What kind of relationship do you have with your vendors? Have you peeked behind the curtains to see how they’re running their show? Or do you hold your breath and simply hope that they’ll keep all the balls in the air (including the ones that belong to your law firm)?
If you’re not taking an active role in vetting and managing your vendor relationships, you may want to reconsider your approach. Vendors provide critical services for law firms, yes, but they also have access to your data. And your clients’. And your employees.
Do you really want to risk security, privacy, and compliance issues with that information?
A good plan of action to gain insight and control of your vendor compliance includes a thorough vetting and review process.
What’s the deal with vendors and compliance?
When it comes to vendors, you can’t force them to have good data security and privacy practices. However, if there’s a data breach, you are on the hook for all the personal information you agreed to steward. And given the high costs and reputational risks that are on the line, it’s something you want to take pretty seriously.
If you’re considering integrating a vendor into your legal practice, these questions should always be at the front of your mind:
- What data are they accessing?
- How are they storing it?
- Who else has access to the data?
- What security measures are in place to protect it?
These questions don’t just come into play for data regulations like the European Union’s General Data Protection Regulation, the California Consumer Privacy Act, the Health Insurance Portability and Accountability Act, or any of the state or federal security and privacy-related legislation that is part of the data landscape these days. It’s also important for legal ethics vis-à-vis cloud computing, which requires cloud-based data to be stored securely.
Drilling down: How do I prioritize compliance?
Why do you need a vendor in the first place?
Yes, it sounds a bit cheeky, but really, what are you looking for in your vendor? What problems are they solving for you?
If you don’t answer these questions, you’ll be inundated with a boatload of vendors with a thousand and one ways to peel an orange – but that doesn’t do you any good if you’re trying to eat an apple.
Find the right fit
Not all vendors are created equal. There are some amazing ones that deliver near-flawless products. There are ones that are so badly implemented they make Google+ look like a brilliant strategy. And there’s a whole lot of in-between.
The key really is to find the right fit for your law firm and its specific needs. How do you do that? You start by asking a lot of questions.
- What are your core services? What features do you offer?
- How are your products and services bundled? Are there pricing levels?
- Who is the primary audience for your product?
- What does your customer support program look like?
- Are any services sub-contracted?
Do a dry run
Always test drive new cars and new vendors. What sounds good on paper can be clunky, badly managed, and full of security flaws when it’s in action. Trialing software gives you the chance to see how user-friendly and intuitive it really is. If you’re considering a service vendor, try starting with small projects and evaluating the experience as you go.
Check references
Always do your due diligence. But your due diligence isn’t just researching the product. Due diligence is about going beyond the website, the sales pitch, the demo. Dig to find out how solid the vendor’s track record is.
Do they deliver quality products? Is their customer service as good as their sales team? What issues come up? Get those references and call them.
What’s the best policy?
Here’s where the rubber really meets the road in compliance. You can vet vendors till the cows come home and that will weed out some of the bad ones. But your vendor management policy and your contract process are really where you start protecting yourself. (And your clients.)
How do you build a good vendor management policy?
If you did your homework and laid out what you need out of your vendor, then you’ve got a good start on your policy. Knowing the whats and whys helps you make a less cumbersome policy. Here are points you should always touch on:
- Your vendor’s data security: Do they encrypt their data? How is data stored? How do they protect against data breaches – and what do they do if there’s one?
- Backups: What is their policy on creating backups of data? Are there redundant backups across different locations? Where and why?
- Data: What data do they collect? Who has access to it? If you end your relationship with the vendor, what happens to your data?
- IT acquisition and maintenance: How are updates handled?
- Incident management and disaster recovery: What is their disaster recovery plan? What is their process for notifying clients in the case of a data breach?
- Compliance: What compliance regulations do they adhere to? How do they approach their compliance needs?
If you’ve worked with great vendors, you know how much value they can offer your firm. And if you’ve worked with challenging ones, you know how difficult those relationships can be. But by closely evaluating your needs and prioritizing compliance, you’ll put yourself in a better position to build strong relationships and deliver results for your clients.