The Domino Effect: Third-Party Vendor Data Breaches

It’s a beautiful day outside. The sun is shining. The birds are singing. The breeze feels nice. But then you get the dreadful news…one of your vendors had a data breach. And since your vendor had a data breach, that means it could affect your credit union, which in turn will affect your employees and/or your members. It’s the domino effect of data breaches.

Your credit union has probably gone through tremendous efforts to ensure that your members’ and employees’ sensitive information and data are protected. But before this point, have you considered what would happen if one of your vendors had a data breach? Your credit union could end up facing significant risks depending on the type and amount of information that the vendor houses, processes or has access to. Since data breaches are increasing in likelihood these days, you should identify these potential risks ahead of time as part of your credit union’s vendor management program.

Before the first domino falls and a breach occurs, your credit union should already:

Know your vendors – This seems like a silly point to make, but you might have a lot of vendors and some may even be inactive, which means you may not know all of them. It’s vital that your credit union has in-depth and up-to-date knowledge of your active vendors as well as the inactive vendors, as they could still retain sensitive information. You should also know who the point of contact is for that vendor and the best way to reach them. Do they prefer to be contacted via a phone call or an email address?

Additionally, make sure you know how they’ll contact you in the event of a breach and the information they’ll provide, which is usually addressed in the breach notification clause of your vendor contract. If you have this clause in your contract, make sure to reference it, as it will determine how the vendor will notify you.

Know the types of data your vendor houses, transmits and/or processes – In addition to knowing how much information your vendor has access to, you also need to be aware of how sensitive that information is. Do they have access to account numbers, social security numbers, home addresses, etc.? In other words, is it Non-Public Personal Information (NPPI) or Gramm-Leach-Bliley Act (GLBA) information? You will also need to take into account the frequency with which you share information with your vendor.

For example, has it been a while since you’ve shared information with them, or do you share information with them on a more frequent basis? Is it an inactive vendor or a vendor that might only be used once a year? This is important to know because it can determine how much of your information could be at risk. Also think about if your vendor has direct access to your credit union’s systems or networks, and therefore, direct access to any information stored on those systems or networks.

Know your riskiest vendors – You should have a decent idea of how risky your vendors are and how much information you share with them — especially if you’ve already completed the first two points I made. You can rate your vendors on a scale based on their risk management practices, among other factors, conduct a more thorough risk assessment of the vendor or have them answer questionnaires. Any of these will give you an idea of the risk the vendor poses to your organization.

Once the first domino falls and you’re notified of a third-party data breach, your credit union needs to:

Know who the breach affected and what was affected – You have access to employees’ and members’ sensitive information, so you’ll need to find out who was impacted and what information was obtained in order to inform your members or staff of what happened. Was it account numbers, social security numbers or some other type of sensitive information? Your affected parties are going to want to know how much of their information was compromised and what is being done about it.

Know your contract coverage – In your contract with the vendor, does the vendor provide breach language? If not, you should consider adding a section about it. You could also add a statement that requires your vendors to respond to and/or let your credit union know about a security issue or data breach within a certain timeframe. You don’t want your employees or members finding out about a data breach through some other party. They need to hear it from you, so you need to be informed in a timely manner. Make sure that you understand and know what’s covered in your contract so that you can protect your credit union as well.

While good vendor management obviously can’t prevent a data breach of a third-party vendor, it’s vital in ensuring that your credit union has a good strategy and plan in place to handle it when the first domino falls and the inevitable happens.
Belinda Mumma has over 12 years of experience implementing and maintaining vendor management and vendor due diligence software. During her career, she also has been responsible for policy and legal review processes; implementing, directing and maintaining enterprise risk management software; and implementing and maintaining audit and exam findings software.