By Deborah Shinbein, CIPP/US
Data Law Group, P.C.

This article is the third in a series describing different privacy and security considerations that apply to nonprofit organizations. For Part I of the series, click  here. For Part II, click here.

Most companies, and certainly nonprofit organizations with limited budgets, use third party vendors to host data, process transactions, send mailings, or for numerous other purposes.  However, you may not realize that your third party service providers can pose a substantial risk to your organization’s personally identifiable information (“PII”) of employees, donors, volunteers, grant recipients, or others, or your company’s other confidential information.

It is important to screen vendors to make sure they will safeguard your confidential information and not cause a security breach.  For example, the massive security breach at Target in 2013 was caused by insufficient security of an HVAC vendor, which enabled hackers to access Target’s other systems (however, Target should have segregated their systems to prevent this, as described below). There are steps you can take at each stage of the vendor relationship to improve the odds of choosing the right vendor and avoiding security breaches down the road.

First, do your due diligence when selecting among potential vendors. Create a vendor questionnaire regarding the vendor’s current security policies and procedures, training programs for their employees with access to confidential information, security controls the vendor has in place, procedures for monitoring and testing their security systems, and other applicable questions.  Also ask if the vendor has passed audits and been certified as compliant with any third party security standards such as ISO, SOC, PCI-DSS, SSAE-16, NIST or others.  You may also wish to perform site visits or audits to see if the vendor is complying with its policies.

Next, as you evaluate how to structure the vendor relationship, make sure the vendor does not have any greater access to your PII and systems than needed.  Work with your IT department to segregate systems (so, for example, the system used to manage HVAC is not connected to the system used to process payments) and evaluate how to limit access to only those employees of the vendor who need access in order to perform their duties on behalf of your organization.  Also ensure measures can be implemented to limit access to systems once a vendor is inside your network’s perimeter (many networks guard against intrusion but expect trust once inside the walls).

If PII or other confidential information will be transferred to a vendor for processing, storage, or otherwise, evaluate the optimal point and method of transfer, as the point of transfer can be a vulnerable spot for a breach to occur.  Be sure to design and implement secure methods of transfer and access.   It is also important to determine appropriate data retention and destruction schedules with regard to any PII you are transferring to the vendor, including the required means of disposal (be sure to consider applicable laws).

In addition, to the extent the organization itself is subject to data privacy and security laws or regulations, it may be obligated to ensure compliance on behalf of its vendors.  Some laws require organizations to pass their obligations on to their third party vendors that accesses or receive regulated PII (HIPAA, Gramm-Leach Bliley Act, FERPA, FTC Act enforcements, and more).  Some laws require that entities monitor their vendors with access to PII (the Massachusetts information security law is one example).  Other laws merely require monitoring of vendors but leave the specific procedures up to the entity.

When you are negotiating the contract for services with your vendor, be sure the contract obligates the vendor to comply with all applicable privacy and security laws and regulations to which your information is subject.   Contracts should clarify the ownership and license rights regarding the information, as well as any specific security measures, retention and destruction requirements, who can access the information and when, periodic audit rights, adding your organization as an additional insured on the vendor’s cyber liability policy (to receive coverage if a security breach occurs because of the vendor), requiring the vendor to indemnify your organization for breach related liability, detailed confidentiality obligations, and more.    Be sure you have the ability to terminate the vendor relationship early if you are not satisfied with the vendor’s security performance over time.

In addition to following these measures with new vendors, don’t forget about the vendors you already have in place.  There is nothing restricting you from asking the same questions at this point, as this may impact your decision whether to terminate existing vendors or whether to renew the agreements when the time comes.  Even if a current agreement can’t be modified, vendors may be willing to engage in additional security precautions on your behalf in order to keep their key clients happy (and to prevent a breach, which would harm their own reputation and client relationships as well as their relationship with your entity.

This article should not be construed as legal advice, and no attorney-client relationship is formed by reading this article or contacting the author.

For further information, please feel free to contact Deborah Shinbein at deb@datalawgroup.com or visit www.datalawgroup.com.