Should a library inquire about how a vendor handles incident response and breach notification?

• A. Yes; it helps ensure timely notification and remediation.
• B. No; it's irrelevant to privacy.
• C. Only the vendor's marketing materials matter.
• D. Only the library's IT staff needs to know.

Answer: (A)

Coordinating with vendors about how they handle incident response and breach notification is essential for protecting patron privacy. When a vendor manages systems that contain personal data, their ability to detect breaches, respond quickly, and notify affected individuals or authorities directly affects how quickly harm can be minimized and how compliant the library remains. Asking about incident response processes, notification timelines, and escalation paths helps ensure there is a clear plan and accountability if a breach occurs, so remediation can begin promptly and patrons are informed as required. The idea that privacy concerns are irrelevant to the vendor or that only marketing materials matter would leave the library exposed and unprepared. Information that only the library’s IT staff needs to know ignores the shared responsibility and the need for alignment on how to handle incidents.