Vendor Centric Blog

State Laws Are Driving a Focus on Third-Party Management

The European Union's General Data Protection Regulation, which has been enforced since last May, is inspiring renewed efforts worldwide, including at the federal and state levels in the United States, to boost privacy protections. Several U.S. states, including Oregon, North Carolina, Virginia and Washington, are considering new legislation to shore up consumer data privacy laws in the wake of California passing strict privacy requirements last year.

 

While Democrats in Congress have once again introduced national breach notification and privacy legislation, states aren’t holding their breath that anything will get passed at the federal level and are taking matters into their own hands.

 

A by-product of the legislation is the spotlight that’s being placed on third parties. Companies are finding they have an incredible amount of data that is being collected, processed or stored by third-party service providers. This means there are going to be some changes that will need to be made in their third-party contracting and oversight to be compliant with these new laws.

 

For example, Virginia has proposed a bill that places new requirements on businesses to “take all reasonable steps to dispose of, or arrange for the disposal of, consumer records.” That means businesses will be required to know which third parties collect, process, store or have access to consumer records, and to establish the appropriate contractual clauses and procedures to ensure the third party disposes of the data according to policy.

 

North Carolina has proposed legislation under which ransomware attacks would be considered a security breach, and a breached entity would need to notify the state attorney general's office within 30 days. That means businesses will need to ensure their contracts clearly identify breach notification requirements.

 

These are just two examples, and there are many more. As these proposals move into law, having visibility into third-party relationships is not a nice-to-have; it’s a requirement.

 

But here’s the reality. Most companies don’t know which third parties have their data.

 

A recent third-party risk survey conducted by Aravo showed that 73% of the respondents “cannot produce a complete report of all of their third parties with cyber risk exposure quickly and easily.” That means that nearly three out of four of the businesses that responded couldn’t comply with these data privacy regulations even if they wanted to.

 

If you’re concerned about the data that’s being exposed to your third parties, contact us today and let’s discuss how we can help.


Copyright © 2018 Vendor Centric. All rights reserved.
