Third-Party Breach Response

Your vendor got hacked, but it's your problem. This guide tells you exactly how to manage the vendor, protect your liability, and communicate with your customers.

Includes: Vendor Demand Templates, Liability Matrix, Notification Scripts

The Hard Truth: It's Your Fault

In the eyes of the law (and your customers), you are responsible for the vendors you choose. You cannot simply blame the vendor and walk away. You must lead the response, even if they caused the problem.

Step 1: Immediate Vendor Management

Vendors will try to downplay the incident. Do not let them. You need facts to meet your own legal deadlines.

1. Stop the Bleeding

If you have an active connection to the vendor (API, VPN, shared portal), sever it immediately (revoke the associated credentials, not just the session) and keep it closed until the vendor confirms in writing that the incident is contained and remediated.

2. Preserve Rights

Review your contract (MSA/DPA). Look for the "Notification Clause" (the vendor usually must notify you within 24-72 hours of discovery) and the "Right to Audit" clause; these define what you can demand from the vendor and on what timeline.

Vendor Demand Letter Template

Send this formal notice to your vendor's Legal and Security teams immediately. It puts them on notice and starts the legal clock.

TEMPLATE: Notice_of_Breach_Inquiry.docx

URGENT: NOTICE OF SECURITY INCIDENT INQUIRY

To: [Vendor Name] Legal & Security Team

We have become aware of a security incident affecting your systems. As a customer and data controller, [Your Company] requires immediate clarification regarding the impact on our data.

Pursuant to our Data Processing Agreement (DPA) and applicable laws (GDPR/CCPA), please provide written responses to the following within 24 hours:

  1. Has [Your Company]'s data been accessed, exfiltrated, or encrypted?
  2. If yes, precisely what data elements (fields) were involved?
  3. When did the incident start, and when was it discovered?
  4. Has the vulnerability been remediated?
  5. Are you engaging external forensics? If so, who?

Please preserve all logs and evidence related to our account. We reserve all rights to audit and seek indemnification for damages resulting from this incident.

Direct all future communications to [Your Email].

Sincerely,
[Your Name]
[Your Title]

Liability Matrix: Who Pays?

Who is responsible for what? This matrix helps you understand your exposure.

Activity             | Responsible Party | Notes
---------------------|-------------------|----------------------------------------------------------
Notifying Regulators | YOU (Controller)  | Vendor notifies you; you notify the government.
Notifying Customers  | YOU (Controller)  | You own the customer relationship.
Forensic Costs       | Vendor            | They should pay to fix their own systems.
Credit Monitoring    | Negotiable        | You often pay upfront, then sue vendor for reimbursement.

Need to Audit Your Vendor?

If a vendor caused a breach and your contract includes a Right to Audit clause, you may have the right to send in your own forensic team to verify their security. Connect with firms that specialize in third-party risk assessments.