If you were asked to give all your company’s money, data, and details about your employees to a stranger on the street who will watch over it for you…would you? Seems crazy. That’s a lot of very important information you’ve just been asked to simply hand to someone.

Here’s the thing. You’re probably already doing this (in a very roundabout way).

What I’m talking about specifically relates to third-party vendors.

Today, many companies depend on third-party vendors to collect, store, and process employees’ sensitive personal data. If you’re doing this, there’s nothing wrong with that. The problem occurs when there’s a breach of information. Who’s responsible?

Employers may assume that their vendors will take all necessary measures to protect employees’ personal information, but failure to adequately address data privacy and security issues when selecting vendors could result in significant expenses and reputational damage.

According to a report released by the Ponemon Institute this year, the average cost to a company for a single data breach is $4 million, and the average cost per compromised record is $158.

How to Review Third-Party Vendor Contracts

So what can you do? Well, there’s a lot. But when I talk with businesses, there are three main areas I will look at in a contract review.

Indemnification

Where does the liability truly flow? Indemnification clauses involve a great deal of legalese and are often overlooked. This is, however, the No. 1 source of the contractual transfer of risk.

Pay close attention to the language in this clause. If you assume a common-sense split of who pays which expenses in the event of a loss, the actual wording may have you scratching your head.

Definition and Ownership of Data

These agreements should say who owns the data, no matter where it is stored. That ownership can dictate who is responsible in the event of a breach. It may be wise to have someone in your IT department review this clause closely, as again, it may not be overly intuitive.

Limitation of Liability

Liability can be a touchy issue. Who’s liable in a breach situation when there’s a vendor involved?

Obviously, businesses want vendors to accept unlimited liability for costs that come from breaches. But on the flip side, vendors don’t want that responsibility, especially when the cost of a contract can be outweighed by the costs associated with fixing a breach, the customer notification process, and dealing with any lawsuits that may arise.

The key is to make sure you have favorable language, modify it if you can, or be aware of the risk and adjust your insurance policy accordingly, primarily by increasing your limits to cover this additional exposure.

When in Doubt, Ask for a Contract Review

Like I said, there are numerous items that should be considered.

The main thing is that I don’t want you to feel overwhelmed. It is a scary subject, but we’re here to assist. We’d love to review those contracts with you and help you identify where your exposures may lie.

My goal is to inform businesses that contracts may not read as intuitively as you may think, thus exposing you to a great deal more. So reach out to us! You can do so by commenting below or emailing/calling directly! Don’t wait until it’s too late.