Welcome to this week’s Third Party Thursday! My name is Ashley Roberts and I am one of the In-House Paralegals here at Venminder. Today we are going to talk about entering into third party agreements.
Third party vendor agreements can range anywhere from your:
Even though each agreement includes different contractual terms, there are 5 security and confidentiality provisions which should always be addressed.
1. The agreement should first identify what constitutes “confidential information”. For example, customer names, addresses or bank and credit card account numbers. It should also specify proprietary information such as trade secrets or operational instructions.
2. Second, the agreement should state how your confidential information, as well as your customer’s data, will be protected. The agreement should include the specific steps your vendor will take to safeguard this information such as:
Did you know that as a part of the GLBA and the FTC, you are responsible for keeping your customers’ information secure?
This brings us to the third Security and Confidentiality provision.
3. If the vendor were to share your information or your customer's data with a third party such as a subcontractor or an auditor, is there something in place to protect this information? The agreement should also address the vendor's obligation to notify you prior to releasing any information. This will allow you the opportunity to dispute the release or to seek a protective order.
4. The fourth provision is cyber, security and confidentiality threats. The agreement should require your vendor to provide you with the Incident Response Plan. This plan should include specific steps to be taken in the event that your vendor detects unauthorized access such as:
On top of providing an Incident Response Plan, the agreement should also state that the vendor will:
This will ensure your third parties’ processes for identifying, investigating and escalating incidents meet your expectations and regulatory requirements.
5. Finally, the agreement should include what remedies are available in the event of a security breach. The NAFCU released an article in 2015 called Economic and CU Monitor. It stated that institutions “spent an average of $226,000 and an estimate of 1,600 hours on debit and credit fraud issues resulting from merchant data breaches.”
To reduce your potential liability, the contract should state that the vendor is liable for costs and expenses in the event that a security breach is the result of or attributed to:
The agreement should provide the vendor's responsibility for the following defaults:
Inadequate security and confidentiality provisions can impact your customers and your business operations, and expose your business to further liability.
Your vendor's security programs must be consistent with your business policies and practices regarding security and confidentiality.
Whether the vendor is critical or low risk, you have an obligation to safeguard and properly dispose of your customer's data. Entering into a contract without assessing your third party’s security and confidentiality provisions can negatively impact your business and your customers.
Again, I’m Ashley and thank you for watching! Don’t forget to subscribe to next week’s Third Party Thursday video.