Vendor Risk Management – Ten Questions to Ask Your Technology Vendors

February 18, 2021

By
Lynn H.Wangerin
Member, Stoll Keenon Ogden PLLC
(502) 560-4283
lynn.wangrin@skofirm.com

With the current focus on data privacy and security as well as the growing use of technology in your business, do your agreements with vendors contain the protections you need? Simply because you engaged a vendor for a particular task will not necessarily protect you from the potential for losses. Unfortunately, liability related to data breaches through vendors is common. Thus, it is all the more important that vendor engagements be drafted and entered into carefully, considering the vendor’s obligations to you for protection and compliance.

There should always be an assessment of what information/data a vendor will have access to, what data a vendor will store and process, and whether and how a vendor may use that data. For example, is personal information included and is that personal information particularly sensitive? Is there confidential business information involved, and how confidential is it – “bet the business” information or simply something you would like to keep confidential?

There is often an assumption that the agreement a vendor presents is non-negotiable, but that is not always the case. Even if the agreement is non-negotiable, the following questions should be asked and answered to assess any potential risks– sometimes another path is better. Also, in some cases certain risks can be mitigated by, for example, using a numeric system instead of including identifying information of individuals.

Here are ten questions to ask your technology (and perhaps other) vendors:

1. If there is a need to add users or otherwise broaden the scope of the services during the term of the agreement, is the cost to add users, etc. covered in the agreement or is the addition at the “then-current” price? Are the additions co-terminus with the term for the initial scope?
2. What security measures does the vendor have in place and what are the security obligations, if any, in the agreement?
3. Are there sufficient limits on the access to and use of your data by the vendor? Can the vendor, for example, use your data for its own business and contact your customers?
4. Is the vendor’s access to and use or processing of your data sufficiently covered in your privacy policy?
5. If the vendor’s system is breached, is there a requirement to notify you? To provide you updates on the status? Can the vendor notify your customers of the breach? What, if any, are your remedies for the breach?
6. Is the vendor required to make backups of your data? How long are they kept?
7. Is the vendor providing any warranty (many technology agreements do not provide any warranty and disclaim all implied warranties)? If so, what is the remedy for breach of the warranty?
8. Is there a service level obligation of some sort included – both with respect to responding to issues and, if applicable, an uptime obligation (that is the percentage of time the vendor represents the system will be useable and not off line), or an availability commitment? What are the remedies for failure – are only “credits” allowed with no right to terminate for significant downtime?
9. What are the limitations on the vendor’s liability for breach (most vendor agreements provide for significant limitations on what you might recover)? Is the vendor required to carry insurance and, if so, is your business listed as an additional insured?
10. At the end of the term of the agreement, how do you get your data back if needed? In what form is it provided? Do you need the vendor‘s help and, if so, is there a cost? Also what is the vendor’s deletion/destruction or ongoing protection obligations?

If you would like to further discuss these contracting issues, please contact us.

****

Stoll Keenon Ogden understands that these are trying times for our clients and our country. Our firm operations have continued uninterrupted and our attorneys are equipped to serve as we always have – for more than 120 years.

The firm’s Privacy & Information Security practice helps its clients identify risks and mitigate their exposure and liability when engaging service providers and when criminal activity or internal technology failure results in lost or compromised customer and/or company data. When working with vendors there may be additional risk in the event of a data breach, and it’s imperative to show reasonable steps were taken to protect data.

Please also be sure to consult the Stoll Keenon Ogden Coronavirus Resource webpage for additional articles and information related to the latest information on new laws and directives enacted by federal, state, and local governments in response to the Coronavirus pandemic.