
Know thy vendor's vendor.....

Written by Amy Malone

Amy Malone is attending the Data Protection & Privacy Law Conference in Arlington, Virginia this week and will be providing updates.

The pre-conference workshops at the Data Protection & Privacy Law Compliance Conference have begun! The first workshop covered managing the risk of third-party vendors. An important element of ensuring the security and privacy of your vendors is finding out what vendors your vendors are using. As we all know, you can outsource the work, but not the responsibility. And all too often the vendors we entrust our information to are also using vendors, increasing the risk that a data breach will occur. As reported in the workshop, 39% of data breaches involve information held by a third party.

While a solid business practice is to include language in your vendor agreement restricting your vendor from using vendors, this often only works for the biggest of organizations. An avenue for smaller companies is to request that your vendors provide a material list of the vendors they use and the security controls implemented by those vendors. This will help you analyze the level of risk associated with your vendor and determine if you are in compliance with regulations applicable to your organization. In addition, the risk level will dictate the frequency of security audits and on-site visits. The key to managing the risk of using vendors is reducing the number of unknowns!

Mintz Levin will be producing a series of Privacy webinars starting in the fall.   Vendor management will be a key topic.  Stay tuned for further information!




Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.