For vendors, suppliers and other companies providing outsourced services, components or supplies, and for the customers of such services or suppliers, 2016 means an increased demand on your limited time and manpower to respond to or review information security risk assessments, host or perform audits, and generally oversee or be subject to oversight.

Companies often hire third parties to perform a range of on-site or remote services, from landscaping, security, plant care or cleaning, HR screening, onboarding, payroll or benefits, and product development, to office, treasury or IT services. In addition, many companies have component or material suppliers with whom they share proprietary information and trade secrets. Leveraging the talent and resources of an experienced niche developer, vendor or supplier can often be the key to a company's success. And while working with or as a vendor or supplier frequently reduces a company's costs and provides it flexibility, these relationships can also create information security risks for both parties, including the risk that a data security incident involving the vendor or its employees will result in the loss or theft of the company's critical and valuable information, or will adversely affect deadlines, deliveries or lead times. These delays or losses could put the company in breach of its contracts with its customers, or at odds with its shareholders or regulators.

The growing realization that "outsourcing the project or the function does not mean outsourcing the risk" has prompted companies (as the customer) to focus increasingly on assessing, minimizing and managing these information security risks. The focus begins with information security assessments when initially selecting a vendor or supplier, and continues throughout the relationship through audits, site visits and periodic review. We expect to see an even more heightened focus on information security risks in 2016. For the company as customer, this focus is usually just an extension of the company's larger quality control or risk management function. For many niche vendors and suppliers, where people wear multiple hats, this focus can be an unexpected, unbudgeted cost. Additionally, without some planning, an outsourcing organization working with multiple accounts can find itself in constant audit mode in response to these requirements.

On the flip side, while there are costs and resources required, strengthening or adopting better information security practices often comes with several benefits. Vendors and suppliers often reduce their risk of a data security incident or breach by making changes as part of a customer's risk assessment process or as part of a third-party certification process such as ISO 27001, which is designed to help organizations keep information assets secure. Vendors and suppliers who have taken these steps can market their efforts and certifications in RFP responses and proposals, which may help them obtain even more business. Additionally, vendors and suppliers who play a particularly strategic role in a customer's services or product development, and/or who share their own proprietary information with a customer, may also want to know more about the customer's information security practices.

As there is little chance the increased focus on information security will go away anytime soon, taking the time early in 2016 to strategize about how to better respond to the increasing focus on information security risks will undoubtedly benefit vendors, suppliers and their customers.


Kathy Porter’s practice straddles the areas of intellectual property, business transactions, trade regulation, and Internet law and includes import/export control issues, such as compliance and enforcement, competition, privacy, and data security. She counsels businesses on the development and implementation of data security and privacy practices to comply with the patchwork of laws and rules applicable to the collection, use, safeguarding, sharing, and transfer of protected or personal data. She regularly structures arrangements with promoters, marketers, website exchanges, and other third parties for the purchase, sale, sharing, and safeguarding of personal data. Kathy prepares and negotiates representations, warranties, and indemnities regarding personal or protected data and privacy and data practices. She also assists clients with privacy audits and works with third-party certification organizations to obtain certification of companies’ privacy practices. She guides clients through internal investigations to assess and address notice and other obligations regarding privacy breaches. Kathy often works closely with our litigation attorneys to manage external investigations such as those by federal or state regulators. Read her rc.com bio here.