When Your Critical Service Providers Telecommute: Risks and Tips

COVID-19 Update

Date: March 25, 2020

Key Notes:

  • Remote working creates unique information security risks that hackers and data thieves are actively working to exploit.
  • When your service providers utilize remote working arrangements, they can expose your sensitive information, exponentially increasing your cybersecurity risks.
  • Proactive vendor security management can contain those risks if prompt action is taken.

In a previously published COVID-19 alert, we reported on the privacy and data security risks your business faces when transitioning to remote working and telecommuting operations. But even after implementing all appropriate precautions to protect your systems and the data that live on them, there exists another layer of risk relating to out-of-office work practices: your service providers. Just like you, many of your critical service providers have moved to remote working arrangements, meaning that the risks of data insecurity that your business faces from working remotely are multiplied by each of the service providers that handle sensitive, confidential and personal information on your behalf. Applying good data security protections to data that your own personnel manage while working remotely is a necessary but not sufficient strategy. Your business must also address how the security of your information is impacted by your service providers as their personnel disperse.

Most businesses do not handle their information systems and data alone. Most use third-party services to not only help run and manage their information systems (cloud hosting, IT security, application management, telecommunication services, to name a few) but also to handle one or more routine business functions (like payroll and benefit management, inventory control, management, research and development databases, cash management). The loss of access to these systems can bring entire functions to a halt and any breach of the security in a service provider’s systems can be at least as devastating to its customers as a breach on the customer’s own systems.

Fortunately, there are proactive measures you can take to mitigate this risk. The key is to get on top of the risk and act now, just as you are doing regarding your own personnel. Here are some suggested steps you can take now:

  • Identify those service providers that are most critical to business continuity or that access and manage sensitive personal and competitively important information. IT security, legal, compliance and vendor management teams are already stretched thin and identifying the core service providers for immediate attention will focus the plan.
  • Next, identify those personnel who have front-line connection with the service providers and arrange for them to reach out to their relationship contacts now. The goal should be to obtain visibility into how much of the service provider’s functions have switched to remote work arrangements and what steps the provider is taking to maintain both the availability and the security of the systems used to manage their remote working capabilities. Your head of information security should be enlisted to provide guidance on what questions to ask and to provide a central clearinghouse for the information that is obtained.
  • Your legal and compliance teams should locate the governing agreements with these key service providers to confirm your service providers' security and compliance obligations. Should something go wrong, you will want to be prepared ahead of time to understand what remedies you may have. Particular attention should be paid to information security standards, data breach notification requirements, and force majeure clauses, as the last of these three is usually lightly negotiated (if paid attention to at all before a contract is signed).
  • Set up a regular cadence of communications with your service providers to monitor their ability to provide their services as remote working conditions continue and evolve. As business partners, they are in a position to alert you to systemic problems and to share best practices.
  • Review your data incident response plan to verify that the incident response team is in contact with those managing third-party relationships so that any sign of third-party insecurity can be managed as soon as possible.
  • Consult your risk management team to determine whether business interruption coverage exists for the loss of a service provider’s services and facilities as a result of the current crisis. The earlier claims can be made in this environment, the better off the business will be.

We all know that failing to plan is the same as planning to fail. Taking these basic steps now puts you in the best position to respond to the all-but-inevitable consequences of interruptions in critical service delivery upon which your business depends. The good news is that there are basic steps you can take to minimize the impact of these disruptions.


For more information, please contact:

Thomas F. Zych

Steven G. Stransky

Darcy M. Brosky

Deborah S. Brenneman

Kim Wilcoxon

Nancy M. Barnes

Julia Ann Love

Additional Resources

We have assembled a firmwide multidisciplinary task force to address clients’ business and legal concerns and needs related to the COVID-19 pandemic. Please see our COVID-19 Task Force page for additional information and resources.

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.