Published in the October 2008 Privacy & Data Security Law Journal.
© 2008 Alex eSolutions, Inc.

Vendor Management:
Maintaining Privacy Compliance in
Outsourced Business Relationships

BENJAMIN GERBER AND ADAM C. NELSON

The authors discuss vendor management topics prevalent throughout the year.

Last year, we authored “Protecting Outsourced Data: The Role of the Vendor Management Office,”[1] in which we discussed current issues centering around utilizing vendors who receive, maintain, and/or utilize organizations’ data—in particular personal data of customers and employees. This article is a sequel of sorts. Throughout the year we have had the opportunity to work with numerous customers—as they created their new vendor management organizations, implemented vendor management programs, performed audits and assessments, evaluated results and figured out what to do next. We also regularly have the opportunity to address privacy and security issues from the perspective of an international vendor—interestingly this is often when we have the opportunity to help customers best understand their needs.

This article discusses major themes we found prevalent and some pointers our clients found most useful throughout the year. For the purposes of this article, we use the term “organization” to refer to the group that is utilizing the outsourcing services. First, we will revisit and expand upon our major recommendations from last year.

Vendor Management Review

Vendor Management Office as part of Vendor Management Framework

Identify and classify data

Classify and categorize vendors

Vendor Assessment Activity

Prevalent Issues

Handling Sensitive Data Provided by Vendors to Your Organization

A vendor’s sensitive data is as valuable to it and its employees as your organization’s is to your customers and employees. Your organization may routinely, or only occasionally, find that it has a business need, or a perceived business need, to collect sensitive data from vendors. This most often occurs when vendor personnel will have access to sensitive data or other materials and background checks are required. If this has ever become necessary, or is likely to, your organization should have a comprehensive approach to the handling of sensitive data, PII in particular, collected from third party contractors, vendors, and suppliers.

The common industry standard practice is for the host company to:

An organization with a large volume of government and Department of Defense business will have a much larger volume of statutorily and contractually required visitor background checks than the average company. If this is the case for your organization, your organization may make a business decision to collect PII and conduct third party background checks itself (collecting and maintaining resulting PII). The standards for handling third party PII should be in line with privacy principles applied to handling your organization’s own PII. Keeping in mind that vendors are usually not presented with the same terms and agreements as employees, privacy statements or other descriptions of how the PII will be used and maintained should be available at the point of collection.

Governance

An effective governance framework can ensure the success of a vendor relationship. Effective vendor governance will promote:

Leading practices illustrate several guidelines for the successful integration of a multi-sourcing management and governance model. Some of the keys to your vendor management governance framework may include:

Motivation and Why

The big questions that start with “Why” lead to recurring topics—even with executives who already know it is important to address vendor management and data protection proactively.

“Why are vendors handling data (including access to information systems) different from other types of vendors?”

This comes down to an understanding of one’s business—many truly are information based businesses today. As an example we look briefly at financial services.

Financial services companies have two major assets:

  1. Money
  2. Information

Key points to keep in mind:

“Why should we be concerned?”

Change Is Constant

Successful organizations adapt and change, in both process and technology, and this is true of your vendors as well as of your organization. Like your organization, vendors are interested in improving their bottom line. This is why it is necessary to assess vendors’ security and privacy compliance posture regularly, beyond the initial due diligence. Indications that a significant change in a vendor’s business is about to occur, or has occurred, include mergers, acquisitions, and the vendor outsourcing its own operations.

Accidental outsourcing does occasionally occur. Your organization may take every precaution to make sure data is handled properly and in compliance with its policy and regulatory goals; take every step to ensure your vendor is doing the same. If the vendor makes a sudden change in its operations such that data is transferred to another agent that is not bound to follow all the necessary precautions, or into an inappropriate jurisdiction, detection and remediation must be swift.

Do Not Just Audit—Assess

Oftentimes, audits are performed strictly against checklists, asking questions such as “do you have ‘a,’ ‘b’ and ‘c,’ and may we see them?” and then checking off that the vendor has what is required. It is important to go beyond such basic audits and perform full assessments. Remember that while answers can look good on the surface, more questions must often be asked; ultimately, protecting the data is not just about liability but about mitigating tangible risk. Utilizing an assessment methodology allows for an adaptive process and a more dynamic approach toward achieving your goals than traditional audit methods do. Active participation, such as seeing how a policy is executed and how processes are implemented, and in some cases taking a detailed hands-on approach to assessing the IT infrastructure, will produce more accurate and informative results. For example, during site visits, which we absolutely recommend: are the storage rooms clean, are there boxes filled with documents in the corners of the room, did you notice any physical security barriers to entry? An adaptive, iterative approach that leverages the diverse experience and expertise of the individuals who form the VMO also saves time and resources.

Approaches

Prepare for the Assessments

Plan for Incidents

Your organization has incident response and business continuity plans. Vendor practices must also include procedures to deal with incidents, such as data breach, leakage or exposure incidents—including communication (with your organization and appropriate third parties) and emergency response plans. These practices must also include an agreed upon definition of what an incident consists of.

Budget and Consolidating Vendors

When considering outsourcing, selecting vendors, and renewing existing contracts, money is always a factor: how much are we saving, spending, earning through this relationship? Organizations must remember to include the cost of maintaining a vendor in the budget—from contract negotiation through to regular audits or assessments and regular communications.

Consolidating vendors can save money, and we are often asked what having your eggs in one or more baskets means from a data protection perspective. While consolidation of vendors may add risk to some operations, it almost always reduces risk from a data protection perspective. Unless different vendors work with completely different sets of data, the eggs are not really different no matter how many baskets they are in. If customer data is breached, it is breached. If one vendor mishandles data, exposing it, that is just as bad as any other of the vendors doing so with the same data. However, if your VMO has fewer vendors to guide and keep on course, stronger, better performing relationships may result from a more focused VMO. Additionally, there are fewer baskets from which eggs might fall.

When Failure Is an Option (Have a Plan)

One significant business situation for which organizations are not prepared is a vendor failing an audit. There are many reasons why this occurs. Often, the organization has been working with the vendor for a considerable length of time and does not expect failure. Other times, it is simply a lack of preparation for such a situation. Either way, it is important to understand that failure is an option.

If this situation does occur—whether it be a failed audit or a vendor simply failing to live up to its contractual obligations, the organization must be prepared to address the issue immediately.

One of the most significant possible results of an audit failure is that the organization does nothing. This should never happen. If there is an issue with a vendor—any vendor, but especially a vendor who handles PII—your organization needs to have a well defined action plan to address the failure. This plan should include:

If the organization does remove a vendor, it needs to be ready to move forward immediately with a suitable replacement. The research on the new vendor should not wait until a key vendor has failed an audit. We recommend, at minimum, that you have potential replacement vendors for consideration and/or a fast-track process to identify new vendors and complete your due diligence. If this is impractical, and for some large organizations it is, focus on the critical vendors and have at least one replacement available. It is always good to have options.

There should be established guidelines as part of your assessment, audit or review processes that address immediate failure of a vendor’s data protection posture. The organization should also have preexisting guidelines for how remediation can be achieved (if the business should desire to maintain the relationship with the vendor).

Being proactive in the vendor relationship helps to avoid failures. We have found that most failures are due to a change in the vendor’s organization or operating procedures, and these can be detected early through regular communication, even when it is not time for an audit/assessment.

Managing the Vendor Relationship

Managing the vendor relationship needs to start early. We recommend that you begin during the initial contract negotiation stage. Usually, there are several parties involved at this time. Corporate counsel, selected business units, sourcing and possibly representatives from the information technology group will give input. We recommend that the VMO lead the negotiations with input from the legal department. If this is not possible, have one organization designated as the point group for these discussions. If it is the VMO, legal will also most likely be involved to assist with the discussions and certainly to approve any final document. We have been involved in situations where legal leads the negotiations, others where the VMO leads the negotiations; this will depend upon your corporate culture. Also, do not forget other interested parties: human resources, corporate compliance, and selected business units may also provide valuable input.

Before you get into the negotiations, do your homework. Identify what type of data it is that you are moving to the third parties. Ask yourself a few questions:

There are also two very important documents when initiating a vendor relationship. These are the due diligence questionnaire and the security and privacy requirements document.

The due diligence questionnaire should be presented to any interested party either right before the relationship has begun or soon thereafter. This document will allow the vendor to elaborate on its entire background and history. You will want information on its relevant security and privacy programs, responsible parties, governance modules, audit expectations, monitoring expectations, special handling considerations, disaster recovery plan and maybe even their financial viability. Most due diligence documents are very comprehensive. Do not be afraid to ask questions. The data is very important and you need to make the correct decision regarding its care.

The second most important document for your vendor relationship is the data privacy and security requirements roadmap document. These privacy and security guidelines and requirements should be provided to vendors early in the relationship so that they understand your organization’s requirements. If this is an existing relationship, provide the document as soon as possible; if you are negotiating a new contract, include it with your other requirements; if you are in an existing contract and cannot retroactively enforce the requirements, provide them to the vendor as upcoming requirements. This is an extremely significant document and will always be reviewed by auditors should there be an incident. However, this roadmap is usually the document that most vendor relationships are missing. Specifically, it is the listing of the data protection, handling and governance instructions that the vendor must follow in order for the data security and privacy aspect of the relationship to be judged a success.

This document is generally based upon internationally accepted data security and privacy frameworks and your organization’s own policies and compliance requirements. It will list out all the actions and expectations that you want the third party to undertake when handling, accessing, storing and processing your data. This will include definitions of protected information, security protocols, privacy protocols and possible compliance issues. Every possible data issue should be contained in this document. Usually, many of these points are pulled directly from ISO 17799/27002, NIST or COBIT; the AICPA has also provided guidance in this area.

If possible, provide this document during the contractual negotiation phase. Let their personnel review it, comment on it and finally accept it. Also, have some flexibility, they will not accept everything. Determine what is important to your organization. IT, legal and business need to work together on this to set expectation and to ensure that all aspects of your outsourcing agreement are covered in relation to data privacy and security expectations.

In many of the contractual negotiations that we have been involved with, the opposing counsel very often makes the following statement, “Go Ahead and protect our data like you protect yours…”[2] If you are presented with this situation, it demonstrates a clear lack of understanding about both the law and common sense around this issue. As has been stated earlier in this article, the vendor is not in the same business as the outsourcer, may not be in the same country, and does not have the same data and data practices as the outsourcer. Because of this, it will need direction from the outsourcer. This is what the aforementioned roadmap document addresses. We recommend that you always request such a document from opposing counsel when addressing data privacy practices in contractual discussions.

Success Criteria

It is difficult to define the criteria by which the relationship will be judged a success. However, this is essential to your agreement. We recommend that you develop metrics and/or success criteria before this process begins and consistently evaluate the vendor relationship against them. Evaluate all vendors on a yearly basis and make adjustments as necessary. Do not forget also to audit your vendor on a regular basis. For vendors who handle critical data, the time frame should be more frequent, perhaps quarterly. If you do not have a quarterly audit with these vendors, it is important, at minimum, to set up a communications plan in which you will receive a regular status update from the vendor. Judge success based upon the metrics, the communications and the quality of the services provided.

Having vendor termination procedures addressed in your contract, before allowing a vendor to receive data from your organization, is vital to being able to neatly wrap up an outsourcing relationship when the time comes to do so. This should include provisions for the safe return or transfer of any data or derived data the vendor holds, secure deletion or destruction of any media used to store the data, and a communication process for the later discovery of your organization’s data that was not removed from the vendor, or of a breach that occurred while the vendor was still in possession of your organization’s data.

Outsourcing to India

For years India has been a lead destination of outsourcing. This trend is still on the rise for many business processes, including back office operations, though even the latest laws do not sufficiently address data protection. As with any jurisdictions not yet providing adequate levels of data protection within their own legal regimes, businesses need to continue to be concerned with the laws that pertain to the data they are handling within their own frameworks.

The current state of privacy regulation in India is unsettled. The National Association of Software and Service Companies (“NASSCOM”)[3] has been pushing for more privacy regulation, though no such regulation has yet made it through the legislature.[4]

India does have some basic protections and there are remedies for a privacy breach, but there are many remedies and they have not yet been codified into one cohesive piece of legislation.[5] Also, new privacy impacting directives have been mandated almost in a haphazard fashion. One such example of this is the recent demand made by the Indian government on Research in Motion[6] (the producers and service provider for BlackBerry devices and software) to provide the ability to decrypt encrypted data transmitted by BlackBerry devices used in India.[7]

Even if your organization has established privacy and security processes and technology for outsourced operations today, it is important to keep in mind that the reengineering of infrastructure for the purpose of moving to an overseas vendor can affect security controls.

Walk Through of the Development of a Data Related Vendor Management Program

As an example of how an organization may come to establish a data related vendor management program, we will walk through the experience of one of our clients. This client is a multibillion dollar provider of consumer services.

The organization was adopting a risk management approach to the handling of their assets. As they calculated the level of risk posed to all assets—they soon realized a cross functional team was necessary to assess risks associated with their data—in particular their customer and employee data. It became clear they needed to pay special attention to the vendors handling their data, as these “data related vendors” are involved in every aspect of their services.

The organization’s motives for addressing data protection go beyond compliance and competitive advantage, their motivation stems from the organization’s culture and a strong desire to:

The risk management effort was spearheaded by the organization’s Chief Information Officer and Vice President of Finance, who were able to gather a cross functional team to handle the data aspects of their vendor risk management program. This included representatives from legal, internal audit, finance, marketing, purchasing, information technology, information security and selected lines of business.

Early on, they established the mission of the data related vendor management program:

A vendor management lead role was appointed for each line of business. It was these individuals’ responsibility to gather and maintain information from their lines of business regarding vendors. This information was used to identify what each vendor provides to the organization (services) and what the organization provides to each vendor (access to information). Initial analysis of this information also allowed for developing a relevant tier structure for their vendors.

Each vendor was assigned a tier ranking according to two sets of criteria: failure consequences (including data sensitivity and/or quantity) and criticality (including the practicality of replacement):

Tier 1 (Critical)

  Failure consequences (and data sensitivity and/or quantity):
  • Significant financial loss
  • Significant adverse privacy and security risk for customers or employees
  • Large number of customers or employees affected
  • Significant legal/regulatory compliance risk
  • High risk of damage to reputation and/or brand value

  Criticality (and practicality of replacement):
  • Critical to the enterprise
  • Loss of service would result in financial and reputation loss
  • Difficult to replace, would incur significant time and expense

Tier 2 (High)

  Failure consequences (and data sensitivity and/or quantity):
  • Large financial loss
  • Significant adverse privacy and security risk for customers or employees
  • Large number of customers or employees affected
  • Legal/regulatory compliance risk
  • High risk of damage to reputation and/or brand value

  Criticality (and practicality of replacement):
  • Critical to several main line(s) of business
  • Loss of service would result in financial loss
  • Difficult to replace, would incur significant time and expense

Tier 3 (Medium)

  Failure consequences (and data sensitivity and/or quantity):
  • Moderate financial loss
  • Significant adverse privacy and security risk for customers or employees
  • Large number of customers or employees affected
  • No or little legal/regulatory compliance risk
  • Medium risk of damage to reputation

  Criticality (and practicality of replacement):
  • Negative impact to non-mission critical line(s) of business
  • Loss of service would result in financial loss
  • Replaceable, would incur some time and possible expense

Tier 4 (Low)

  Failure consequences (and data sensitivity and/or quantity):
  • Little financial loss
  • Non-sensitive data
  • Small number of customers or employees affected
  • No or little legal/regulatory compliance risk
  • Low risk of damage to reputation

  Criticality (and practicality of replacement):
  • Non-critical services
  • Loss of service may result in financial loss
  • Easy to replace, would incur little time and/or expense

The types of data whose handling automatically classifies a vendor as Tier 1 (Critical) or Tier 2 (High) include all data that falls under the jurisdiction of privacy or security protection or breach notification laws and regulatory requirements. Additionally, the organization made a decision that vendors that handle any significant quantity of customer data that is in any way personally identifiable (including customer account numbers), regardless of whether it is covered by any law or regulation, will be classified as Tier 1 (Critical) vendors. Volume is also factored into assigning vendors to a tier: it was decided that vendors performing transactions on 250,000 or more distinct records annually would fall under Tier 1. By classifying vendors into tiers, the organization also knows where to concentrate its resources.

The organization’s internal security controls framework, which is utilized to maintain compliance with its own privacy and security policies, was based on ISO 17799/27002 as well as the laws and regulations applicable to the organization’s use of data. This was leveraged to develop the tools against which vendors were assessed. Requirements were weighed carefully against efficiency and clarity, and 35 individual controls were selected for validating vendors’ data privacy and security controls.

Of the 35 controls, five were selected by the organization as key risk indicators. Failing any of these five criteria resulted in an automatic controls assessment failure:

A questionnaire was created in order to query the vendors regarding the 35 controls. Upon return of the questionnaires, automated scoring of the weighted questions was performed before the answers were manually scrutinized. Then a determination was made as to what evidence would be requested of the vendors to support their questionnaire answers. For example, an information classification policy or an employee confidentiality agreement might be requested. Demonstration of supporting evidence was then used by the organization to confirm or deny suspicions of where the vendors’ data protection practices may be flawed.

On a quarterly basis, the Tier 1 (Critical) vendors receive this questionnaire on their practices. If any anomalies or deficiencies appear, contact is made by phone. The Tier 2 (High) vendors also receive questionnaires biannually and the other vendors receive questionnaires on an annual basis. For all Critical and High vendors, an onsite visit was made within six months of establishing this program and continues on a regular and as needed basis, with most Critical and High vendors scheduled for annual on-site visits. Tier 3 (Medium) and Tier 4 (Low) ranked vendors found to have deficiencies that may be able to be addressed, can opt to address their gaps and be reassessed by the organization.
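The tiering rules, the key-risk-indicator short-circuit in the questionnaire scoring, and the per-tier review cadence described above combine into a small decision procedure. The following Python is an added example, not the client’s tooling or the authors’ code. The 250,000-record threshold and the quarterly/biannual/annual cadence come from the walk-through; the control identifiers and weights, the 1,000-record “significant quantity” cut-off, the 80 percent pass mark, the 95 percent green cut-off and the sample vendor records are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Tuple


class Tier(IntEnum):
    CRITICAL = 1
    HIGH = 2
    MEDIUM = 3
    LOW = 4


# Stated in the walk-through: 250,000 or more distinct records a year is Tier 1.
TIER1_RECORD_VOLUME = 250_000
# The walk-through says "any significant quantity" of customer PII forces Tier 1
# without giving a figure; this cut-off is an assumption made for the example.
SIGNIFICANT_PII_RECORDS = 1_000


@dataclass(frozen=True)
class VendorProfile:
    name: str
    criticality: Tier          # business impact and replaceability, judged by the line of business
    regulated_data: bool       # data under a privacy, security or breach-notification law
    customer_pii: bool         # any personally identifiable customer data, account numbers included
    records_per_year: int      # distinct records the vendor transacts annually


def assign_tier(v: VendorProfile) -> Tier:
    """Data sensitivity and volume set a floor; business criticality can only make
    the tier more severe (a lower number), never less severe."""
    floor = Tier.LOW
    if v.records_per_year >= TIER1_RECORD_VOLUME:
        floor = Tier.CRITICAL
    elif v.customer_pii and v.records_per_year >= SIGNIFICANT_PII_RECORDS:
        floor = Tier.CRITICAL
    elif v.regulated_data:
        floor = Tier.HIGH      # regulated data is Tier 1 or Tier 2, never lower
    return Tier(min(floor, v.criticality))


# Questionnaire frequency per tier as the walk-through describes it (Tier 2 "biannually").
REVIEWS_PER_YEAR = {Tier.CRITICAL: 4, Tier.HIGH: 2, Tier.MEDIUM: 1, Tier.LOW: 1}


@dataclass(frozen=True)
class Control:
    control_id: str
    weight: int
    key_risk_indicator: bool = False   # a "no" here fails the whole assessment


# Constructed control set. The client used 35 controls with 5 KRIs; the IDs and
# weights below are illustrative, not the client's actual controls.
CONTROLS: Tuple[Control, ...] = (
    Control("KRI-ENCRYPTION-IN-TRANSIT", 5, key_risk_indicator=True),
    Control("KRI-BREACH-NOTIFICATION", 5, key_risk_indicator=True),
    Control("KRI-ACCESS-REVIEW", 5, key_risk_indicator=True),
    Control("INFO-CLASSIFICATION-POLICY", 3),
    Control("EMPLOYEE-CONFIDENTIALITY-AGREEMENT", 3),
    Control("MEDIA-DISPOSAL", 2),
    Control("BCP-TESTED", 2),
)
PASS_SCORE = 0.80    # assumed pass mark on the weighted score when no KRI fails
GREEN_SCORE = 0.95   # assumed cut-off between the yellow and green summary ratings


@dataclass(frozen=True)
class Assessment:
    outcome: str                        # "pass" or "fail"
    score: float                        # weighted fraction of controls answered "yes"
    failed_kris: Tuple[str, ...]        # KRIs answered "no"; any one forces a failure
    evidence_requests: Tuple[str, ...]  # "yes" answers to verify with documents
    rating: str                         # red / yellow / green summary for the line of business


def score_questionnaire(answers: Dict[str, bool]) -> Assessment:
    """answers maps control_id -> True if the vendor claims the control is in place.
    A missing answer counts as "no"."""
    in_place = [c for c in CONTROLS if answers.get(c.control_id, False)]
    total = sum(c.weight for c in CONTROLS)
    score = sum(c.weight for c in in_place) / total
    failed_kris = tuple(c.control_id for c in CONTROLS
                        if c.key_risk_indicator and not answers.get(c.control_id, False))
    # Automated scoring comes first; evidence (a classification policy, a signed
    # confidentiality agreement) is then requested for the claims that matter most.
    evidence = tuple(c.control_id for c in in_place if c.key_risk_indicator or c.weight >= 3)
    if failed_kris or score < PASS_SCORE:
        outcome, rating = "fail", "red"
    elif score < GREEN_SCORE:
        outcome, rating = "pass", "yellow"
    else:
        outcome, rating = "pass", "green"
    return Assessment(outcome, round(score, 3), failed_kris, evidence, rating)


if __name__ == "__main__":
    # Constructed sample vendors, not real suppliers.
    vendors = [
        VendorProfile("Statement printer", Tier.MEDIUM, False, True, 300_000),
        VendorProfile("Payroll bureau", Tier.LOW, True, False, 500),
        VendorProfile("Office supplies", Tier.MEDIUM, False, True, 200),
    ]
    for v in vendors:
        t = assign_tier(v)
        print(f"{v.name}: Tier {int(t)} ({t.name}), {REVIEWS_PER_YEAR[t]} questionnaire(s) per year")
    answers = {c.control_id: True for c in CONTROLS}
    answers["KRI-BREACH-NOTIFICATION"] = False
    print(score_questionnaire(answers))
```

The point the code makes explicit is that a vendor with a respectable weighted score still fails when a single key risk indicator is answered “no”, and that the data-driven floor can only raise a vendor’s tier above what its business criticality alone would give it.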

The results of these assessments are presented back to the lines of business that utilize the given vendor. A summary of the vendor’s risk ranking is presented as high, medium or low, color coded as the familiar red, yellow or green. From this, the business is charged with making an educated decision, with the options to accept the risk, request that a further risk remediation plan be implemented, or move toward terminating the vendor relationship. We have found that most, but certainly not all, organizations elect to work with their vendors to address any deficiencies rather than terminating the relationship. This is changing, however; in recent months underperforming vendors are frequently being eliminated.

Conclusion

Data related vendor management is a growing, and complex, area of information technology, compliance and the law. It is important that your organization develop a comprehensive solution in order to manage your data related vendors. The completion of these activities will provide procedural clarity for your organization’s data protection practices and compliance responsibilities. Having a well structured vendor management practice will allow your organization to maintain a high level of data security and privacy maturity while leveraging the benefits of outsourcing.

Checklists

Rolling Out New Programs—Challenges & Solutions

Points to Consider Before Transferring Data to Vendors

Successful Vendor Management Office (“VMO”) Practices

There are similarities in the successful VMOs that we have observed. Some of the key activities of these groups include:

Strategy and Leadership

Opportunity Evaluation

Quality and Risk Management

Business Integration/Operations Support

Sourcing Program/Project Management

Financial Management

Vendor Contracting and Management

Communication


The authors spoke on the topics covered in this article at the West LegalWorks Second Annual Information Security and Data Privacy Summit in November 2007.

At the time of writing, Benjamin Gerber, CISSP, CISA, CPP, CIPP/G, was a Senior Managing Consultant and the Privacy Services Competency Co-Lead with the Security and Privacy Practice at IBM.
He is now a Principal in the Privacy Strategy group at The MITRE Corporation.
He can be reached at privacy.us/contact.

Adam C. Nelson, Esq., CIPP/IT, a member of the Board of Editors of the Privacy & Data Security Law Journal, is a Senior Managing Consultant in the Security and Privacy Practice at IBM and the Privacy Services Competency Lead.


Notes

  1. Adam Nelson and Benjamin Gerber, Protecting Outsourced Data: The Role of the Vendor Management Office, Vol. 2, No. 1, Privacy & Data Security L. J., 37 (2006). ↩

  2. Adam Nelson, Go Ahead, Just Protect My Data Like You Protect Yours…, Vol. 2, No. 11, Privacy & Data Security L. J., 1046 (2007). ↩

  3. NASSCOM (National Association of Software and Service Companies) represents the IT services industry in India. Established in 1988 to instrument global business in software and technology services, NASSCOM presently has over 1,200 member organizations including over 90 percent of the Indian high-tech industry and over 250 companies from the US, Europe, China and Japan. NASSCOM has been the driver of information security and privacy legislation efforts in India—including changes to the Information Technology Act of 2000. Its web site is http://www.nasscom.in. ↩

  4. As of July 1, 2008. ↩

  5. Remedies can be provided by the Indian Contract Act, 1872; Indian Penal Code, 1860; Specific Relief Act, 1963; Consumer Protection Act, 1986; and the IT Act of 2000. See “As Outsourcing Grows In India, Privacy Stakeholders Organize to Launch Public Debate,” Ponnurangam Kumaraguru, Sunil Mehta and Nandkumar Saravade. Presentation and documentation available online at www.cs.cmu.edu/~ponguru/Final_iapp_aug_2006_pk_sm_ns.pdf. ↩

  6. It is interesting to note that Research In Motion (“RIM”) is a Canadian company, a country with strong data privacy regulations. ↩

  7. Under India’s Information Technology Act of 2000, the government has the right, under certain circumstances, to intercept electronic communications for security reasons and in the national interest. The request to access BlackBerry data is under the premise of preventing terrorism. ↩
