If you own a business, you own (or at least have access to) information that you need to protect. From trade secrets and confidential R&D to customers' credit card numbers and personal data, you have a business interest in keeping this information secure, and you may have a legal obligation to protect it as well.
Data Protection Considerations with Third-Party Vendors
In today's world, data protection tends to be a group effort. What we mean by this is that most companies have to rely on third-party vendors to help maintain the security of their proprietary and confidential information. Do you use a credit card processing company? Do you store data in the cloud (whether through Google Docs, Amazon Web Services, or another fee-based enterprise solution)? Do you use email? If your answer to any of these questions is "Yes," then you have third-party data security issues that you need to be concerned with.
Of course, companies like Google, Amazon, Cisco, and IBM are likely to have data security protections that are far more sophisticated than those of most businesses. If you are using a blue-chip third-party provider, your concerns may be somewhat mitigated (and your negotiating power may be limited as well). However, these companies also use their service agreements to limit their exposure as much as possible. While a provider may not be able to disclaim liability for its own data security breaches entirely, it is important to understand the terms of service, and in particular how responsibility for security is divided between you and the provider, before you commit to using a data processing or storage platform from any third-party vendor.
The Risk of Data Security Breaches Involving Third-Party Vendors
In a study reported in Security Magazine, researchers found that, "63 percent of data breaches were linked to a third-party vendor that was responsible for system support, development, and/or maintenance. In some cases, the victimized companies did not even know that a third party handled certain security functions." This last point highlights one of the first critical steps for protecting your business from third-party data breaches: Make sure you know your third-party providers. While you may be familiar with the providers you have chosen directly, many companies in the IT sector rely on their own vendors and subcontractors to fulfill functions that they lack the resources and capabilities to fulfill on their own. A complete inventory therefore includes not only the vendors you contract with, but also, as far as you can determine, the subcontractors those vendors rely on to handle your data.
Along with knowing your vendors, some other steps you can take to protect your company from losses and liability due to third-party data breaches include the following.
1. Audit Your Company’s Data Protection Needs
In order to determine the steps you need to take with regard to data protection, you first need to know which type(s) of data you need to protect, where that data is stored, and which vendors handle it. Legal requirements and industry standards vary widely for different types of data, with consumer information (and medical records in particular) typically requiring the greatest level of protection. But your company's confidential and proprietary information could be worth millions, and if it is, it could be a prime target for hackers as well. If a third-party vendor is the weakest link in the chain of protection, the vendor's platform could provide a way in regardless of how strong your company's own in-house data security measures are.
2. Develop Internal Data Protection Policies and Procedures
Once you have cataloged your company's data protection needs, you can begin developing internal data protection policies and procedures that are tailored to your company's unique needs, risks, obligations, and business environment. These policies and procedures should be as comprehensive as possible, addressing everything from multi-factor authentication and email encryption to the security of data stored off-site or with a cloud provider. What tasks can your IT department handle in-house? What tasks are better handled (or need to be handled) by a third-party provider? What terms and conditions will you require with regard to data security in your third-party provider service contracts? These are just a few of the many questions you will need to answer.
3. Communicate within Your Company
A data protection policy is worthless if it sits on the shelf, and a procedure is meaningless if no one knows how to execute it. If you have employees who have access to sensitive information, it is important to communicate your company's policies and procedures to them effectively. When it comes to data protection, everyone should know their role. What information can employees keep on their smartphones? What restrictions apply to using third-party or public networks? What should IT personnel and other employees do, and whom should they notify, if they become aware of a potential security breach? Most employees will not be aware of the business or legal risks involved, so education is a critical aspect of communication as well.
4. Conduct Third-Party Vendor Assessments
Do your current third-party vendors meet the standards you have deemed necessary? Once you have determined what protections are necessary (whether from a business perspective, a legal perspective, or both), you can assess your current third-party vendors to determine whether their service offerings and contract terms are adequate. This will often require a team effort between legal counsel and IT infrastructure specialists (either in-house or outside consultants) who can compare each vendor's contract, service level agreement (SLA), and documented evidence of its current data protection efforts against your company's policies and procedures.
5. Negotiate (or Renegotiate) Your Third-Party Vendor Contracts
If any third-party vendor's data security measures are lacking, you need to react accordingly. Prior ignorance was never an excuse, and now that you know where the deficiencies lie, you have no justification for coming up short in protecting your company's and your customers' confidential information. If you have had a relationship with a third-party provider for a while, addressing the issue may be a relatively simple matter of entering into an updated contract that reflects current legal requirements and industry standards. But if a vendor is unable to provide an adequate level of data security, it may be necessary to start looking for alternative providers. When you negotiate new terms, consider incorporating provisions that give your company the right to demand updates and upgrades as they become available and/or as needs change over time, and that require the vendor to notify you promptly of any security breach affecting your data.
6. Test, Retest, then Test Again
Finally, once you have everything in place, you should conduct penetration testing on an ongoing basis, covering the systems and data flows that connect your company to its third-party vendors. Where a vendor's own platform is in scope, its service agreement will usually determine whether and how you may test it, so obtain the vendor's authorization first. As hackers' methods become increasingly sophisticated, your company's data security needs will change, and you need to make sure that you (and your third-party vendors) are not exposed to breaches because your protections have fallen behind. Data security is an active and ongoing practice, and companies of all sizes and in all industries need to treat it accordingly. While your company's specific requirements may not be the same as another's, all companies have a responsibility, to themselves and to their customers, to take measures that are appropriate to their unique risks and needs.
Is your company's data security program adequate? If you do not know, it is time to find out.
Contact Jiah Kim & Associates
If you would like more information about your company’s data security obligations, or if you need legal representation for contract negotiations with a third-party provider, we encourage you to get in touch. To get started with a confidential initial consultation, please call (646) 389-5065 or schedule an appointment online today.
This blog post is written for educational and general information purposes only, and does not constitute specific legal advice. You understand that there is no attorney-client relationship between you and the blog publisher. This blog should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.