Thirty-nine percent of data breaches in the U.S. happened to businesses while the data was in the hands of third-party vendors, according to the 2010 Annual Study of the Ponemon Institute.
Most companies utilize third-party vendors to provide an array of services. These vendors include cloud service providers, benefits brokers, medical billing services, debt collection companies, consultants, accountants, law firms, staffing services, shredding/data destruction services, and cleaning service providers. To provide the services, they must access, store or process personal information. For the company using a vendor, this creates additional risk and legal obligations. Many states require companies that supply personal information to their third-party service providers to obtain the third-party’s written agreement to safeguard this information.
Massachusetts
The Massachusetts data security regulations that went into effect March 1, 2010, gave businesses until March 1, 2012, to update contracts with their service providers that were entered into before March 1, 2010, to include the requirement of safeguarding personal information. (For more information, see The Final, Final Massachusetts Data Security Regulations and a Checklist for Compliance.) Thus, beginning March 1, 2012, all service providers who handle personal information concerning a Massachusetts resident on behalf of a company must agree to safeguard the personal information.
Other Mandates
Requirements to ensure third-party vendors are safeguarding personal information exist elsewhere, including the following:
- Businesses in California, Maryland, Nevada, Oregon, and Texas are covered by state laws with a contract requirement similar to the Massachusetts rule.
- Businesses in the field of health are covered by the privacy and security regulations under HIPAA, which contain an expansive requirement for “business associates” and “subcontractors.” Businesses subject to HIPAA are awaiting final regulations under HITECH, which will specifically address business associate agreement requirements, among other things. For more information, see Proposed HITECH Regulations: Will Subcontractors of Business Associates Be Subject to the HIPAA Privacy and Security Rule?
- Merchants that accept credit cards are covered by the Payment Card Industry (PCI) standards, which require similar agreements.
- Law firms in many states are subject to state ethical mandates to have written assurances from vendors handling client data (these are not limited to personal information, but seem to apply to all client information). For example, lawyers in Maine, Missouri, New Jersey, New York, Oregon, Vermont, and Wisconsin must ensure that their contractors maintain appropriate safeguards through a “legally enforceable obligation.”
Strategy
Vendor management should be a part of an overall strategy to safeguard company and personal information. While personal information typically is the focus of risk, because of the breach reporting obligations across the country, confidential and proprietary company data, of course, also is at risk in the hands of vendors.
Companies should consider requiring their vendors that have access to sensitive personal or company information to enter into service agreements that include a requirement that the vendor use appropriate data privacy and security safeguards. Careful negotiations and drafting is critical to ensure legal compliance and protection/indemnity in the event of a data breach. In addition, depending on the volume and sensitivity of the information at issue, some businesses should consider a right to audit operations and require specific safeguards. Companies also have developed comprehensive questionnaires and assessments for their vendors to obtain a more complete picture of the vendors’ data security protocols.
Jackson Lewis attorneys are available to assist businesses in their effort to comply with the law and to development an overall strategy.
