Data Breaches, State Notification Requirements and Third Parties


Data breaches are not a new phenomenon impacting consumers, but based on the increased frequency reported in the media, the volume of reported breach incidents is likely to increase. The risks of a data breach are commensurate with the sheer volume of our digital footprints.

State Breach Notification Laws

As financial services companies embrace additional layers of technology to push the consumer experience, reliance on third party vendors that access and store consumer personally identifiable information (PII) may increase. As a result, consumer data may be shared across multiple affiliated or unaffiliated businesses as part of the behind-the-scenes work of processing a transaction.

The implications of a data breach aren’t limited to the reputational fallout. Nearly all states now have a data breach notification law, and while each state has different requirements, it’s important for both the financial services company and the third party vendor to be aware of each regulation. Check out your state's security breach notification laws here.

Failure to understand your regulatory commitments under these state regulations is worrisome. One recent survey disclosed that over 34% of organizations felt that their third party vendor would not disclose a data breach to them. That level of mistrust increased significantly, to over 70%, when the question was whether a fourth party vendor that suffered a breach would most likely fail to report it.

It’s important to recognize that while a data breach is commonly associated with a cyber attack, data breaches may also be caused by internal staff, for both intentional and unintentional reasons. Sending an email containing PII to the wrong email address would warrant a review, and accessing consumer data with the intent to resell it is easily achieved at the internal level.

To put the dangers of a data breach into context, let’s look at the Commonwealth of Massachusetts. Based on our research, prior to 2007, there were no records maintained by MA regarding data breaches. 

The Massachusetts AG website states:

Since November 2007, the AG’s Office has received notice of more than 21,000 breaches, with 3,821 breaches reported in 2017 affecting more than 3.2 million residents.

Earlier this year, MA implemented an online data breach notification portal so a business can more efficiently report data breaches. The Massachusetts Data Breach Notification Law, M.G.L. c. 93H, also requires that third parties report the breach not only to the state but also to the impacted consumer. You can visit the data breach notification link for Massachusetts here.

Examples of Recent Data Breaches and Vendor Involvement

Take the most recent Equifax breach, for instance. It would require a widespread notification effort, and while notifications may be communicated electronically or via mail, other regulations must also be complied with, such as the E-SIGN regulation, which requires a consumer to elect to receive email notifications. Data breaches, therefore, can be a headache for the compliance department of any institution that must manage through this nightmare (and I think we can agree this is a nightmare scenario). A breach can result in changes in leadership, a hit to financial strength, reputational damage and increased litigation risk.

The Target breach in 2014 is another example, not only of the increasing propensity of breaches but also of how third parties are connected. The MN-based retailer stated that approximately 70 million customers were impacted by the breach, which was traced back to a third party vendor.

In both of the aforementioned data breaches, the incident was traced back to a third party vendor of the organization. This demonstrates the importance of effective third party risk oversight programs and the responsibility we must adopt for them.

The Notification Laws Are Changing

While more states in recent years have adopted data breach notification laws, it’s notable that several states are also amending the laws to include items such as offering free credit identity theft protection. Much of this is in response to the fallout from the Equifax data breach, which impacted over 143 million consumers.

Other amendments include the "who" and "when" to report the data breaches. Some states require the breach to be reported to the state attorney general's office, law enforcement or the Internal Revenue Service prior to the individual.

Data breaches do not discriminate and, therefore, it’s important that each financial services company and third party understand the notification requirements. Failure to do so can have a catastrophic impact on both of your organizations.
