HIPAA. Rather, if there is a conflict between the 30-day time period for providing notice under Colorado law and a time period in another federal or state law, the law with the shortest time frame for providing notice controls.

The law also specifies what type of information must be included in the notice, such as a description of the PII involved in the breach, the date or estimated date of the breach, and contact information for the Federal Trade Commission and credit reporting agencies. If the breach involves the compromise of login information, a covered entity also is required to notify individuals to change their login information for that account and any other account that uses the same login information.

A covered entity must notify the Colorado Attorney General’s office if it provides notice to 500 or more Colorado residents, and it must notify credit reporting agencies if it is provides notice to more than 1,000 residents.

If a third-party servicer provider experiences a data breach, it must notify the covered entity “in the most expedient time possible, and without unreasonable delay.”

As with the new data security requirements, the Attorney General’s office is charged with enforcing violations of the notification requirements. However, a covered entity that maintains its own notification procedures as part of an information security policy that is consistent with the new law is in compliance with the law’s requirements if the covered entity follows those procedures. Therefore, to ensure compliance, covered entities should consider developing and implementing incident response plans that are consistent with the new law.

Finally, the law adds new provisions that create similar obligations for government entities.

The law will become effective on September 1, 2018.

In light of all the recent attention to cybersecurity, it's a good idea to verify your vendor's approach to keeping your data safe. Download our infographic now.

Creating an Effective Vendor Contract Management System eBook

Read

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo