Don’t forget to close the back door: Vendor management and privacy

Inside Counsel

Authored Article


Though this task might seem daunting, there are a few initial steps to take to begin

When you enter into a contract with a vendor that will access, use or disclose your customer or employee personal information, assume that you are responsible for any unauthorized access to, use, or disclosure of that protected information, whether by the vendor or a third party. This is true if the vendor or its employees misuse the protected information directly or if the vendor is hacked, as with Target’s HVAC provider. In that incident, the HVAC company didn’t even have direct access to protected information; the hackers allegedly worked their way from the HVAC vendor’s computer into Target’s vendor system and then into a protected database.

It is crucial, then, to see all vendors as a potential back door into your protected information. In fact, companies likely must cope with securing an exponential number of back doors, depending on the type of information, their industry, and applicable domestic or international laws. Though this task might seem daunting, there are a few initial steps to take to begin.

First, identify the back door, or series of back doors, to your protected systems or information. One involves your vendors. Are there any others, such as vendor subcontractors or employees?

Second, assess the risk inherent in each back door. Is any back door located in a target industry, such as financial institutions or government agencies? Are there any offshore back doors? Is there any existing external mitigation of risk, such as regulatory supervision or independent auditing of security functions? What vulnerabilities does each back door have to particular types of hackers or data breach attacks?

Third, decide on how to close, lock and secure the keys to each back door.

The federal cybersecurity framework offers a general methodology for this process, particularly steps one and two. Both U.S. and international data breach security reports also provide a variety of ways to assess and address risk. This includes identifying common types of data breaches or threat actors as Verizon and Symantec do, or providing a specific rubric for developing risk mitigation programs, as seen in this Ponemon report. If the protected information is subject to federal or state law, the related statutes and regulations often provide broad guidelines and requirements addressing vendor risk. More focused guidance may be found at the regulatory or industry level as well, such as the Consumer Finance Protection Bureau’s GLBA exam manuals or BITS vendor management assessment tools.

Identifying and assessing back doors is only two-thirds of the process, however. The final step involves closing and locking them, and securing the keys. This involves contracts and active vendor compliance monitoring. You close the back doors by stipulating in contracts that vendors must adhere to specific security standards and procedures. Contracts should also stipulate specific insurance coverage, and that your company be added as a named insured. You then lock back doors by requiring sufficient reporting by the vendor and frequent monitoring of vendor compliance through regular direct audits and assessments, independent audits, or a combination of both. Provide for self-reporting by the vendor of relevant breaches of data or related systems. Secure the keys by implementing specific remedies for failures, such as suspension or early termination, indemnification, and other breach or termination assistance.

By thinking of vendor information security risk as a series of back doors to your information and systems, you incorporate these vendors into your overall information security program and provide tools for assessment, identification and mitigation of risks. You also provide for greater resilience in the event of a breach.

Republished with permission. This article first appeared in Inside Counsel on June 12, 2014.