Lesa-Marie Mullen, Senior Legal Counsel, Pilgrim Quality Solutions
Maybe it’s a budget deadline. A price expiring. An important project timeline. The vendor is selected, the lawyers have finished dotting the I’s and crossing the T’s, and the pens are poised to ink the partnership into existence. Suddenly someone shouts, “But we need to do our data privacy and security due diligence!”
And the wheels grind to a halt.
Don’t be “That Guy.” Or girl.
As in-house counsel for a leading cloud-based software solution, I am part of a team that works directly with procurement personnel representing companies of all types: corporate enterprises, divisions, M&A entities, government organizations – from all continents. Whenever I get a chance, I like to ask my colleagues about trends they are seeing in the data privacy and security world. This is not just curiosity, of course. It’s another way of doing my own diligence regarding a topic that is so hot, changes are occurring on pretty much a daily basis.
The Time to Take Stock is Now
What I’m hearing repeatedly is that both vendors and buyers are not sure when the right time is to begin the data privacy and security due diligence. And my colleagues all agree: the right time is early in the process. This work can be completed in parallel with the other activities so all ducks are in a row when the pens are raised.
If there were a unified, global set of data privacy and security requirements, life certainly would be a little simpler. Unfortunately, requirements can differ from company to company, state to state, country to country.
I would recommend vetting your provider very early in your selection process.
You Can’t be too Diligent when it Comes to Data Privacy
When working with information system providers, data privacy and security are critical considerations across the board, whether you use an on-premises or a cloud-based solution. Protecting the integrity and the confidentiality of your company’s inside information, as well as that of your clients, should be top-of-mind, and among the top of your vendor-selection criteria. You may have even greater concerns about the security of your clients’ data in the cloud because cloud providers have easy access to your information.
Data privacy and security in the cloud is such a hot topic that there is no shortage of cloud vendor checklists available. They are many and varied. When the cost of a data breach could be astronomical, how do you know which checklist to use? A good checklist, when it comes to determining whether you are comfortable putting your data into your vendor’s cloud, will not be short.
If you are not working with your company’s data privacy and security team, you are making a huge mistake. I am only providing some pointers for checking out your software and cloud vendors, but I can tell you that the first item on your checklist should be: “Am I working with our data privacy and security team?” If the answer is no, stop and get them onboard.
Big Considerations will Support the Big Decisions
Although your own checklist should be reviewed, revised and approved by your security team depending on jurisdiction, type of data, and other factors (and the following is by no means a comprehensive list), here are some things that every selection and procurement team should consider gathering early in the buying process to avoid delays down the road:
- Does the vendor have a security program with written policies and procedures in place?
- Does the vendor have the resources to manage and maintain data integrity and security?
- Does the vendor provide SLAs?
- Are there appropriate physical and electronic access controls?
- Will your data be encrypted in transit?
- Will your data be encrypted at rest?
- Is the vendor’s infrastructure monitored 24/7?
- Does the vendor have a written breach notification plan?
- Does the vendor have geographically separated data centers?
- Does the vendor have a disaster recovery plan? How frequently is it tested?
- Does the vendor have a business continuity plan?
- What security procedures are in place at the data center?
- Where will the data be located? Is the provider compliant with the location?
- Does the vendor have experience with other similar customers?
- Does the vendor have a data privacy awareness program for all of its employees?
- Will the vendor allow audits? Will its data center allow audits?
- What certifications/qualifications does the vendor have? ISO? SOC2? NIST? Safe Harbor? Swiss and EU? Privacy Shield?
- Does the vendor delete the data completely when the relationship is over?
- What happens to my data if my relationship with the vendor terminates?
- If payment is in dispute, can the vendor withhold my data?
- Are the vendor’s security controls audited by an independent auditing body?
Again, this is by no means a comprehensive list, but these are items you should gather early. A good solution and cloud vendor should have a program in place that will enable it to respond to your questions and concerns quickly. If you start the process early and get your data privacy and security due diligence completed prior to the eleventh hour, you will have a much better idea of the kind of vendor you are working with throughout the buying process, and everything will be ready to go the first time the pens are raised.
Don’t be “That Guy.” Be “The Other Guy.”
NOTE: The above blog is not legal advice. The information and advice on this site are general in nature, and may not be suitable for your particular circumstances. The material on this site is intended to be informational. It is not legal advice. Reading this website does not create an attorney-client relationship. The information contained on this website is not a substitute for obtaining legal advice from an attorney. Every situation is unique, and the information and materials on this website may or may not be applicable to your legal situation. You should not act or rely on any information on this website without seeking the advice of an attorney.