According to a Ponemon Institute study*, data breaches occurring in the hands of third-party vendors amounted to 39 percent of breaches in 2010. Whether it be cloud service providers, benefits brokers, medical billing services, debt collection companies, consultants, accountants, law firms, staffing services, shredding/data destruction services, cleaning service providers and other businesses, most companies utilize third party vendors to provide an array of services. Those services often involve letting the vendor access, store and/or process personal information, which creates additional risk and legal obligations for the company using the vendor, such as the service provider contract requirement in Massachusetts.
Massachusetts deadline. A number of states have passed laws requiring companies that put personal information in the hands of third party service providers must obtain the written agreement of the third party to safeguard this information. The Massachusetts data security regulations that went into effect March 1, 2010, gave businesses until March 1, 2012 to update contracts with service providers that were entered into no later than March 1, 2010. However, next month that grace period expires. Thus, beginning March 1, 2012, a contract to safeguard personal information must be in place with all service providers who handle personal information concerning a Massachusetts resident on behalf of the company.
Other mandates. Requirements to ensure third party vendors are safeguarding personal information is not limited to Massachusetts. Examples include:
- States such as California, Maryland, Nevada, Oregon, and Texas have had for some time a contract requirement similar to the Massachusetts rule.
- The privacy and security regulations under HIPAA have a more expansive requirement for “business associates” and “subcontractors.” Businesses subject to HIPAA are anxiously awaiting final regulations under HITECH which will be specifically addressing business associate agreement requirements, among other things.
- The Payment Card Industry (PCI) standards require similar agreements.
- Law firms in many states are subject to specific state ethical mandates to have written assurances from vendors handling client data (these mandates are not limited to personal information, but seem to apply to all client information). For example, lawyers in states such as ME, MO, NJ, NY, OR, VT, WI are required to make sure that contractors maintain appropriate safeguards through a “legally enforceable obligation.”
What to do next? Vendor management should be part of an overall strategy to safeguard company and personal information. It is important to add that while personal information typically is the focus of this risk because of the breach reporting obligations across the country, confidential and proprietary company data is, of course, also at risk in the hands of vendors.
Companies should develop a list of all of their vendors and require all that have access to sensitive personal or company information to agree to amend the services agreement to include a requirement that the vendor have in place appropriate data privacy and security safeguards. Careful negotiations and drafting is critical to ensure legal compliance and protection/indemnity in the event of a data breach. In addition, some business might want to maintain a right to audit operations and require certain specific safeguards, depending on the volume and sensitivity of the information at issue. Companies also have developed comprehensive questionnaires and assessments for their vendors to complete to obtain a more complete picture of the vendors’ data security protocols.
Whatever the approach, companies should at a minimum obtain written assurances from their vendors concerning the safeguarding of personal information.
*Ponemon Institute, LLC. 2010 Annual Study: U.S. Cost of a Data Breach, March 2011.