Q: If my third-party provider ("vendor") has access to consumer personally identifiable information, should provisions addressing the protection of such information be included in the Contractual Agreement with the vendor?

A: Yes, written agreements with third-party providers should address potential risks associated with data breaches — particularly when the vendor has access to consumer personally identifiable information. The vendor contract is a vital element of the vendor due diligence process and relationship. The contract should capture the nature of the relationship and set forth the contractual rights, obligations and duties of each party. This includes confidentiality requirements, responsibilities in the event of a breach, and liability provisions.

Since written contracts are a critical component of a sound vendor management program, regulators may review them with a degree of scrutiny. Failure to maintain sufficient protections within vendor contracts and address risks appropriately may result in unsatisfactory results during a regulatory review or examination. Additionally, insufficient contract protections could expose a company to added civil liability in the event of a breach.