When evaluating new vendors, firms ask vendors to complete security questionnaires, using them to help determine what risks a new vendor might introduce into their environment and weighing that against the potential benefits of the product or service. The main problem with this process today? You might be asking the wrong questions. And the answers you’re receiving as a result don’t give you a true picture of the vendor’s risk profile. When it comes to targets for cyberattacks, there are few as attractive as the law firm. They hold not only their own very sensitive attorney work product, but also their clients’ most detrimental and risky documents and data. While people tend to be the primary weakness exploited by bad actors, each new vendor introduced into your infrastructure represents a new potential vector for attack.
Background
Let’s start with my experience in this space. Twenty-some years ago when legal tech was still emerging, we didn’t have the benefit of specialized information security professionals to help evaluate the tech we were buying and implementing. It was our responsibility to bring to the technology team a fully vetted product, meaning we needed to deeply understand the risk profile of the vendor ourselves.
Later, as an innovation leader within large law firms, I worked closely with our own GCs, infosec, privacy, and information governance professionals to find ways to mitigate risks within platforms that the firm needed. And when I moved to the vendor side, I frequently was the lucky one tasked with responding to law firm security questionnaires, eventually serving as the Security and Data Protection Officer for my last startup. Last summer, I earned the most well-respected Information Privacy certification available – the CIPP/E, which indicates expertise in EU privacy regulations.
Today, I help US-based startups develop and implement security and privacy policies that align with the needs and expectations of law firms and legal teams. And I act as a fractional security officer who helps startups respond to law firm security questionnaires. I see the questions you’re circulating, and I talk with startup leaders about your questions -- both what the words mean and what you're probably after. And they’re often quite far apart.
Let’s dig in with one of the most straightforward examples – GDPR compliance.
"Are you GDPR Compliant?"
Almost every security questionnaire, whether the firm has employees dispersed internationally or not, asks some version of this very broad question. And when I review it with my startups, it always starts a discussion around what is being asked.
On one hand, the General Data Protection Regulation (GDPR) is a pretty specific regulation with clearly defined penalties for violations. On the other hand, GDPR is a bit like the US Tax Code – though the rules are pretty clear, to whom they apply and how precisely they apply is left to some interpretation.
Let’s take a quick detour to compare and contrast to whom one of the most stringent US privacy laws, the California Consumer Privacy Act (CCPA), applies in comparison to GDPR.
The CCPA applies to for-profit businesses that do business in California and meet any of the following:
- Have a gross annual revenue of over $25 million;
- Buy, sell, or share the personal information of 100,000 or more California residents or households; or
- Derive 50% or more of their annual revenue from selling California residents’ personal information.
Even as an outsider, it's likely you could easily tell if a vendor you’re vetting is subject to the privacy obligations of CCPA.
Do they seem like they're making more than $25 million in revenue a year? How likely is it that they have personal information, usually from customers, of more than 100,000 people in California? Are they in the business of selling data?
So, instead of asking if they’re CCPA-compliant, asking these three questions tells you that they’re obligated to be. If you then ask if they’re CCPA-compliant as the fourth question, you know right away whether they likely handle customer data in a legal way. Think about it – if they answer ‘yes’ to any questions that would make them subject but answer ‘no’ to being compliant, they’re probably lacking maturity and knowledge in data security; they're clearly not aware of or observing their legal obligations. If the solution you’re evaluating involves a lot of personal data, I’d suggest you run from this vendor based on those answers alone.
In complete contrast, you could ask 10 well-educated privacy professionals whether GDPR applied to a particular US-based company and probably end up with answers split 70/30. And both sides would have great explanations for why they believe it did or did not apply. Why? Because there’s so much ambiguity in who it applies to.
For instance, a US company probably falls under the extra-territorial scope of the GDPR if it has a “physical presence” in a GDPR country. If it has a team developing the product in Romania, which is in the EU, is that a “physical presence”? It might depend on the developers’ employment status, something that's hard for you to evaluate as an outsider. A US company could also be subject to GDPR if it transfers data to or processes data in a GDPR country. Or it may be subject if the data you give it, which often comes from a client, contains the protected information of EU citizens and residents. How can you, as an outsider, possibly evaluate that? And as a result, how can you possibly know if they have a legal obligation to handle your data a certain way?
Even if you’re a US firm whose people may not be due all the protections of GDPR, it’s critical for you to have information you can base current and future risk decisions upon. And I promise you, you're not getting that today with the questions you're asking.
Do you see why we should be rejecting this question as, “Objection. Overly broad”?
What Do You Really Want to Know?
It’s critical that you:
- understand the things you're asking about, and
- define exactly what information you hope to learn from the answer.
In the case of GDPR, know that it only protects the personal data of individuals, not companies. There is absolutely no protection for the handling or privacy of your company information. So if you’re asking about GDPR compliance, you’re really asking about how they protect the personal information of your users and any personal information you might store in the system. Not your firm data, and not your clients’ company data.
Second, it protects the data of individuals living and working in the EU and other countries who’ve adopted the regulation. If your users are all in the US and the vendor is in the US, you’re probably not gaining any useful information out of this answer.
More than likely, what you're trying to understand is how this vendor would protect your data and what rights you have if they don't. But if the only question you ask here is whether a company is GDPR compliant, you’re probably not getting an answer that aligns with your expectations.
In fact, a 2022 study by Cytrio found that 95% of US companies were not GDPR-compliant.
What percentage of your vendors are answering “No” when asked if they’re GDPR-compliant?
Don’t Demand Things You Don’t Need
One quick caution against demanding GDPR compliance from all vendors as a blanket standard – and against applying blanket standards without regard for the risk the product presents or how you intend to use it.
When you force a young company to attain a certification or status just to do business with you, that’s money they're not spending on the other features you ‘simply must have.’ Don't demand protections you don't need.
And ensure you understand the ones you're asking for. In an upcoming piece, I’ll expose some of the misconceptions around SOC2 'certifications.' (SOC2 is not a security standard, and a SOC2 Type 1 report tells you nothing about how they execute security in the regular course of business.)
What’s the Right Question?
Know that one question won't get you the information you want. But there are some easy “gotchas” that tell you some key information quickly.
So why isn’t asking ‘Are you GDPR compliant’ the right question? Because it fails to establish whether they, first and foremost, have a regulatory obligation to handle your data according to defined standards. And, in an industry of lawyers and lawsuits, establishing your legal protections and rights should be the first step in your risk mitigation strategy.
To get a clear, irrefutable understanding of your vendor, what if you asked the question in a way that forced the vendor to very clearly state whether they are treating your data under the legal obligations of GDPR or not? Try this simple branched question sequence:
- Is your company subject to the legal and regulatory obligations of the GDPR?
  - If they answer ‘Yes,’ you now have in writing that they believe they have a legal obligation to protect your data under all the rules of GDPR.
- Please name and provide contact details for your Data Protection Officer.
  - If they’ve indicated they’re subject to GDPR and they don’t have a DPO, this is a red flag. A DPO is a legal requirement under GDPR.
- Please list all companies with whom you’ve entered into a Data Protection Agreement (DPA).
  - This is the primary method your vendor uses to protect your data when they share it with their vendors (like CRMs, contractors, and other tools they use to deliver their service to you). And again, this is a legal requirement under GDPR. If they don't list any, it either means they have zero third parties touching their data (not so common) or it’s a red flag. It might mean they're already in violation of their obligations.
- Please list all Third-Party Processors in use today.
  - If this list isn't the same as the DPA list of companies above, this may also be a red flag. Third-Party Processors should all be bound by DPAs.
What if they answer “No” when asked if their company is subject to GDPR? Remember, GDPR isn’t magical, and you can establish similar protections simply by asking for them. But can you learn anything from a negative answer? With some quick follow-up, it can be very enlightening.
First and foremost, it’s worth finding out if they even understand GDPR or that they may have obligations regardless of where they're headquartered. Why? This helps you judge whether they're likely to recognize their future privacy obligations, especially as it relates to your engagement.
So when a company indicates they don't believe they're subject to GDPR, take the opportunity to gauge their background knowledge on the issue by asking a simple follow-up.
- What reasons or criteria have led you to determine that your company is not subject to GDPR?
  - If you think they are wrong in their reasoning, please tell them. Many of the companies I work with are shocked to find how easy it is to fall under GDPR. Simply having a satellite office in Europe or offering pricing in Euros can be enough.
  - If their answer indicates they are completely unaware of GDPR or privacy rights in general, which I find is quite common amongst less mature US companies, consider it a major red flag. If they're not informed on data privacy at this stage, the right decision might be to revisit this vendor at a later stage of maturity.
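To show how the CCPA threshold questions above and this branched GDPR sequence can be scored consistently across many vendors, here is an added checker that encodes the article's red-flag logic; it is my own example, not the author's tooling, and the field names, the vendor answers and the red-flag wording are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed checker for the questionnaire logic described in the article:
# the three CCPA applicability thresholds and the branched GDPR questions.
# Field names and red-flag wording are my own; thresholds come from the article.
CCPA_REVENUE_USD = 25_000_000
CCPA_RESIDENT_RECORDS = 100_000
CCPA_SELLING_SHARE = 0.5


@dataclass
class VendorAnswers:
    revenue_usd: float
    ca_resident_records: int                   # CA residents/households whose PI they hold
    share_revenue_from_selling_pi: float       # 0.0 .. 1.0
    claims_ccpa_compliant: bool
    subject_to_gdpr: bool
    dpo_contact: str = ""                      # empty = no Data Protection Officer named
    dpa_counterparties: set[str] = field(default_factory=set)
    third_party_processors: set[str] = field(default_factory=set)
    not_subject_reasoning: str = ""            # only asked when subject_to_gdpr is False


def ccpa_applies(a: VendorAnswers) -> bool:
    """Meeting any one of the three CCPA thresholds makes the vendor subject."""
    return (a.revenue_usd > CCPA_REVENUE_USD
            or a.ca_resident_records >= CCPA_RESIDENT_RECORDS
            or a.share_revenue_from_selling_pi >= CCPA_SELLING_SHARE)


def red_flags(a: VendorAnswers) -> list[str]:
    """Return the red flags the branched questions are designed to surface."""
    flags = []
    # Subject to CCPA on their own numbers, yet not claiming compliance.
    if ccpa_applies(a) and not a.claims_ccpa_compliant:
        flags.append("meets a CCPA threshold but does not claim CCPA compliance")
    if a.subject_to_gdpr:
        if not a.dpo_contact.strip():
            flags.append("subject to GDPR but no Data Protection Officer named")
        if not a.dpa_counterparties:
            flags.append("subject to GDPR but no DPAs listed")
        # Every third-party processor should appear on the DPA list.
        unbound = a.third_party_processors - a.dpa_counterparties
        if unbound:
            flags.append("processors not covered by a DPA: " + ", ".join(sorted(unbound)))
    elif not a.not_subject_reasoning.strip():
        flags.append("claims not subject to GDPR but gave no criteria for that conclusion")
    return flags
```

Feeding each vendor's answers into `red_flags` yields the same list of follow-up items for every reviewer, which makes the negative answers as informative as the positive ones.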
One Last Tip
Well-structured, yes/no questions might be great for scoring, but open-ended questions can help identify weaknesses in a vendor’s security program. I’m definitely not suggesting you make them longer -- they're already torturously long. Instead, swap in open-ended questions where the closed one falls short.
Start with the End in Mind
While the example above digs into GDPR, I've seen similar issues with questions on almost every topic within a security questionnaire. While these aren't intended to be an audit, it's critical that you start by identifying the information you need to make a confident decision around the risk a vendor presents. When you start with the end in mind, both your process and the questions you need answered become a lot more clear.
Need Help with your Compliance Programs?
Let's talk. Whether you’re refining your current questionnaire or need to align your program with the unique standards of the legal profession, there are few who have been a part of these programs as both a legal buyer tasked with protecting the firm and a legal tech seller who needs to get their product approved for use.