COMPLIANCE HOT TOPIC
Contract Provisions Protecting Consumer Personally Identifiable Information
QUESTION:
If my third-party provider (“vendor”) has access to consumer personally identifiable information, should provisions addressing the protection of such information be included in the Contractual Agreement with the vendor?
ANSWER:
Yes, written agreements with third-party providers should address potential risks associated with data breaches – particularly when the vendor has access to consumer personally identifiable information. The vendor contract is a vital element of the vendor due diligence process and relationship. The contract should capture the nature of the relationship and set forth the contractual rights, obligations and duties of each party. This includes confidentiality requirements, responsibilities in the event of a breach, and liability provisions.
Since written contracts are a critical component of a sound vendor management program, regulators may review them with a degree of scrutiny. Failure to maintain sufficient protections within vendor contracts and address risks appropriately may result in unsatisfactory results during a regulatory review or examination. Additionally, insufficient contract protections could expose a company to added civil liability in the event of a breach.
For 14 critical provisions to include in your vendor contract, download our free guide:
Rolling Sevens: The Top 14 Provisions Every Lender Should Examine When Reviewing Vendor Contracts
|
