Protection of sensitive corporate and personal information is a dynamic and paramount business concern. Microsoft has updated their Supplier Security and Privacy Assurance (SSPA) program to address these concerns that intersect with their supplier network.

The SSPA program, and the accompanying Data Protection Requirements (DPR), are periodically updated to address evolving and emerging risks. Microsoft completed a revision to this program in June and published version 8 of the SSPA program guide and DPR on August 19, 2022. Compliance with this program is a major prerequisite to continue doing business with Microsoft; it is vitally important for suppliers to stay current with the changing SSPA requirements.

We have reviewed the updated DPR; at a high level, the security and privacy themes in the program remain the same. There are still 10 sections in the program and the topics have not changed. The number of requirements has been reduced from 53 to 50, with 2 requirements being added, 5 requirements being retired, and others receiving updates.

Several specific observations are detailed below.

New Requirements (References to v8 Indexing)

#2 – The designation “subprocessor” has been a defined term in the SSPA program guide for some time, but this new requirement #2 is the first time that a specific requirement has been added to the DPR. The requirement states that where Microsoft confirms a supplier engagement fulfills a subprocessor role, the supplier must have applicable data protection agreements in place. It is important to note that Microsoft will post this to a supplier’s profile and will make the decision when it applies. This will only apply if you company has been designated as a subprocessor.

#11 – This requirement has been added to Section D, covering the collection of sensitive information. Before collecting information from children, the supplier must now obtain consent as required by local privacy laws (e.g., consent from a parent/guardian) and maintain evidence of the same.

Removed Requirements (References to v7 Indexing)

#11 – This requirement previously required prior consent by Microsoft to collect personal data by use of executable software.

#12 – This requirement previously required that the necessity of collecting very sensitive personal data (e.g., data on racial or ethnic origin, political opinions, religious beliefs, genetic data, etc.) be documented in executed supplier contracts with Microsoft.

#32 – This requirement previously prohibited the issuance of a press release or other public notice relating to a data breach.

#51 – This requirement previously required any supplier processing credit card transactions on behalf of Microsoft to demonstrate compliance with Payment Card Industry (PCI) standards. Microsoft will still require those suppliers that handle this to demonstrate compliance with PCI standards, but this is now detached from the DPR assessment process.

#52 – This requirement previously required Microsoft physical assets to be stored in an access-controlled environment.

Updates to Other Requirements (References v7/v8 Indexing)

#8/#9 – This requirement relates to the use of cookies on websites/applications created or managed by a supplier. The update in version 8 reduced the expiration period for persistent cookies from no more than 2 years in version 7 to no more than 13 months in version 8.

#10/#28 – This requirement relates to data protection policies and practices involving collection of data from third parties. The requirement continues to be enforced in the DPR, but it has moved from Section D on Collection to Section G on Subcontractors.

#23/#22 – This requirement relates to the use of subcontractors on work performed for Microsoft. Previously, a supplier would need to receive written consent from Microsoft prior to using a subcontractor. Under version 8, the supplier now needs to simply provide notice prior to using subcontractors.

#38/#37 – This requirement relates to logical access procedures and was updated in version 8 to remove a previous requirement for passwords to be reset no longer than every 70 days. The password reset provision is no longer part of this requirement, but the other elements remain in place.

Section I – This section of the program is titled Monitoring and Enforcement and generally deals with data incident response protocols. In version 8, Microsoft replaced the word “breach” with the more broadly defined “incident.” In addition, version 8 clarifies that the reporting timeframe for reporting an incident to Microsoft is per contractual requirements or without undue delay, whichever is sooner.

Software as a Service (SAAS) requirement – Suppliers with a SaaS designation in their profile are required to either demonstrate they are compliant with ISO 27001 by way of a certificate of compliance or upload a memorandum stating that their contract with Microsoft does not explicitly require an ISO certification as a condition of being hired. This requirement was never associated with a specific requirement in the DPR, but it was a task associated with the acceptance of the independent assessment by Microsoft in the past. This requirement has now been detached from the independent assessment task and remains as a stand-alone, separate requirement.

Our overall impression: these updates clarify and resolve common points of confusion for suppliers while maintaining the core content of the DPR framework.

If you have any questions about these updates or any of the other SSPA literature, please connect with us.

© Clark Nuber PS, 2022. All Rights Reserved.

This article contains general information only and should not be construed as accounting, business, financial, investment, legal, tax, or other professional advice or services. Before making any decision or taking any action, you should engage a qualified professional advisor.