Dear Mary,
We were recently impacted by a vendor incident, and the vendor is offering to provide notice to the impacted individuals on our behalf. That sounds like great news to us, but is this something we can and should consider?
– Potentially Optimistic in Miami
July 3, 2024
Dear Potentially Optimistic,
Yes, this is certainly an option worth considering, and many businesses have taken this route before. Your contract with the vendor may even address notification obligations in the event of a security incident and whether they will provide notice to the impacted individuals on your behalf. However, here are a few things to keep in mind.
- Is the Notice Legally Compliant? Ensure your team reviews the content of the notice to confirm it complies with any potential legal obligations (e.g., if social security numbers are impacted, is the vendor providing consumers with any required credit monitoring?). Some breach notification laws have notice content requirements, so be sure to review the notice from that perspective.
- Does the Notice Explain Why the Vendor Has the Consumers’ Information? A common issue with vendor notices is that they might not explain why the vendor has the consumers’ information, which can confuse people. Make sure the notice explains this clearly. Data owners, such as yourself, sometimes request to be named specifically in the notice or that the notice include sufficient context to explain the relationship between the vendor and the business, even if in general terms.
- Verify the Recipients and Process for Notification. Verify who will receive the notice and how it will be sent. If mailing, consider whether you need to review the addresses being leveraged or if the vendor already has the most up-to-date information.
- Call Center Scripts. If the vendor sets up a call center, ask to review the script to see what information will be given to consumers who call in.
- Proactive Notification. Even though your vendor may ultimately provide the formal breach notification letter, consider whether a proactive notification to affected individuals should be sent. Doing so may help alleviate concerns or questions as to the legitimacy of the notice and show that you’re involved and on top of the situation.
Remember, while the responsibility to notify usually lies with the data owner, you can still likely leverage a vendor to handle this. Just make sure you do your due diligence to ensure the notice complies with legal requirements and doesn’t create additional exposure for your company.
— Mary
“Dear Mary,” an advice column from Troutman Pepper’s Incidents + Investigations team, will answer questions about anything and everything cyber-related — incident response, forensic investigations, responding to regulators, breach-related litigation, and much more. “Dear Mary” goes beyond the articles, podcasts, webinars, and other content we produce, as we are responding directly to our readers’ questions with concise, practical answers. Answers will be general in nature and will not contain legal advice. If you need legal advice or representation, please contact one of our attorneys directly. “Dear Mary” also can be found here on the firm’s website.