Federal Trade Commissioner Terrell McSweeny recently stated at the Privacy + Security Forum in Washington, DC, that companies that outsource data security practices to vendors can still be held accountable if such data security practices are unreasonable or misleading. A company will not be able to shield itself from liability if it should have known that the vendor improperly handled personal information and other consumer data.

McSweeny provided some recommendations, including that companies should

• include specific data security procedure obligations in contracts with vendors,

• verify a vendor’s capacity to adhere to the prescribed data security procedures, and

• look at data security practices from an expert’s perspective to determine whether such practices are reasonable.

As we recently reported, the Federal Trade Commission (FTC) has the power to prosecute companies for certain “unfair” business practices. Under this authority, the FTC has brought enforcement actions against companies for “unreasonable” consumer data security practices. Although the reasonableness standard is somewhat vague, the FTC released a Start with Security guide to data security practices earlier this year.