news.cuna.org/articles/113076-tighten-up-third-party-contracts-to-mitigate-cyberthreats
Brian Lauer

Tighten up third-party contracts to mitigate cyberthreats

Equifax breach underscores need for close contract management.

October 4, 2017

Many credit unions have contracts with third-party vendors that have access to their member data. In fact, it’s not uncommon for credit unions to have this level of contractual relationship with hundreds of suppliers.

The proliferation of data breaches in the past few years has forced credit unions to view those relationships, and their contracts, with a more critical eye. The recent Equifax breach has only heightened this wariness.

“When we found out that Equifax knew about the breach in May, and didn’t tell us until three months later, that’s when things went crazy,” says Brian Lauer, an attorney with the firm Messick, Lauer and Smith, who addressed a breakout session at CUNA’s Governance, Risk Management, and Compliance Leadership Institute.

“Really, the goal is that you can react to a data breach of a third party as you would to a data breach to your own in-house system,” Lauer says. “We can try to handle that with the contracts you have with your third parties.”

Virtually every credit union has data breach language in its contracts with third-party vendors, Lauer says. Usually that language says something to the effect that the third party will notify the credit union in the case of a breach when it reasonably believes the breach will have a material effect on the members’ information.

“But who decides what’s ‘reasonable’ and what’s ‘material?’” Lauer asks. “You might think you have timely notification of unauthorized disclosure of your member information, but you might get into an argument with them if you find out much later. Did Equifax notify anyone in May?”

Lauer suggests that credit unions try to negotiate into their agreements a clause requiring the third party to contact them after any unauthorized disclosure of member information, which lets the credit union decide whether it must notify members.

“You might have vendors who push back, but it’s a very good starting point for a conversation,” Lauer says.