It’s 9:12 a.m. on a Monday. You open your inbox and see a subject line that instantly changes your week: “Potential Security Incident Notification.”
It’s from a vendor your team relies on heavily to process customer data. Of course, this is the vendor your procurement team swears is the absolute standard for your industry, the one that was called “non-negotiable” if you wanted to succeed in the market. They even passed the security questionnaire… mostly.
You squeeze your eyes shut and click on the email.
Dear Customer,
We are writing to inform you that on Friday, February 6, 2026, ABC Corporation became aware of unusual activity within a portion of our environment. Upon detection, we immediately initiated our incident response procedures and began an investigation with the assistance of external advisors.
At this time, our investigation remains ongoing. While we are still working to determine the scope and nature of the activity, we are providing this notice out of an abundance of caution. We have taken steps to contain the issue and to enhance monitoring across our systems. We do not have additional details to share at this time, including whether any customer data was accessed, acquired, or affected, and we are not yet able to confirm which customers may be impacted.
We understand this information may raise questions, and we appreciate your patience as we complete our review. We will provide updates as they become available. In the meantime, we are not requesting that you take any action.
If you have questions, please contact our team at [email protected].
Thank you,
Director, Trust & Security
ABC Corporation
In that moment, you have much more than a vendor problem. I mean, you also have a vendor problem, for sure. But the larger concern is that you now also have a trust transfer problem. The vendor may see this as them having an “activity,” but they borrowed your reputation to run their business—your brand, your customer trust, your contracts, your regulators, your board expectations—and now they’ve handed you a steaming pile of non-answers couched in a notification.
Vendor incidents feel uniquely awful because the risk and the consequences are out of your hands. Even if the technical root cause happened elsewhere, the questions land on your desk, and you may not even have a way to answer them until you can wring some information out of your vendor.
If any of the following questions would haunt you…
Did we know this could happen?
Did we ask the right questions?
Did we contract for the right protections?
Can we respond fast enough to keep customers from finding out the wrong way?
Can we explain this confidently and consistently if we must?
… then I invite you to keep reading about what you can do before an incident strikes, and what you should do once one does.
Vendor Incidents Are YOUR Incidents
Organizations, particularly ones scaling quickly, sometimes treat vendor risk like a one-time procurement exercise. The vendor fills out a questionnaire, files the SOC 2, signs the DPA, and we all move on to the next project. Unfortunately, vendor risk isn’t a checkbox on a compliance list. It’s a relationship you’re accountable for, and never more so than when things go sideways.
The vendor is an extension of your operations. There is a logical reason why so many regulatory frameworks distinguish between controller and processor. Your vendor may be handling your data, but you are its ultimate steward. If a vendor stores, processes, transmits, or accesses personal data on your behalf, your company will often be the one expected to answer for outcomes by customers, partners, executives, and, in many cases, regulators.
The other big reason vendor incidents explode is that the information asymmetry inherent in the relationship is brutal for your own internal operations. Your incident response team is trained to move quickly based on facts. But a vendor incident begins with the vendor controlling:
the investigation details
the forensic findings
the communications strategy
the timeline of updates
the definition of impact
and sometimes even what they’re willing to share
If you don’t have a disciplined way to gather the right information early, you can lose days waiting patiently for the vendor’s legal review and PR review. Even without a regulatory deadline bearing down on you, your organization can end up speculating, issuing inconsistent messaging, or in some cases looking incompetent or disorganized to its own customers.
The Practical Response
Don’t take “we’ll be in touch” for an answer. Make it a priority to gather as much evidence as possible as soon as possible from the vendor. That sometimes looks like sending over a vendor questionnaire about the incident, but we would recommend getting a call set up with the relevant vendor contact ASAP. You’re not going to solve everything in a 30–60-minute call, but you do want to establish enough facts to make decisions that allow your team to act or not act if that’s the right decision. The key here is that you want to make the decision, not have a vendor decide for you.
The questions you are trying to answer are not easy, but they are concrete:
Do we need to activate our incident response plan?
Do we need to notify internal leadership?
Do we need to preserve evidence on our side?
Do we need to restrict or suspend data flows?
Do we have contractual obligations to partners/customers?
Are there deadlines we need to prepare for now, even if they haven’t yet been triggered?
A big mistake teams make during vendor incidents is trying to be “reasonable” and waiting for the vendor’s next update. Reasonable is fine. But your job is to be ready, and readiness starts with asking pointed questions rather than saying, “keep us posted.”
That’s why I created a one-page set of Vendor Incident First Call Questions that makes vendor incident response faster, calmer, and far more defensible. It’s not an incident panacea, but the goal is to get as much information as possible, and barring that, as much coverage as possible.
Consider Using Incident Response Questions Proactively
If you use the questions below proactively outside an incident, such as the next time you onboard a vendor that handles personal data, you’ll start to see where you may have concerns about:
vendors that can’t explain their subcontractor chain clearly
vendors that don’t have tight enough timelines for customer notification
vendors that treat investigations as “internal only”
vendors that haven’t thought through evidence retention
vendors that will resist sharing details unless your contract requires it
Try reframing the questions as:
“If an incident were to happen, what actions would you take to….”
“When would you expect to send an initial notice?”
“How would you determine…”
“How would evidence be preserved…”
“Do you have relationships with counsel / DFIR?”
If vendors haven’t thought through these types of questions or aren’t willing to discuss the answers openly, you have valuable insights that help strengthen your vendor governance.
Become a paid subscriber to get access to all of the mini tools that we publish with each post. For instance, this post includes Vendor Incident First Call Questions that you can use to gauge vendor incident readiness!
Finally, reminder that the opinions expressed in this article are the opinion of The Privacy Design Lab. They are not legal advice, and no attorney-client relationship is formed by reading this article or downloading the 30-Minute Privacy Tabletop Exercise. If you need to consult legal counsel, you can book a consult with ARLA Strategies or other legal counsel you trust!

If you’re tired of privacy advice that only works in theory, you’re in the right place.
The Privacy Design Lab exists for people who want to practice privacy, not just talk about it. It focuses on practical, repeatable ways teams actually learn. We offer hands-on workshops, downloadable systems, and a Privacy Design Lab community where teams and practitioners can go deeper. Paid newsletter subscribers get access to our full archive, plus supporting materials you can actually use.
Become a paid subscriber to Fieldnotes to get access to the micro tools included in each newsletter post.
If that sounds like your kind of work, we’d love to have you.