Your team has been talking to a vendor who has a solution that is going to make your life amazing! The vendor even said integration with your core is FREE! All you must do is pay the recurring fees going forward and be willing to be their beta tester…and of course, provide them your data to develop with. What a bargain!
Not so fast! While this solution might be a bargain for your organization, without the proper due diligence, this seemingly wonderful integration could be a formula for disaster. Too often, organizations see only the promises of a cool, new solution without understanding the risks and implications of turning over member data. Risks include the possibility of violating privacy laws if information is turned over without members’ consent. You can also be on the hook for data breaches, whether by the vendor or a downstream organization that receives access to the data.
Top questions to ask before signing on the dotted line
Consider the following before quickly agreeing to send your data to a third-party vendor:
What/how much data is your vendor requesting?
Is the vendor only asking for the data required to accomplish the task you are engaging them for, or is the vendor broadly requesting data that is unnecessary for your purposes? You may be exposing your organization to a massive data breach by sending data you do not need to reach your goals. In addition, your vendor may want volumes of data for purposes such as training their Artificial Intelligence (AI) models, at your risk.
Are you compliant with privacy laws?
Many states require consent from a person before their information can be sent to a third party. While there are federal carve-outs in state privacy laws for data sent to third parties to provide members with a financial product or service, many states grant their residents much broader protection regarding notification and the right to opt out. Do not assume an all-encompassing right to send data without first ensuring that your members do not have notification, consent, and opt-out rights regarding the data you are sending.
Have you reviewed the vendor’s data security policy?
Anytime you send member data to a third party, you are required to ensure that the third party is adequately safeguarding the data. Depending on the data sent, ensure the vendor can demonstrate safety and data protection, including physical safeguards, employee training, and any compensating controls you will be expected to follow on your side.
What is the retention and destruction policy around your data?
Some third parties require daily downloads of member transactions because they want “fresh” data, not “stale” data from yesterday. This may be necessary for your service, but you should be aware of what happens to the stale data. Does it sit on a server somewhere, piling up and steadily increasing your exposure should something nefarious happen on that server?
Do you have assurances in writing?
In some cases, your vendor must agree in the contract to safeguard member data. Ensure that this requirement is met. In addition, check whether the vendor will share its incident response plans, has documented its security practices, and is properly insured.
What is your downstream exposure?
Downstream parties introduce additional security and compliance risks. If your third-party vendor is using vendors of their own and sharing your data with them, you may have a responsibility to inform your members and to require that these downstream vendors provide the same level of protection as the vendor you are working with.
No leaps of faith here
Bottom line, map your data through the process and its lifecycle, and make sure that, first, you know where it is going and, second, you are comfortable with its journey from beginning to end. The time to do this is before the data leaves your system, not after an unfortunate event. There’s no putting the toothpaste back in the tube!