Third-party vendors are critical to small-business success. They provide operational and financial support that eases the burden of daunting tasks such as bookkeeping and reporting. However, relying on these vendors can subject organizations to a unique set of risks.
To take advantage of these services, small businesses often share sensitive and private information, which exposes them to financial risk. Because small and medium businesses (SMBs) may lack the financial reserves or the talent, such as an in-house security team that can respond in a timely manner, business owners vetting vendors should focus on partners that adhere to high compliance standards, so they can better judge whether their data will remain safe and secure.
Asking the right questions upfront can save your business in the long run, but it can be difficult to know where to start. The following steps provide a framework for evaluating whether your data is in trustworthy hands.
Confirm which third parties are involved.
Third-party assurance is a crucial part of the best data compliance standards. The standards that your third-party vendor holds itself to can directly impact your small business—potentially even more than businesses with 500-plus employees.
Businesses should make sure that controls and processes are being audited by highly credentialed third parties with expertise in applying industry standards, like those of the American Institute of Certified Public Accountants (AICPA). In general, I suggest small businesses adopt the AICPA’s goal of promoting healthy skepticism as an integral part of auditing standards.
Depending upon one vendor without proper screening can have devastating effects on a small business, from loss of revenue to hefty fines. However, relying on the right third-party vendor can do more than just keep the lights on. It can provide you with the confidence and peace of mind that your private information is being managed with security and privacy in mind.
Know what they’re committing to.
Some of the most rigorous compliance standards, like SOC 2 and ISO 27001, require a significant commitment of time and money. If you’re going to give an outside organization the keys to your financial house, you should know what kind of work they have done to earn them.
Although SOC 2 is tailored to each organization and its application differs from one use case to the next, it rests on common principles. Organizations undergo a voluntary audit by an unbiased third party accredited by the AICPA and are evaluated in these areas of trust: security, availability, processing integrity, confidentiality and privacy.
Selecting a data partner with SOC 2 compliance provides your company with multiple levels of assurance. Similarly, ISO 27001 certification is available to all types and sizes of businesses and adheres to principles of confidentiality, integrity and availability.
With both certifications, you’re given an understanding of how the organization’s systems work and whether they live up to high security standards, as well as their operational efficiency.
Best practice in cyber safety is to request a copy of the certificate and its scope of applicability or, for SOC 2, a recently completed (in the last 12 months) SOC 2 report. If the SOC 2 report is older than 12 months, the vendor may be able to provide a bridge letter attesting that the older report is still valid. All of these documents may require an NDA to access, but it’s important to scour them thoroughly when conducting due diligence.
Understand how your data is being used.
Do your homework and ask questions. How sensitive is your data? How secure? The more you understand how your data is being used, the more peace of mind you will have when handing it over to a trusted vendor, and the more empowered you will feel to make decisions on behalf of your employees and customers.
Including data processing agreements (DPAs) in contracts with third-party vendors, especially when the vendor will be handling any kind of sensitive data, is also best practice and a legal requirement in certain states.
Do not be afraid to seek out ratings on Google, Yelp or platforms such as Trustpilot as one data point. If users have a bad or even dangerous experience, they will sometimes warn others. While these types of reviews are not perfect and should not be treated as sufficient on their own, they are valuable when taken into consideration as part of a 360-degree review.
By asking pertinent questions about data handling practices, consent agreements and security measures, you can help safeguard your company’s privacy, maintain control over your information and contribute to a safer digital environment. If you’re unsure of what you should be asking, the following questions provide a good starting point.
• What specific data points do you collect from my business?
• How do you use the data collected from my business?
• Do you share or sell the data to other parties for targeted advertising or profiling? If yes, who are they?
• Do you do any subcontracting? What standards do you have for these third parties?
• How do you ensure the security and privacy of the data you collect?
• Are there any data retention periods? How long do you keep the data?
• Can you provide details about your data handling practices and compliance with relevant regulations (e.g., GDPR, CCPA)?
• How can my business and its customers opt out of data collection or processing?
• Can I review and request changes to the data you have collected from my business?
• What measures do you have in place in case of a data breach involving my business’s data?
Ultimately, whichever third-party vendor(s) you choose should help you manage risk, save time and money, and focus on core competencies. If you do your due diligence and find a vendor that aligns with your business values and goals, you may find yourself with the opportunity to scale your small business in a way you never thought possible. Working smarter, not harder, is the golden rule of business success.
The information provided here is not legal advice and does not purport to be a substitute for advice of counsel on any specific matter. For legal advice, you should consult with an attorney concerning your specific situation.