Companies that collect and store sensitive data, especially personally identifiable information (PII), must remain vigilant to the threat of data breaches. Today, the question is not whether an information security incident will occur, but what protections are in place when it does. It is therefore important to remember that data security must extend beyond the scope of a Company's own office or network and to any of the Company's service providers that have access to its data. A Company can be held responsible for a data breach involving its own data, regardless of whether the Company is directly responsible for managing its own data. The risks associated with sharing data with a service provider are best managed through the utilization of contract provisions governing information security. The following (non-exhaustive) guidelines highlight important steps to consider throughout the process of drafting information security provisions to govern the management, handling, and control of a Company's data.
- Research Applicable Legal Requirements: When drafting an information security provision(s), a Company should ensure that it is not only protecting the data, but also meeting all legal requirements applicable to the protection of the data at issue. Not all data is subject to applicable laws requiring certain security or handling responsibilities (or limitations), but particular laws do mandate certain commitments. By way of example, the Federal Trade Commission (FTC) Act, Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH), Fair Credit Reporting Act (FCRA), and Children's Online Privacy Protection Act (COPPA) can all operate together or individually to impose requirements on a Company that collects, holds, or processes certain sensitive information. As a part of entering into any service relationship that would involve the collection, handling, processing, or storing of sensitive information, a Company should familiarize itself with the requirements of any laws that may govern. A Company should then include contractual provisions requiring both compliance with such applicable laws and the implementation of and adherence to any required commitments.
- Set and Meet Minimum Security Standards through the Establishment of an Information Security Program: If a Company's service provider is handling, processing, or storing Company data, especially sensitive information, a Company should mandate that its service provider(s) meet minimum security standards. These standards can take different forms, such as certifications, audits, risk assessments, or the like. Increasingly, if not universally in particular industries, standards articulated by the National Institute of Standards and Technology (NIST), the International Organization for Standardization 27002, or the SANS Critical Controls are generally followed as an industry practice. These standards go beyond mere compliance with law – they may require the service provider to commit to specific security protocols, such as encryption, or that the handling, processing, or storing of such information be undertaken pursuant to a formal information security policy and program intended to protect the confidentiality and security of the Company data. An information security policy and program is now a generally recognized industry best practice. It typically requires an assessment of risks related to the data at issue and its handling, processing, and storage; the designation of a particular employee(s) to coordinate and manage the policy; adherence to a formal and ongoing training commitment related to, about, and under the policy; ongoing monitoring and maintenance of any safeguards implemented through such policy; and periodic updating of the policy to manage new risks to information security.
- Ensure the Service Provider Isn't Mis-using Data: When drafting a service contract, a Company should include a provision(s) that prohibits the service provider from using or sharing the Company's Data in any form and in any manner not authorized by the terms of the written agreement and in furtherance of the services to be performed for the benefit of the Company. If the service provider is allowed (or even required) to disclose Company data to a third party, a Company should further ensure that any such disclosure remains limited and subject to particular conditions to ensure both limited use and continued confidential treatment. But, as a general practice, Companies should restrict any further data disclosure. In other words, the service provider should generally not have the ability to sell, license, transfer, or disclose Company data received pursuant to a service contract without further express consent and approval as to the disclosure.
- Determine Security Breach Response Procedures: As a part of the information security standards and program noted above, the Company should have, or require the establishment by the service provider of, a plan to address an information security incident. The service provider would then contractually agree to follow either the Company's prescribed plan or the service provider's own plan, which would meet the information security standards and program as well as any applicable laws and regulations. Most states have laws requiring particular disclosure in the event of certain unauthorized access to particular information. Having contract provisions addressing these responsive process steps will help ensure a more rapid and organized response to an information security incident that meets the requirements of any applicable laws.
- Create Audit Requirements: A service contract should allow the Company to maintain some level of oversight (even if limited) over its service provider's handling, processing, or storing of Company data. The most effective provisions permit control of or approval authority over the security practices to be implemented. But many service providers may not permit such control or approval. Therefore, a Company should carve out the right to conduct an audit of the service provider's facilities and practices or at least receive the results of any audit conducted by the service provider to ensure and document compliance either with the Company's approach or the service provider's own approach, which presumably meets the information standards referenced above. Auditing should occur no less than once each calendar year, and can serve as a valuable tool to provide evidence that Company data, especially sensitive information, is being handled properly.
*Allison Laubach is a first year associate and not yet admitted to practice law.