By John Beauchamp, CUAnswers/CUSO Magazine
Your team has been talking to a vendor who has a solution that is going to make your life amazing. The vendor even said integration with your core is FREE. All you must do is pay the recurring fees going forward, be willing to be their beta tester, and, of course, provide them your member data to develop with. What a bargain.
Not so fast.
While this solution might be a bargain for your organization, without proper due diligence this seemingly wonderful integration could be a formula for disaster. Too often, organizations see only the promises of a cool new solution without understanding the risks and implications of turning over member data. Risks include violating privacy laws if information is shared without members' consent. You can also be on the hook for data breaches, whether they happen at the vendor or at a downstream organization (a "fourth party") to which the vendor passes the data.
Top questions to ask before signing on the dotted line
Consider the following before quickly agreeing to send your data to a third-party vendor:
What/how much data is your vendor requesting?
Is the vendor asking only for the data required to accomplish the task you are engaging them for, or is the vendor broadly requesting data that is unnecessary for your purposes? Every field you send that the vendor does not need enlarges the impact of a breach at the vendor without adding any value to you. In addition, your vendor may want volumes of data for purposes of its own, such as training its Artificial Intelligence (AI) models, at your risk. Insist on a written list of the specific data elements the vendor needs and why, and decline the rest.
Are you compliant with privacy laws?
Many states require consent from a person before their information can be sent to a third party. State privacy laws generally carve out data that is already regulated under federal financial-privacy law, including data sent to third parties to provide members with a financial product or service, but many states grant their residents much broader rights regarding notification and the right to opt out. Do not assume a blanket right to share data; first confirm whether your members have notification, consent, or opt-out rights over the specific data you are sending, and whether the vendor's intended use (for example, product development or AI training) still falls within the carve-out.
Have you reviewed the vendor’s data security policy?
Any time you send member data to a third party, you remain responsible for ensuring that the third party is adequately safeguarding it. Depending on the sensitivity of the data sent, require the vendor to demonstrate its protections rather than simply assert them: written security policies, physical safeguards, employee training, technical controls such as encryption and restricted access, breach-notification commitments, and any compensating controls the vendor expects you to implement on your side.