May 23, 2012

Do You Know Who's Got Your Data?

Poyner Spruill LLP Attorneys at Law, a North Carolina Law Firm
Pamela A. Scott
Elizabeth H. Johnson
Poyner Spruill LLP
Saturday, October 2, 2010
Communications, Media & Internet / Consumer Protection / Intellectual Property / Labor & Employment / Law Office Management
All Federal / North Carolina
Printer-friendly
Email this Article
Download PDF
Reprints & Permissions

It’s Time to Pin Down Your Vendors and Make Sure They Toe the Line on Information Security 

Your organization may be minding its information privacy and security Ps and Qs, but are your vendors? From your payroll provider to your copy service, from your data hosting provider to your records disposal service, dozens of third parties handle personal information on your behalf, and your information security program is only as good as theirs.

Identifying these service providers and obligating them by contract to implement necessary security measures is mandatory in many states and thus necessary to comply with law. Forty-six state laws and several federal rules require your organization to notify affected individuals of any breach your providers may cause, making appropriate diligence and contracts necessary to avoid costly data breaches and related risks. The Ponemon Institute’s 2009 study of data breach costs indicates that 42 percent of the breach incidents studied were caused by third-party mistakes, and the involvement of those third parties increased the cost of the breaches by 12 percent.

Examples of contractor missteps that have caused recent data breaches include:

  • Tossing boxes filled with the personal information of tens of thousands of individuals into open dumpsters and recycling bins.
  • Publishing login credentials in a brochure and on the Internet for a secure website that contained hundreds of thousands of individuals’ personal information.
  • Leaving an unencrypted laptop containing personal information of thousands of individuals in a car, from which it was stolen.
  • Losing a shipment of computer backup files and unencrypted CDs containing personal information for tens of thousands of individuals.

In all cases, the organizations that hired these contractors were obligated to give notice of the breaches. These incidents typically result in bad press, government enforcement actions, lawsuits, and lost productivity while the organization responds to the breach. The average cost to respond? Over $6.5 million.

So how do you comply with information security laws and avoid cleaning up a contractor’s costly data breach? The most effective solution is to implement a comprehensive privacy and security compliance program that includes vendor management. The first step to vendor management is to actually identify all the contractors that access your data. The next step is to conduct appropriate diligence on their security programs, which can consist of a questionnaire, a conversation, an onsite review — any level of checking is better than doing nothing.

Arguably the most crucial step in vendor management is executing a strong contract that is agreed to before the first piece of sensitive data reaches the contractor’s hands. As above, a number of states require contracts by law when a service provider will have access to or dispose of personal information. Contractual issues to consider include control of subcontractors a service provider may use; compliance with applicable information privacy and security laws; appropriate security measures such as encryption and system activity review; notice and cooperation in situations involving data breaches; the right to audit the contractor’s compliance and security program; and appropriate allocation of responsibility and liability in the event of a breach.  

© 2012 Poyner Spruill LLP. All rights reserved.

About the Author

Pamela A. Scott
Partner

Pam represents businesses and professionals in administrative and civil litigation and appeals pertaining to a wide variety of regulatory compliance issues and professional licensure, as well as rulemaking proceedings before the North Carolina Rules Review Commission. Pam’s health care practice focuses on certificate of need (CON) litigation and appeals; regulatory compliance and professional licensure matters; and matters involving compliance with HIPAA privacy and security rules, the HITECH Act, and other privacy laws. She has assisted both covered entities and business associates...

pscott@poynerspruill.com
919-783-2954
www.poynerspruill.com

About the Author

Elizabeth H. Johnson
Partner

Elizabeth’s practice focuses on privacy, information security, and records management. Her comprehensive, practical approach to privacy law is reflected by the diversity of her clients, which hail from a variety of industries including health care, financial services, insurance, retail, telecom, utility, technology, consumer goods and client services. Elizabeth has also worked with organizations of various size and scope, ranging from Fortune 100 companies with international reach to local charities.  She was listed among the top privacy professionals in Computerworld’s...

ejohnson@poynerspruill.com
919.783.2971
www.poynerspruill.com

Boost: AJAX core statistics

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's  Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on www.NatLawReview.com are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.  

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. NLR does not accept advertising from attorneys or law firms. The National Law Review is not a law firm nor is www.NatLawReview.com  intended to be an advertisement or a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional.  NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us. 

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.