In the wake of COVID-19, many organizations found themselves transitioning to the remote world of telework. Just months later, as states begin lifting precautionary stay-at-home orders, organizations find themselves straddling the transition back to work-as-usual in a COVID-19 conscious world, as well as balancing continued telework operations. As organizations strive to reboot day-to-day physical operations, there will be an obvious emphasis on incorporating health and safety measures to flatten the COVID-19 curve. At the same time, organizations must not neglect the vulnerable areas of data privacy and security.
Aside from the physical impact of COVID-19, organizations must also be mindful of ever-present cyber threats, particularly those introduced through third-party vendors, which may include compromised communication platforms, ransomware, and other cyber-attacks that cause business interruption. Organizations can be proactive by creating pandemic response teams that rapidly assess, monitor, manage, and mitigate third-party vendor risk. The following key vendor risk management steps can help reduce potential vulnerabilities during the COVID-19 pandemic.
Assess and Monitor Your Vendors. Determine which vendors have access to your organization’s most critical information, including personal data. Conduct vendor risk assessments and periodically monitor compliance to determine: (1) whether vendors have contingency and incident response plans for cyber-security incidents; (2) whether and how vendors encrypt data, both in transit and at rest; (3) what applications vendors frequently use (or started using because of COVID-19 telework) that could expose information about your organization; and (4) whether your vendor can meet the privacy and security demands posed by the COVID-19 pandemic.
Know Your Vendor’s Policies and Procedures. It is critical to understand your vendor’s data privacy and security policies, procedures, and processes, which can range from the communication platforms your vendor uses to the encryption measures your vendor implements. With the shift to telework and increased digital communications, vendors that do not monitor such services for risks could be vulnerable to cyber-criminals looking to infiltrate unprotected systems.
Review and Enforce Vendor Agreements. Strong and well-developed vendor agreements, together with appropriate cyber-security insurance, can help offset liability in the event of third-party cyber incidents. Confirm that vendor agreements require an appropriate level of authentication for access to company networks (for example, multi-factor authentication for remote access), reasonable security measures, and policies, procedures, and processes to monitor connected devices and provide appropriate protection in the telework environment. Continuously monitor your vendor’s privacy and security practices to ensure they are maintaining the previously agreed-upon risk thresholds.
To help your organization with vendor risk management, you may want to consider the steps set forth in the Fey LLC Third-Party Vendor Risk Management Checklist. Fey LLC will continue to closely monitor COVID-19 related privacy developments. For more articles and alerts on this or other significant data protection laws and developments, follow the Fey LLC LinkedIn page.

Mary Colleen Fowler, a 2020 graduate of the University of Kansas School of Law, contributed to this post. Ms. Fowler is a law clerk with Fey LLC.