What to Do When Your Third-Party Vendor Suffers a Data Breach
Author: Jerisaliant
When the Call Comes
Every TPRM program must plan for the scenario where a vendor notifies you that their systems have been compromised and your data may be affected. The first hours after notification are critical for containment, assessment, and regulatory compliance. Having a documented, rehearsed response plan is not optional—it is a regulatory expectation.
GDPR Article 33 requires controllers to notify the supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals. When the breach happens at a vendor acting as your processor, you normally become aware when the vendor tells you, not when the breach actually occurred, so the 72 hours run from that notification. Article 33(2) obliges the processor to notify you without undue delay; your contract should restate that obligation with a concrete deadline, because every hour the vendor waits is an hour taken off your 72.
Immediate Response (0-24 Hours)
- Activate your incident response team: Engage privacy, legal, IT security, and communications leads.
- Assess the vendor's notification: What data was involved? How many individuals are affected? When did the breach occur? What containment measures has the vendor taken?
- Determine your data exposure: Cross-reference the vendor's report (which of their systems, tenants, or datasets were hit) with your data map to identify exactly which of your processing activities, data categories, and data subjects may be affected.
- Contain further risk: If the vendor's environment may still be compromised, suspend data flows to it, revoke or rotate any credentials the vendor holds for your systems (API keys, OAuth clients, service accounts, SFTP logins), and isolate integrations until the vendor confirms containment.
- Engage legal counsel: Assess regulatory notification obligations based on the nature and scope of the exposure.
Investigation and Assessment (24-72 Hours)
- Request full incident details: Timeline of the breach, root cause analysis (even if preliminary), scope of data accessed, and the vendor's remediation plan.
- Perform your own risk assessment: Based on the data involved, assess the risk to affected individuals. Consider the sensitivity of the data, whether it was encrypted with keys the attacker did not obtain, whether data was actually exfiltrated or merely accessible, and the likelihood and severity of harm to the people concerned.
- Determine notification obligations: Under GDPR Article 33, notify the DPA within 72 hours of awareness unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Under Article 34, notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms; Article 34(3) lifts that duty where the data was rendered unintelligible to the attacker, for example by encryption with uncompromised keys.
- Check other jurisdictional requirements: CCPA, LGPD, and US state breach-notification laws have their own timelines, thresholds, and definitions of covered data, and several run on different clocks from GDPR.
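The two lists above describe a procedure: fix the moment of awareness and the 72-hour deadline, cross-reference the vendor's notice with your data map, list the credentials to rotate, and make a first-pass Article 33 / Article 34 call. The script below is an added example that walks through those steps on constructed data; it is not Jerisaliant's code and not part of its TPRM module. The data-map and notice structures, the dataset names, the subject counts, and the sensitivity categories used to flag "high risk" are all assumptions made for illustration, and the notification verdicts are a triage heuristic for counsel to review, not a legal determination.

```python
"""Vendor breach triage helper (added example, not Jerisaliant's code).

Assumes two constructed inputs: the vendor's notice (which of its datasets
were hit, whether data left the vendor, whether it was encrypted with keys the
attacker did not obtain) and your data map (which of your processing
activities live in which vendor dataset). All names and counts are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOTIFICATION_WINDOW = timedelta(hours=72)  # GDPR Art. 33(1): 72 hours from awareness

# Triage heuristic only (an assumption of this example, not a legal test):
# readable data in these categories pushes the breach toward Art. 34 "high risk".
HIGH_RISK_CATEGORIES = {
    "health", "biometric", "political", "ethnicity", "religion", "sexuality",
    "financial", "government_id", "credentials",
}


@dataclass
class DataMapEntry:
    activity: str        # your processing activity, e.g. "payroll"
    vendor_dataset: str  # the vendor-side dataset/tenant it lives in
    categories: set      # personal-data categories held there
    subjects: int        # data subjects in that activity
    credentials: set     # integration secrets that touch this dataset


@dataclass
class VendorNotice:
    received_at: datetime     # when you were told: the moment of awareness
    affected_datasets: set    # vendor datasets the vendor says were hit
    exfiltrated: bool         # vendor confirms data left its environment
    keys_uncompromised: bool  # data encrypted and keys not obtained by attacker


@dataclass
class Triage:
    dpa_deadline: datetime
    affected_activities: list
    categories: set
    subjects_upper_bound: int
    credentials_to_rotate: set
    notify_dpa: bool
    notify_individuals: bool


def triage(notice: VendorNotice, data_map: list) -> Triage:
    """Cross-reference the notice with the data map and derive a first-pass assessment."""
    # The Art. 33 clock runs from awareness; normalise to UTC so the deadline is unambiguous.
    deadline = notice.received_at.astimezone(timezone.utc) + NOTIFICATION_WINDOW

    hits = [e for e in data_map if e.vendor_dataset in notice.affected_datasets]
    categories = set().union(*(e.categories for e in hits))
    credentials = set().union(*(e.credentials for e in hits))
    # Per-activity counts can double-count one person present in two activities,
    # so this is an upper bound until subject identifiers are deduplicated.
    subjects = sum(e.subjects for e in hits)

    readable = bool(hits) and not notice.keys_uncompromised
    # Art. 33: notify unless the breach is unlikely to result in a risk. Data that is
    # unreadable to the attacker (encrypted, keys safe) is the standard "unlikely" case.
    notify_dpa = readable
    # Art. 34 heuristic: readable data that actually left the vendor, or readable
    # high-risk categories even without confirmed exfiltration.
    notify_individuals = readable and (
        notice.exfiltrated or bool(categories & HIGH_RISK_CATEGORIES)
    )

    return Triage(
        dpa_deadline=deadline,
        affected_activities=[e.activity for e in hits],
        categories=categories,
        subjects_upper_bound=subjects,
        credentials_to_rotate=credentials,
        notify_dpa=notify_dpa,
        notify_individuals=notify_individuals,
    )


# Constructed sample data map and notice; none of this is real.
SAMPLE_DATA_MAP = [
    DataMapEntry("payroll", "hr-prod", {"name", "financial", "government_id"}, 1200, {"payroll-api-key"}),
    DataMapEntry("support-tickets", "support-prod", {"name", "email"}, 8000, {"support-oauth-client"}),
    DataMapEntry("newsletter", "marketing-prod", {"email"}, 50000, {"marketing-webhook-secret"}),
]

SAMPLE_NOTICE = VendorNotice(
    received_at=datetime(2024, 3, 4, 9, 30, tzinfo=timezone(timedelta(hours=1))),
    affected_datasets={"hr-prod", "support-prod"},
    exfiltrated=True,
    keys_uncompromised=False,
)

if __name__ == "__main__":
    t = triage(SAMPLE_NOTICE, SAMPLE_DATA_MAP)
    print(f"DPA deadline (UTC): {t.dpa_deadline:%Y-%m-%d %H:%M}")
    print(f"Affected activities: {t.affected_activities}")
    print(f"Categories: {sorted(t.categories)}; subjects <= {t.subjects_upper_bound}")
    print(f"Rotate now: {sorted(t.credentials_to_rotate)}")
    print(f"Notify DPA: {t.notify_dpa}; notify individuals: {t.notify_individuals}")
```

Two points the script makes concrete: the deadline is computed from the timestamp you received the notice, converted to UTC, not from the vendor's incident date; and the same breach flips from "notify DPA and individuals" to "record internally, no notification" only when the vendor can show the data was encrypted and the keys stayed out of the attacker's hands, so that single fact is worth pressing the vendor on in the first call.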
Regulatory Reporting
- DPA notification: Include the nature of the breach, the categories and approximate numbers of individuals and records affected, the name and contact details of your DPO or other contact point, the likely consequences, and the measures taken or proposed. Article 33(4) allows you to provide the information in phases if it is not all available within 72 hours, so do not delay the initial notification waiting for the vendor's final figures.
- Individual notification: If required, communicate in clear, plain language what happened, what data was involved, what you are doing about it, and what they can do to protect themselves.
- Multi-jurisdiction coordination: If affected individuals span multiple jurisdictions, coordinate notifications per each jurisdiction's requirements.
Post-Incident Review
- Root cause analysis: Work with the vendor to understand the full root cause and verify that remediation is complete.
- Reassess vendor risk: Update the vendor's risk score and tier classification based on the incident.
- Contractual review: Evaluate whether the vendor met its contractual obligations (notification timeline, cooperation, security measures).
- Lessons learned: Document what worked and what failed in your response process. Update your incident response plan accordingly.
- Consider vendor continuation: Based on the severity, root cause, and vendor response quality, decide whether to continue, enhance monitoring, or terminate the relationship.
Jerisaliant's TPRM module includes vendor breach response workflows, regulatory notification templates, timeline tracking, and post-incident risk reassessment tools.