Your Own Data Protection Practices Are Sound. But What About Your Vendors?

Recent news of a bankruptcy filing related to a data breach at a service provider carries warnings on two critical points: First, that the costs associated with repairing a data breach can all too easily take a company under, and second, the importance of vetting your vendors’ data protection practices.

This particular breach lasted more than eight months and involved credit card data obtained by the American Medical Collection Agency (AMCA), who collected medical debt for companies including Quest Medical and LabCorp. Quest said the breach had affected almost 12 million of its patients; LabCorp, almost 8 million patients. The breach lasted from August 2018 to March 2019. Clients were informed in May.

In less than three months after discovering the breach, AMCA and its parent company, Retrieval Masters Creditors Bureau, incurred more than $4 million in related costs and lost AMCA’s four biggest clients. The bankruptcy papers were filed on June 17, 2019, as rumors spread of class-action lawsuits being prepared in New York and California.

Third-party data protection

The AICPA developed its Service and Organization Controls (SOC) standards and Trust Services Criteria specifically to address concerns about how vendors manage their clients’ sensitive data. The Payment Card Institute’s Data Security Standards (PCI DSS) define detailed practices specifically for credit and debit cards. Best practices abound; the challenge is making sure that your vendors are following them.

These are some steps you can take to help ensure that your vendors are as careful with client data as you would be:

  • Ask for the appropriate SOC report (usually a SOC 2 report covering security and data confidentiality), and review it carefully. Is it the correct kind of report over the right systems? Is it current? Were there findings disclosed or criteria the vendor failed to meet?
  • For vendors handling payments or financial information, request recent documentation that they meet current PCI DSS requirements
  • Follow the trail: What service providers do your vendors use? Modern cloud-based services often leverage multiple layers of technology service providers and systems, all of which must work together to keep your customers safe — and each one should be able to provide assurances through SOC reports, PCI certification and other means
  • Establish an ongoing program to identify and monitor all vendors and related service providers with access to your sensitive customer information

Need help?

If you could use help to make sure that your data is safe on every step in its lifecycle, contact us. Weaver’s cybersecurity team can help you evaluate how well third parties are managing your customers’ information, helping protect you from devastating financial consequences.

© 2019

Neha Patel

Neha Patel

Partner-in-Charge, IT Advisory Services


Neha Patel, CPA, CISA, CDPSE, has more than 17 years of experience in public accounting and internal audit, with an emphasis on…

Learn More