The Legal Department's New Nightmare: Your Vendors

Sponsored by Jordan Lawrence

From the European Union's GDPR to California's new privacy law, there has been a tidal wave of new data privacy and cybersecurity regulations globally. This surge of new laws requires legal counsel to identify, with great certainty, all the third-party service providers that access, process, or store personal and regulated data on behalf of their companies.
An average of 63 percent of a company's personal and sensitive data is disclosed to or managed by third parties spanning a wide range of functions, including human resources, law firms, legal service providers, payroll, accounting, marketing, customer services, software development, engineering, and many more.

Any third party with access to your company's personal, sensitive, or otherwise regulated data represents a risk and is subject to data privacy and cybersecurity regulations. The stakes have never been higher. You can't afford to be surprised.

"Vendor management, including the risk profiling of all third-party service providers, should squarely sit with the legal department. Otherwise, the legal department will not be fulfilling its duty of risk mitigation and prevention. The department will only be set to solve serious problems such as data breaches in a reactive rather than proactive manner," said Susanna McDonald, vice president and chief legal officer at the Association of Corporate Counsel.

The regulations make it clear that you are responsible for your third parties — all of them. ACC's Third-Party Compliance Best Practices white paper says effective compliance requires you to know which third parties are relevant to data privacy and cybersecurity regulations and to assess their data protection practices and compliance routinely and systematically.

Figure: Data privacy and cybersecurity regulations requiring third-party diligence

What is vendor risk profiling?

To effectively meet your obligations, you must define your universe of third parties and establish a process that documents the steps you've taken for data privacy remediation and compliance. Vendor risk profiling enables you to determine which data privacy and cybersecurity regulations are relevant to each of your vendors.

Vendor risk profiling also helps you discover which vendors may not fall under a regulation but might pose a high risk to your company. As with any regulation, the key to compliance is demonstrating reasonable diligence that is supported by a systematic, well-documented process.

Can you confidently answer "yes" to these questions?

  1. Do you know which of your third parties are subject to data privacy and cybersecurity regulations?
  2. Do you know the specific types of personal data you disclose to each third-party service provider?
  3. Do you know how all your third parties manage and use that data?
  4. Do you know if your third parties are complying with applicable regulations?

Case study: Legal team meets requirements under New York state's 23 NYCRR 500.11

The legal department of Plaza Home Mortgage established a practical, repeatable process for risk profiling and assessing third-party risks using the ACC Vendor Risk Service to meet their obligations under 23 NYCRR 500.11. Download the Plaza Home Mortgage Case Study (PDF).

"With the ACC Vendor Risk Service platform, I feel confident in Plaza's compliance, ability to monitor, and safeguard itself from the risks associated with third parties," says Scott Laughlin, corporate counsel and chief information security officer at Plaza Home Mortgage.

Case study: Law department risk profiles 800 vendors in two weeks for GDPR compliance

The legal department of a multi-national hospitality company leveraged the ACC Vendor Risk Service to risk profile over 800 vendors in just two weeks. The automated processes and tightly-structured survey standards helped them quickly identify the 63 vendors relevant to GDPR compliance. While collaborating with outside counsel, the legal department was able to focus their time and efforts on the vendors that required legal review and get the right contracts in place to meet their obligations.

How can you comply with data privacy and cybersecurity regulations?

Legal must establish and maintain a vendor risk profiling process to identify which vendors are relevant to data privacy and cybersecurity regulations and avoid risks before they become problems. Meeting your obligations is easy with the right standards, processes, and automation.

The ACC Vendor Risk Service is specifically designed to help legal counsel comply with data privacy and cybersecurity regulations.

"The ACC Vendor Risk Service is a crucial part of ACC's vendor diligence process. It enables us to quickly get an in-depth view of our third-party relationships and understand their data privacy and cybersecurity practices," says McDonald.

About the Author

Rebecca Perry is the director of professional services at Jordan Lawrence, the world leader in helping companies meet legal and regulatory obligations related to how they manage information, and the exclusive ACC Alliance Partner for Data Privacy and Cybersecurity Compliance. Perry has been with Jordan Lawrence for 25 years helping in-house counsel, compliance, privacy, and IT executives identify and address critical information risks and comply with regulatory obligations. She provides expertise and guidance in the areas of information governance, data mapping, data minimization, records retention, and third-party diligence. Perry is a Certified Information Privacy Professional and a frequent contributor and speaker in the legal and privacy communities.

The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.