By the Apra Ethics & Compliance Committee
I keep getting notifications regarding a recent incident involving one of our industry’s vendors. It makes me wonder — how do I prevent such incidents from happening to my organization and what role can (or even should) I, as a prospect development professional, play in making sure that we never have to send out notifications like the ones I am receiving?
Into the Breach
Dear “Into the Breach,”
Thank you for your question. The incident to which you refer presents an excellent reason for us, as the prospect development professionals we are, to reflect on our own practices.
The new Apra Due Diligence Toolkit has resources for vetting companies, and this information can be useful for vetting vendors as well. Many of us are researchers, so researching your vendor is well within your wheelhouse!
Find out what you can about the company. Are there any recent or pending lawsuits? What are the allegations? Have they ever had to pay fines at the federal or country level and, if so, for what violations? How well funded are they? What are the backgrounds of the people working there, especially those in executive positions? Are they familiar with advancement? Have there been recent changes in c-suite at the office that might be of concern? Does the business seem to be doing well?
Answering these questions will get you a long way to understanding if it’s OK to move forward with a vendor. If you decide to move forward, here are a few other things to keep in mind:
- Contracts are long and dense, but you need to read them (and/or have your organization’s counsel review them) when you first sign on with a vendor and every time you renew, as the vendor may change the language in the contract and/or your organization may change its way of thinking about data and resources. This is a really important step.
- Does the contract contain language about data deletion? (i.e., Will the vendor delete your data when you terminate your contract or at some well-defined and mutually agreed upon point in time?) What happens to your data if the company goes under?
- Does the contract explain what the vendor will do if there is a data incident or breach? Are their terms acceptable to your organization?
- Does the contract contain language about data confidentiality? Are the terms acceptable to your organization?
- How does the vendor secure your data? If it’s too technical, find a colleague who can help you wade through. Are their standards acceptable to your organization?
- What is the supply chain of this vendor’s data? Is the data derived or obtained from acceptable (ethical and legal) sources? Is it publicly available? Will the vendor tell you where they get their data? If not, think about whether you want to assume the risk of buying data of unknown provenance. Is the data scraped? Is that acceptable for your organization?
- If the vendor is providing a model score, will they tell you exactly which data points went into the model? If they won’t provide that information, are you sure you want to use the model? Will you really know what it’s telling you?
- Does your organization have a data usage/sharing policy? Will working with this vendor be in compliance with your organization’s data usage policy?
- Is the vendor in compliance with registration regulations, such as the State of California Data Broker Registration Requirement, enacted in part due to the CCPA (search for your vendor here), or Vermont’s Data Broker Regulation (search for your vendor here)? NOTE: If you do not find your vendor listed, ask your third-party data vendor to explain why they are not subject to these registration regulations.
- How are you documenting the vendor due diligence that you are performing? You want to ensure you have a process in place so all vendors are vetted in the same way by you and your prospect development colleagues.
As always, ask your peers to weigh in. When you can, ask your legal counsel and/or your procurement people if you have questions or concerns. Their expertise can be really valuable!
Bottom line: You are what you eat. The data you acquire can set you up for a healthy future or can be a real risk to the health of your organization.
Know your data; know your vendor.