Vendor selection isn’t difficult but it’s critical to risk management

December 4, 2014

By Bob Johnson, NAID CEO

Every data protection law in the world holds clients responsible for making sure their third party data processors meet regulatory requirements and security standards. This applies to clients hiring services such as records storage, data destruction, computer recycling and imaging services, among others.

The regulations contain language to make sure clients take this responsibility seriously. Typical provisions include:

  • A contract with each such service provider in which the client and the service provider clearly delineate the security specification as well as what is necessary for the service provider's regulatory compliance. Such contracts specifically set out the service provider's obligation to notify the client in the case of a potential data breach and require the service provider to deliver appropriate staff training.
  • Language holding the client fully responsible, in the eyes of regulations (and regulators), for the behavior, security and compliance of the service provider.

The thinking, very sensibly, is that a client will be appropriately careful when selecting a vendor if the client ultimately bears the consequences of that vendor's actions. Ironically, the only way to shift some of this liability over to the service provider is by conducting the appropriate due diligence in the first place. The legal requirement to demonstrate a clear selection process based on proper vendor qualifications and agreements is one of the reasons NAID's certification program has become so popular with customers. Because of NAID's long history in certification, its extensive, regulatory-based security specifications, and its strong audit regime, it does for the client what the client does not have the capability to do on its own. Learn more about the NAID AAA Certification Program at