(Note: Always seek legal counsel prior to developing, sending, or signing any contract. This article provides general advice and should not be misconstrued as legal counsel)
Trusting third parties with your data can provide great benefits, but also great challenges. Coalition recommends that you have a contract with all third parties, requiring them to uphold the same security standards you do. We minimally recommend following provisions be added in any third-party agreement:
Contractor agrees to handle data and other information in accordance with [your company] security standards
Prior to receiving or transmitting [your company] data, the provider shall perform a third-party risk assessment
Prior to receiving or transmitting [your company] data, the provider shall remediate all high and critical vulnerabilities on networks processing [your company] data.
Prior to receiving or transmitting [your company] data, the provider shall comply with all government and industry regulations pertaining to the secure storage, transmission, processing, and destruction of [your company] data. This includes HIPAA, PCI, state and federal privacy laws, and other relevant regulations.
If an actual or suspected unauthorized disclosure of, access to, or other breach of [your company] data, the provider shall comply with all state and Federal laws and regulations related to such breach, and will fully cooperate with [your company] and [your company] designees.
We highly recommend consulting legal counsel to develop your contracts, but a good starting point would be to assess your current agreements to ensure that, minimally, they include the above points.
For more information on this topic, please reach out to us; we're here to help!