Can Vendors Notify Affected Individuals on Behalf of Businesses After a Data Breach? - Dear Mary – Incidents + Investigations Cybersecurity Advice Column

Troutman Pepper

‘Dear Mary,’ is Troutman Pepper’s Incidents + Investigations team’s advice column. Here, you will find Mary’s answers to questions about anything and everything cyber-related – data breaches, forensic investigations, how to respond to regulators, and much more. ‘Dear Mary’ goes beyond our articles, podcasts, webinars, and other content we produce because here, we respond directly to your questions with concise, practical answers. We promise they will be interesting, informative, and hopefully a little fun.

Drop us a line with any cyber-related question you would like answered – whatever may keep you up at night – and we’ll do our very best to provide a practical, actionable answer. Of course, our answers will be somewhat general in nature and should not be considered legal advice – always consult with an attorney (preferably one of ours!) before acting on anything you read here.

Thank you for reading!


Dear Mary,

We were recently impacted by a vendor incident, and the vendor is offering to provide notice to the impacted individuals on our behalf. That sounds like great news to us, but is this something we can and should consider?

– Potentially Optimistic in Miami


July 3, 2024

Dear Potentially Optimistic,

Yes, this is certainly an option worth considering, and many businesses have taken this route before. Your contract with the vendor may even address notification obligations in the event of a security incident and whether they will provide notice to the impacted individuals on your behalf. However, here are a few things to keep in mind.

  1. Is the Notice Legally Compliant? Ensure your team reviews the content of the notice to confirm it complies with any potential legal obligations (e.g., if social security numbers are impacted, is the vendor providing consumers with any required credit monitoring?). Some breach notification laws have notice content requirements, so be sure to review the notice from that perspective.
  2. Does the Notice Explain Why the Vendor Has the Consumers’ Information? A common issue with vendor notices is that they might not explain why the vendor has the consumer’s information, which can confuse people. Make sure the notice explains this clearly. Data owners, such as yourself, sometimes request to be named specifically in the notice or that the notice include sufficient context to explain the relationship between the vendor and business, even if in general terms.
  3. Verify the Recipients and Process for Notification. Verify who will receive the notice and how it will be sent. If mailing, consider whether you need to review the addresses being leveraged or if the vendor already has the most up-to-date information.
  4. Call Center Scripts. If the vendor sets up a call center, ask to review the script to see what information will be given to consumers who call in.
  5. Proactive Notification. Even though your vendor may ultimately provide the formal breach notification letter, consider whether a proactive notification to affected individuals should be sent. Doing so may help alleviate concerns or questions as to the legitimacy of the notice and show that you’re involved and on top of the situation.

Remember, while the responsibility to notify usually lies with the data owner, you can still likely leverage a vendor to handle this. Just make sure you do your due diligence to ensure the notice complies with legal requirements and doesn’t create additional exposure for your company.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising

Written by:

Troutman Pepper