Take PCI off the table for a minute.

Chimney swift, by eschipul

Do you get nervous when dealing with a small service provider that performs some niche service for your company?  It doesn’t have to be cardholder data related, but it definitely needs to be some kind of data that is either regulated or is classified as something other than public—data like PII, healthcare, or even intellectual property.

Smaller providers can sometimes provide higher or better security than larger ones, and that may be beneficial long term—especially when doing the value proposition. But in some cases, smaller providers are providing a niche service to a larger customer, and are operating on a skeleton crew.  Imagine if a company like Ford Motor Company selected Brando’s Bitchin’ Body Business, a company created when Branden was laid off from Ford Motor Company last year to do a specific type of processing on vehicle owner data, to process data containing every registered owner of every vehicle sold in the last ten years.  Maybe it’s not regulated data, but if a celebrity registered cars to their home, he would not be happy to see that data leaked.

In the worst case scenario, what happens if it is leaked? Generally, like the A/C repair market in Texas, companies go out of business because there are no assets and they cannot afford the legal bills.  Those uncapped liabilities might look good on a contract, but as the saying goes, you can’t get water from a rock. A large company would be held responsible for the data loss with no real recourse.  That cheaper monthly fee is not looking so cheap now, is it?

What this means is that companies looking to outsource parts of their data processing or housing operations should do significant diligence on a third party vendor, regardless of their size. Big companies are just as guilty (if not more) as small guys when it comes to irresponsibly securing data.

Is it really two guys, a laptop, and a garage? Is your liability somewhere in the seven figures? Sounds the provider should accept responsibility for their actions, AND be able to back it up with insurance (to some capped level).

Does that make the price go up? Probably, but it’s part of the cost of doing things properly. I encourage companies to go local whenever they can to help boost their city, town, state, or country’s economy, and you should be sure that when you entrust your data to a third party that you are covered in the case of a breach.

This post originally appeared on BrandenWilliams.com.

Possibly Related Posts: