Introduction
This How-to guide will assist in-house counsel, private practice lawyers, and risk and compliance professionals to develop the procedures and policies an organization needs to understand and reduce data security risks and liabilities arising from relationships with third parties, such as vendors and service providers.
This guide covers common types and causes of third-party risks, how to conduct a third-party risk evaluation, and regulatory compliance related to third-party privacy and security risks. It does not cover general privacy and data security risks in detail.
This guide covers how to:
- Understand third-party data and security risks
- Undertake a risk analysis
- Comply with regulatory obligations
For further information, consult How-to guides: How to develop, implement and maintain a US information and data security compliance program, How to determine and apply relevant US privacy laws to your organization and Checklists: Completing data privacy risk assessment and Understanding privacy laws in the US.
Section 1 – Understand third-party data and security risks
An organization loses control over data once it is transmitted to a third party. Yet, generally, an organization’s use of third parties to perform activities does not diminish its responsibility to ensure that the activity is performed properly and in compliance with applicable laws. The combination of loss of control with continued legal responsibility creates significant legal and financial risks for organizations that entrust third parties with data, especially sensitive data.
Fortunately, it is possible to mitigate third-party risks. When you develop a risk management plan for your organization, consider a variety of factors, such as the number of third parties with whom your organization shares data, the reasons for sharing the data, the amount and type of data shared, and applicable legal standards, including those applicable only or largely to your organization's particular industry.
1.1 Common types of risks
The risks posed by third-party data access are varied and complex.
1.1.1 Cybersecurity
Providing third parties with data access creates cybersecurity risks because cyber criminals may be able to exploit third parties with weaker security systems to gain access to your organization’s data. For example, in 2017, the credit card information of mega-retailer Target’s customers was accessed through a cyberattack launched by gaining access through one of Target’s third-party vendors.
1.1.2 Financial
The financial risks of unauthorized third-party access to data have a broad reach. A breach of cybersecurity may, and often does, result in significant financial losses. IBM’s 2025 Cost of a Data Breach study puts the global average cost to a company of dealing with a data breach at $4.44 million per incident, a 9% decrease from the 2024 global average of $4.88 million. The 2024 figure had itself risen by 10% from $4.45 million in 2023.
1.1.3 Operational
Operational or business continuity risk is the loss caused by any disruption to services or products and failure to meet the organization’s contractual obligations. This can be caused by inadequate or failed systems or processes, for instance. Often, operational risks involving third-party data access can be managed by service level agreements (SLAs) and by having backup vendors available for critical services. A well-crafted SLA will set out how security and operations will be carried out, and will clearly delineate the expectations and requirements for each party. Backup vendors will allow your organization to continue to operate smoothly in the event of a disruption that cannot be immediately remedied.
1.1.4 Regulatory noncompliance
An organization can face liability if it fails to adhere to standards set by regulations, laws, or the specific industry. This risk comes up often in heavily regulated industries, such as health care and finance. As mentioned above, an organization could be held liable for failures by third parties to whom it grants data access.
1.1.5 Reputational
A data security event can negatively affect public opinion, whether it interferes with the organization’s ability to meet its objectives, decreases trust, or prompts concerns that the costs of these events will be passed on to customers. Third-party data breaches caused by poor security controls can have devastating reputational effects. Consider the number of disgruntled customers (likely former customers after the breach) who will post negatively on social media because the organization did not demonstrate adequate care for their personal information.
1.2 Common causes of third-party related data and security issues
Various causes of data and security issues can arise from third-party relationships. These causes may be intentional, or they may be unintentional, the result of negligence or carelessness. The following are a few of the most common causes of such issues.
1.2.1 Access privilege violation
Third-party access to data is usually made subject to defined use privileges. For instance, the organization grants access only to certain people, or shares only certain data. Third parties could violate those conditions of use, for example, by unauthorized sharing of access credentials or gaining unauthorized access to sensitive information.
1.2.2 Human error
Inadvertent mistakes by third parties, such as accidental data deletion or sharing, input errors, and system misconfiguration, can lead to significant problems. While it is unlikely that all possibilities for human error could ever be eliminated, it is important to be aware of the most likely points at which human error could cause a security breach.
1.2.3 Intentional data theft
Data theft is also a risk, especially where third parties have access to valuable or confidential information.
1.2.4 Fourth-party actors
Fourth parties (ie, the subcontractors of third parties) may be undetected and very difficult to control. To address this risk, carefully monitor data access and third-party security policies. The third party should be able to provide evidence of its security protocols and how they apply to fourth parties.
Section 2 – Undertake a risk analysis
An analysis of the risks posed by third-party access to an organization’s data is a multi-step process tailored to the individual needs of the organization. This third-party risk assessment is just one portion of an organization’s overall data privacy and security risk assessment (see step 2.3 in Checklist: Completing a data privacy risk assessment).
For guidance on other aspects of risk assessment, review Checklist: Completing a data and information security risk assessment.
The fundamental steps include the following:
- inventory of third-party relationships and data access;
- review of security provisions in existing contracts;
- assessment of individual risk points through internal and external review;
- development of key performance indicators (KPIs); and
- creation of processes and policies for screening, onboarding, remediation, and ongoing reassessment.
2.1 Inventory of third-party relationships and data access
The first step in data risk analysis of third-party relationships is to take an inventory of all the third parties you share data with and acquire an understanding of the characteristics of their access and their security policies. You can only obtain true data privacy and security through effective and coordinated data protection measures. The efforts that your organization takes to protect its privacy and security are undercut if you share data with a third party that does not undertake parallel efforts.
2.1.1 Prepare an inventory of third-party relationships
It is essential to identify each external party that has access to an organization’s data.
2.1.2 Assess third parties’ access to organization data
Look at the character of the third-party data access to assess the risk created by the relationship, evaluate compliance requirements, and develop appropriate risk mitigation measures.
Consider the key questions below when assessing third-party access.
- What type of data is shared with the third party?
- What amount of data is shared with the third party?
- How is the data shared with the third party?
- How long will the third party have access to the data?
- How does the third party return or destroy data that has been shared?
2.2 Review of security provisions in existing contracts
A thorough review of the organization’s contracts with identified third parties is necessary at this point. This maps the relationships and helps to assess whether third parties are accountable for the data obtained from the organization.
Contract provisions addressing privacy and security provide standards that third parties must follow when working with the organization and its data. Tailor minimum security and privacy requirements to each relationship and the type of data involved. Contract provisions can also set minimums for cybersecurity insurance that the third party is required to carry for each type of transaction.
Look at whether contracts include third-party warranties and representations regarding protections for data, such as the following:
- data use only for stated purposes;
- prohibitions on data sharing or selling;
- minimum security requirements in place to protect data;
- prompt notice of events such as breaches;
- third-party staff training on the organization’s data security requirements; and
- data or cyber insurance coverage.
2.3 Assessment of individual risk points through internal and external review
After the organization has inventoried its third-party relationships, it should assess the risks presented by these relationships.
2.3.1 Create list of potential third-party risks
Determine what the organization’s risk points are in these relationships. In each case, the answer will depend on the individual third party and their access to data. Examples of risks might include the following:
- data breach;
- downtime to respond to and contain the breach;
- regulatory violations due to inadequate data security controls; and
- downstream misuse of data.
2.3.2 Conduct internal review of third parties
In an internal review, your organization assesses the third parties based on the knowledge it already has or can readily obtain without the third party’s input. A crucial part of the internal review is a review of the third party’s history regarding data breaches. This can be based on your organization’s own experience of working with the third party, or may consist of a search through the archives of news sources, or (if possible) government records regarding reported breaches. A persistent record of data insecurity is a significant red flag, and merits further investigation.
2.3.3 Have third party conduct self-assessment
An additional option is to have the third party conduct a self-assessment, either by providing its own report according to your criteria, answering questionnaires, hiring an outside consultant to provide an assessment or certification, or some combination of these options.
Questionnaires are a good starting point for evaluating third-party security controls. Responses to the questionnaires should reveal deficiencies in data security. For instance, a questionnaire could require the third party to:
- identify personnel in charge of cybersecurity;
- describe what data protections are in place;
- report any previous breaches and responses, including recovery time;
- describe current plans and procedures for responding to breaches;
- provide past internal risk assessment results; and
- identify capabilities, such as disaster recovery and routine risk assessments.
A variety of industry-specific tools exist for assessing and certifying the adequacy of third-party data security. For instance, System and Organization Controls (SOC) certification is a voluntary compliance standard for third-party service organizations. Developed by the American Institute of Certified Public Accountants, it evaluates third-party data management based on several criteria, including:
- security;
- availability of information and systems for operation and use to meet the organization’s objectives;
- processing integrity;
- confidentiality; and
- privacy.
2.3.4 Use risk list, self-assessment, and internal review to assess risk
The three operations outlined above (making a risk list, conducting an internal review, and requiring self-assessment) will help to start discussions on the risk profile of an organization’s relevant partners.
The risk assessment also depends on the sensitivity of the data involved and whether an organization can minimize the risks when it shares the data with third parties. For instance, it might be possible to de-identify sensitive data before it is shared with third parties; or there may be ways to avoid unnecessary data proliferation.
2.4 Development of key performance indicators (KPIs)
The risk assessment should provide the organization with the information it needs for the next step: risk reduction.
2.4.1 Develop third-party KPIs
An organization should develop third-party KPIs for risk reduction. KPIs provide snapshots of how third-party data security functions over time as a way of measuring overall data security.
Indicators might include the following, each counted or measured over a defined period of time (eg, per day, week, quarter, or year):
- the number of security incidents;
- the mean time needed to identify or detect (MTTI/MTTD) a security incident;
- the mean time needed to contain or resolve (MTTC/MTTR) a security incident;
- the number and duration of employee interactions with data;
- the number of remote connections to the third party’s network capable of accessing the organization’s data and the duration of those connections; and
- periodic employee security training and review of data access privileges.
SLAs containing performance metrics can be the basis for setting KPIs. They enable the organization to monitor whether a third party is living up to its contractual obligations and required security standards.
The SLA may indicate acceptable levels or ranges for all of these indicators. Changes in these indicators may indicate heightened risk. The frequency of checking KPIs depends on the inherent risk involved in the service or product and how critical it is to the organization’s business.
2.4.2 Request appropriate changes from third parties
If the third party’s KPIs sink, or are persistently low, and the third party fails to fix the problem or otherwise fails to perform, termination of the contract may be appropriate. However, before that point is reached, consider remediation in order to avoid the costs of screening and onboarding new partners. The contract with the third party should provide for a remediation process and a means of tracking progress. This could include heightened monitoring until identified problems are addressed.
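The following is an added illustration, not code from the guide, of how the KPIs in 2.4.1 and the remediation trigger in 2.4.2 can be tracked in practice: it computes per-vendor incident counts, mean time to detect (MTTD, event start to detection) and mean time to resolve (MTTR, detection to resolution) per quarter, checks them against SLA thresholds, and flags a vendor whose KPIs sink quarter over quarter as a candidate for heightened monitoring. The vendor names, incident timestamps and SLA values are all constructed for the example.

```python
"""Third-party KPI tracking: MTTD/MTTR and incident counts per vendor per
quarter, checked against SLA thresholds, with a degrading-trend flag that
marks a vendor for remediation follow-up. Added example; all data constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class Incident:
    vendor: str
    occurred: datetime   # when the security event actually began
    detected: datetime   # when it was identified (MTTD clock stops here)
    resolved: datetime   # when it was contained/resolved (MTTR clock stops here)


# Constructed sample incident records for two hypothetical vendors.
INCIDENTS = [
    Incident("acme-hosting", datetime(2025, 1, 3, 8, 0), datetime(2025, 1, 3, 10, 0), datetime(2025, 1, 3, 14, 0)),
    Incident("acme-hosting", datetime(2025, 2, 10, 1, 0), datetime(2025, 2, 10, 2, 0), datetime(2025, 2, 10, 6, 0)),
    Incident("acme-hosting", datetime(2025, 4, 5, 9, 0), datetime(2025, 4, 6, 9, 0), datetime(2025, 4, 7, 9, 0)),
    Incident("acme-hosting", datetime(2025, 5, 20, 0, 0), datetime(2025, 5, 21, 12, 0), datetime(2025, 5, 23, 0, 0)),
    Incident("payroll-svc", datetime(2025, 4, 15, 9, 0), datetime(2025, 4, 15, 9, 30), datetime(2025, 4, 15, 11, 0)),
]

# Constructed SLA limits (hypothetical contract values): hours for MTTD/MTTR,
# and the maximum number of incidents tolerated per quarter.
SLA_LIMITS = {
    "acme-hosting": {"mttd": 12.0, "mttr": 24.0, "max_incidents": 3},
    "payroll-svc": {"mttd": 4.0, "mttr": 8.0, "max_incidents": 1},
}

# A metric that worsens by more than this factor versus the prior quarter
# counts as "sinking" and triggers heightened monitoring.
TREND_FACTOR = 1.5


def quarter_of(ts: datetime) -> str:
    return f"{ts.year}Q{(ts.month - 1) // 3 + 1}"


def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def compute_kpis(incidents):
    """Return {vendor: {quarter: {"incidents": n, "mttd": hours, "mttr": hours}}}."""
    grouped = defaultdict(lambda: defaultdict(list))
    for inc in incidents:
        grouped[inc.vendor][quarter_of(inc.occurred)].append(inc)
    kpis = {}
    for vendor, quarters in grouped.items():
        kpis[vendor] = {}
        for q, incs in sorted(quarters.items()):
            kpis[vendor][q] = {
                "incidents": len(incs),
                "mttd": round(mean(hours(i.detected - i.occurred) for i in incs), 2),
                "mttr": round(mean(hours(i.resolved - i.detected) for i in incs), 2),
            }
    return kpis


def evaluate(kpis, sla):
    """Return {vendor: [(quarter, finding), ...]} listing SLA breaches and any
    quarter in which MTTD or MTTR degraded by more than TREND_FACTOR."""
    findings = {}
    for vendor, quarters in kpis.items():
        limits = sla[vendor]
        notes = []
        prev = None
        for q, k in sorted(quarters.items()):
            for metric in ("mttd", "mttr"):
                if k[metric] > limits[metric]:
                    notes.append((q, f"{metric} {k[metric]}h > SLA {limits[metric]}h"))
            if k["incidents"] > limits["max_incidents"]:
                notes.append((q, f"incidents {k['incidents']} > SLA {limits['max_incidents']}"))
            if prev and (k["mttd"] > TREND_FACTOR * prev["mttd"]
                         or k["mttr"] > TREND_FACTOR * prev["mttr"]):
                notes.append((q, "degrading trend vs prior quarter: heightened monitoring"))
            prev = k
        findings[vendor] = notes
    return findings


if __name__ == "__main__":
    kpis = compute_kpis(INCIDENTS)
    for vendor, quarters in kpis.items():
        for q, k in quarters.items():
            print(f"{vendor:13} {q}  incidents={k['incidents']}  MTTD={k['mttd']}h  MTTR={k['mttr']}h")
    for vendor, notes in evaluate(kpis, SLA_LIMITS).items():
        for q, note in notes:
            print(f"FLAG {vendor} {q}: {note}")
```

The report separates two kinds of findings: hard SLA breaches, which the contract’s remediation clause should address directly, and a trend flag that fires before any threshold is crossed, which is the signal to start the heightened monitoring the guide recommends rather than waiting for a formal breach.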
2.5 Creation of processes and policies for screening, onboarding, remediation, and ongoing reassessment
The process of screening and onboarding new partners is a chance to ensure that they have appropriate data security policies in place.
You may need to impose contract provisions containing data security policies and procedures on all new third-party contractors. The policies should describe the required privacy practices. Tailor policies and procedures to the individual third-party service provider based on individualized risk assessments and the needs of the organization.
An organization could also impose a blanket requirement on all third parties who handle its data. For instance, onboarding could include certification to an appropriate compliance standard, such as SOC.
Depending on the industry, various other compliance standards may apply. For instance, merchants, service providers, and financial institutions involved with credit and debit card transactions must observe the Payment Card Industry Data Security Standards (PCI-DSS). These are security standards formed by major credit card companies to secure credit and debit card transactions against data theft and fraud, and compliance is required of any business that processes payment card transactions. In order to meet the minimum requirements, organizations must have certain data protections in place, such as:
- firewalls;
- data transmission encryptions; and
- antivirus software.
It may also be desirable to engage an outside partner to handle screening and onboarding of third parties. Such a partner can also develop and maintain an organization’s data security requirements. This could include creating due diligence processes for evaluating the adequacy of data protections used by all third parties who have access to data from the organization.
2.5.1 Ongoing reassessment
Data security risks need to be managed over time. The initial steps of screening and onboarding enable the parties to create a contract with adequate data protections at the start of their relationship, but left unchecked and uncontrolled, third-party access to data creates vulnerabilities. Therefore, ongoing reassessment of data security in third-party relationships is necessary.
The use of KPIs enables the parties to assess and reassess compliance with an organization’s contractual and legal requirements. At a basic level, reassessment can include routine audits and training. More advanced risk management includes continuous monitoring of key processes and access privileges.
Your organization should designate staff or hire outside monitors to be responsible for oversight of third-party access to the organization’s data. Other options include expanded data security insurance coverage for your organization and the third party.
Section 3 – Comply with regulatory obligations
A complex medley of state and federal laws and regulations impacts data security and an organization’s potential liability for third-party handling of data. Many of these require organizations to implement data security practices, including incorporating data security provisions into contracts with third parties.
3.1 State contracting laws
Many states require certain types of businesses to implement information security measures, especially for protecting the personal data of their customers. About a dozen of those states also require businesses to impose data security provisions on third-party service providers. However, the comprehensive privacy laws recently enacted at the state level also explicitly limit secondary liability.
3.1.1 California
The California Consumer Privacy Act of 2018 (CCPA), Cal Civ Code section 1798.100 et seq, protects California residents from the unauthorized disclosure of their personal information. Companies covered by the law are required to maintain security procedures and practices that are reasonable in light of the nature of the personal information. It also requires that California residents be given the option to opt out of covered companies selling their personal information to third parties.
Covered companies under the CCPA are defined as for-profit businesses with at least $25 million in global revenue per year, to be adjusted every odd-numbered year to reflect any increase in the Consumer Price Index; who deal in the personal information of at least 50,000 California residents annually; or who earn at least 50% of their annual revenue from selling California residents’ information.
The California Privacy Rights Act of 2020 (CPRA), expands the CCPA and came into full effect on January 1, 2023. Among the most significant changes, it imposes important obligations on third parties who handle personal information, such as the following:
- third parties must refrain from using personal data inconsistently with the use promised upon receipt of the data;
- third parties must provide consumers with notice of changes in data use and security practices; and
- third parties must provide consumers with notice of sales of personal information and the opportunity to opt out of the sale.
However, the CPRA also explicitly states that a business that discloses personal information to a service provider or contractor in compliance with the Act shall not be liable under the Act if the receiving entity uses the personal information in violation of the Act’s restrictions, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider or contractor intends to commit a violation. A service provider or contractor likewise will not be liable for the obligations of a business for which it provides services as set forth in the Act, provided that the service provider or contractor shall be liable for its own violations.
3.1.2 Virginia
Virginia’s Consumer Data Protection Act (VCDPA) went into effect on January 1, 2023 but was amended with provisions effective January 1, 2026. The amendments are primarily directed towards social media and the protection of minors. The VCDPA applies to all businesses that conduct business in the state, or target Virginia residents, and either control or process the personal data of at least 100,000 consumers, or derive at least 50% of gross revenue from the sale, control, or processing of personal data of at least 25,000 individual Virginia residents.
The VCDPA lists privacy protection obligations for data controllers and processors. It also requires organizations to enter into security agreements with third-party service providers that process personal data for the organization.
The Act also explicitly limits secondary liability. A covered entity that discloses personal data to a third-party controller or processor and is in compliance with the law will not be found to have violated the law even if the third-party recipient violates its provisions, provided that, at the time of disclosing the personal data, the disclosing entity did not have actual knowledge that the recipient intended to commit a violation. Similarly, a third-party controller or processor receiving personal data from a controller or processor in compliance with the Act will not be liable for transgressions of the controller or processor from which it receives the data.
3.1.3 Colorado
The Colorado Privacy Act (CPA) went into effect on July 1, 2023 and has been amended most recently in 2024 with provisions relating to minors that become effective October 1, 2025. The CPA applies to legal entities doing business in Colorado or that target Colorado residents, and that either control or process the personal data of at least 100,000 Colorado residents annually, or derive revenue from the sale of personal data and control or process the personal data of more than 25,000 individual Colorado residents.
The CPA requires covered entities to impose contract provisions on third parties who process personal data, including annual, documented cybersecurity audits and inspections to assess personal data protections.
The CPA also provides that covered entities that disclose personal data to another controller or processor in compliance with the Act do not violate its requirements if the recipient processes the personal data in violation of the law and, at the time of disclosing the personal data, the disclosing entity did not have actual knowledge that the recipient intended to commit a violation.
Where more than one controller or processor, or both a controller and a processor, involved in the same processing violates the CPA, liability will be allocated among the parties according to principles of comparative fault. Controllers and processors are not permitted to enter contracts to relieve them from the liabilities imposed based on their role in a violation.
3.1.4 Connecticut and Utah
Connecticut and Utah also have comprehensive privacy laws. Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring, which went into effect on July 1, 2023, was significantly updated in 2025. Utah’s Consumer Privacy Act went into effect on December 31, 2023. Overall, these laws are quite similar to those enacted in Virginia and Colorado.
The Connecticut law applies to entities that conduct business or target residents in the state and either process the personal data of at least 100,000 consumers or of at least 25,000 consumers and derive more than 25% of their gross revenue from the sale of personal data. (Notably, it expressly exempts personal data processed solely for payment transactions.) Effective July 1, 2026, the Connecticut law will apply to entities that either process the personal data of at least 35,000 consumers, control or process sensitive data other than data just for completing payment transactions, or offer to sell consumers’ personal data.
The Utah law applies where an entity conducts business or targets consumers in Utah, has annual revenue of at least $25 million, and either controls or processes personal data of at least 100,000 consumers; or derives over 50% of its gross revenue from selling personal data and controls or processes personal data of at least 25,000 consumers.
Like the CPA and the VCDPA, both laws explicitly limit liability for violations by third parties, unless the covered entities had actual knowledge that the third party would, or intended to, violate the respective laws’ requirements.
3.1.5 Iowa
Iowa recently became the sixth state to pass a comprehensive privacy law, which went into effect on January 1, 2025. The law applies to any business that controls or processes the personal data of at least 100,000 Iowa consumers during a calendar year. It likewise applies to any business that derives more than 50% of gross revenue from the sale of personal data, if it controls or processes the personal data of at least 25,000 Iowa consumers.
Under the new law, consumers are afforded four key rights:
- right to access;
- right to delete;
- right to portability; and
- right to opt out of the sale of their personal information.
Controllers of personal information that engage in targeted advertising must ‘clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity.’ Controllers must also provide a reasonably accessible, clear, and meaningful privacy notice that identifies, among other things, the categories of personal data that is shared with third parties and the categories of those third parties receiving the data.
3.1.6 Other state contracting laws
Other states with data security laws that came into effect in 2024 and 2025 are Delaware, Montana, New Jersey, Oregon, Tennessee, and Texas. Indiana’s data security law comes into effect January 1, 2026. More data security laws are on the horizon, including laws targeting third-party use of data. According to the National Conference of State Legislatures (NCSL), the number of states with data security laws has doubled since 2016. Cybersecurity is also a growing focus; recent legislative efforts include incentives for businesses to have reasonable security practices in place at the time of a breach.
These measures include data security laws of general application, as well as laws addressing the specific security needs of various sectors, such as health care and finance. For example, the New York Department of Financial Services (DFS) Cybersecurity Regulation Part 500 (New York DFS Regulation) makes it mandatory for all covered financial organizations to implement a third-party service provider security policy. See 23 NYCRR section 500.11. The rule calls for minimum cybersecurity practices by all third-party service providers, due diligence to evaluate their practices, and periodic risk assessment. Additionally, organizations covered by the New York DFS Regulation must document their own guidelines and impose contract provisions on third parties to address access controls, multi-factor authentication, encryption, and notice of incidents (eg, security breaches).
3.2 Federal contracting laws
At the federal level, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has rules for certain types of third-party contracts. HIPAA generally requires that covered entities enter into contracts with third-party business associates that oblige the business associate to take certain privacy and security measures to protect any Protected Health Information that the business associate is given. Consult the HHS Business Associate Contracts guide for additional information.
Outside of HIPAA, federal data privacy and security laws tend to provide more general data security standards as opposed to strict contract requirements. Nonetheless, review and consider applicable federal data security and privacy laws when you evaluate third-party risks and develop associated contracts.
The FTC has issued some guidance on the data risks of utilizing third-party vendors. In Cybersecurity for small business: Vendor security, the FTC instructs small businesses on:
- how to monitor your vendors;
- how to protect your business; and
- what to do if a vendor has a security breach.
In addition, the FTC has issued a factsheet about vendor security.
3.3 Other compliance obligations
There are many other sources of third-party data security compliance obligations. Many of these, while they do not directly cover third-party relationships, need to be considered because a third party’s actions could undermine an organization's compliance and its reputation.
The Sarbanes-Oxley Act of 2002 (SOX) applies to all publicly held US companies and the accounting firms that audit them. It requires covered organizations to demonstrate financial data security compliance in 90-day cycles. SOX does not explicitly mention third-party risk management, but an organization’s liability for data leaks and breaches extends to all the third parties who have access to the organization’s sensitive financial data.
Every state has a data breach notification statute. With some variation from state to state, these laws require disclosure of data breaches to the affected individual, the owner or licensee of the data, credit reporting agencies, the state attorney general, and other state agencies. The organization itself must undertake notification, even if the breach occurred through a third party responsible for processing data for the organization.
See eg, Alaska Stat section 45.48.010 et seq, DC Code section 28-3851 et seq, Iowa Code section 715C.1 et seq, 73 Penn S section 2301 et seq, and Wash Rev Code section 19.255.010.
Additionally, the Federal Trade Commission (FTC) has the power to enforce data security laws. This includes the authority to bring actions against organizations that inadequately protect the security of personal information, including when that information is handled by third parties. The FTC treats these cases as unfair trade practices. See 15 USC section 45(a) (prohibiting ‘unfair or deceptive acts or practices in or affecting commerce’) and also How-to guide: How to identify and manage antitrust and unfair trade practice risk.
3.4 EU General Data Privacy Regulation
Another major source of potential liability is the European Union’s General Data Privacy Regulation (GDPR), in force since 2018. The GDPR applies extraterritorially in certain situations, including where a company offers goods or services to, or that processes the data of, people in the EU. The GDPR also covers data transfers outside the EU, and requires protections to be in place that are essentially equivalent to those in the EU. The GDPR’s accountability provisions also hold organizations responsible for the actions of their third-party data processors.
Additional Resources
HHS Business Associate Contracts guide
NCSL State Data Security Laws summary
IBM Cost of a Data Breach Report
PCI Security Standards Overview
Related Lexology Pro Content
How-to guides:
How to determine and apply relevant US privacy laws to your organization
How to manage your organization’s data privacy and security risks
How to implement privacy by design within your organization
How to develop, implement, and maintain a US privacy law compliance program
How to develop, implement and maintain a US information and data security compliance program
How to evaluate the effectiveness of a data security or data privacy compliance program
How to develop a vulnerability disclosure program (VDP) for your organization to ensure cybersecurity
How to draft a privacy policy, and privacy and data security provisions in contracts
How to manage third party supply chain data privacy, security risks, and liability
Incident response plan readiness and identification of a reportable data breach
How to prepare for and respond to a governmental investigation or enforcement action for violation of US privacy laws
Checklists:
Understanding privacy laws in the US
Completing a data privacy risk assessment
Drafting internal privacy policies and procedures
Completing a data and information security risk assessment
Drafting a consumer privacy policy
Developing key privacy and data security contractual terms and provisions (B2C)
Privacy and data security law training
Completing a data incident response plan assessment
Responding to a data breach
Privacy and data security due diligence in M&A
Quick views:
Key data privacy and data security terms
Collection and use of non-consumer data
Regulation of data brokers