(Note: Always seek legal counsel prior to developing, sending, or signing any contract. This article provides general advice and should not be misconstrued as legal counsel)
Trusting third-parties with your data and provide great benefits, but also great challenges. Coalition recommends that you have a contract with all third-parties, requiring them to uphold the same security standards you do. We minimally recommend following provisions be added in any third-party agreement:
Contractor agrees to handle data and other information in accordance with [your company] security standards
Prior to receiving or transmitting [your company] data, the provider shall perform a third-party risk assessment
Prior to receiving or transmitting [your company] data, the provider shall remediate all high and critical vulnerabilities on networks processing [your company] data.
Prior to receiving or transmitting [your company] data, the provider shall comply with all government and industry regulations pertaining to the secure storage, transmission, processing, and destruction of [your company] data. This includes HIPAA, PCI, state and federal privacy laws, and other relevant regulations.
If an actual or suspected unauthorized disclosure of, access to, or other breach of [your company] data, the provider shall comply with all state and Federal laws and regulations related to such breach, and will fully cooperate with [your company] and [your company] designees.
We highly recommend consulting legal counsel to develop your contracts, but a good starting point would be to assess your current agreements to ensure that, minimally, they include the above points.
For more information on this topic, please reach out to us; we're here to help!