Vendor and Third-Party Risk Assessments
Companies remain responsible for what their vendors do with data handled on their behalf, and should rely on two complementary controls: written contract protections (confidentiality, no further use, subcontractor flow-down, breach notice, information security requirements, end-of-relationship data handling) and due diligence (reputation, financial condition, independent assurance such as a SOC 2 report, disposal practices measured against the FACTA Disposal Rule). The 2020 SolarWinds Orion compromise, in which attackers inserted malicious code into a trusted vendor's signed software updates and reached that vendor's customers through them, shows that a vendor's security failure becomes the customer's incident.
Companies are responsible for the actions of vendors handling data on their behalf, and the promises made in the company's own privacy policy continue to bind it when a third party processes that data, so those promises must be carried into the vendor relationship. Written-contract protections to consider:
- Confidentiality provision
- No further use of shared information beyond contracted purposes
- Subcontractor flow-down of the same privacy and security terms, with notice of or approval rights over subcontractors; address cross-border data flows and the transfer mechanism used
- Requirement to notify the company of a breach promptly, within a defined timeframe, and to cooperate with the company's own disclosure obligations
- Information security provisions (encryption in transit and at rest, network security, access controls, segregation of the company's data from other customers' data, background checks, audit rights)
- End of relationship: return or verifiable deletion of the company's data, including copies held by subcontractors and in backups, with written confirmation
Vendor due diligence evaluates reputation, financial condition and insurance coverage, information security controls (an independent SOC 2 Type II report is the usual evidence; note that SOC 2 is an auditor's attestation, not a certification, so the report's scope, period and exceptions must actually be read), how data is transferred to the vendor and protected at the point of transfer, disposal of information (the FACTA Disposal Rule is a good baseline), employee training, incident response capability, and audit rights.
A vendor/third-party risk assessment also reviews the data's sources, types and storage location, whether a PIA or DPIA was performed, any AI and cloud uses of the data, independent assurance such as a SOC 2 report or a PCI DSS Attestation of Compliance, and disclosure of the vendor's own subcontractors.