Companies that collect and store sensitive data, especially personally
identifiable information (PII), must remain vigilant to the threat of data
breaches. Today, the question is not whether an information security incident
will occur, but what protections are in place when it does. It is therefore
important to remember that data security must extend beyond the scope of a
Company's own office or network and to any of the Company's service providers
that have access to its data.
A Company can be held responsible for a data
breach involving its own data, regardless of whether the Company is directly
responsible for managing its own data. The risks associated with sharing data
with a service provider are best managed through the utilization of contract
provisions governing information security. The following (non-exhaustive)
guidelines highlight important steps to consider throughout the process of
drafting information security provisions to govern the management, handling,
and control of a Company's data.
1. Research Applicable Legal Requirements: When drafting an information security provision(s), a Company should
ensure that it is not only protecting the data, but also meeting all legal
requirements applicable to the protection of the data at issue. Not all data is
subject to applicable laws requiring certain security or handling
responsibilities (or limitations), but particular laws do mandate certain
commitments. By way of example, the Federal Trade Commission (FTC) Act,
Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act
(HIPAA), Health Information Technology for Economic and Clinical Health Act
(HITECH), Fair Credit Reporting Act (FCRA), and Children's Online Privacy
Protection Act (COPPA) can all operate together or individually to impose
requirements on a Company that collects, holds, or processes certain sensitive
information. As a part of entering into any service relationship that would
involve the collection, handling, processing, or storing of sensitive
information, a Company should familiarize itself with the requirements of any
laws that may govern. A Company should then include contractual provisions
requiring both compliance with such applicable laws and the implementation of
and adherence to any required commitments.
2. Set and Meet Minimum Security Standards through the Establishment of an Information Security Program: If a Company's service
provider is handling, processing, or storing Company data, especially sensitive
information, a Company should mandate that its service provider(s) meet minimum
security standards. These standards can take different forms, such as
certifications, audits, risk assessments, or the like. Increasingly, and in
some industries almost universally, standards articulated by the National
Institute of Standards and Technology (NIST), ISO/IEC 27002, or the SANS
Critical Controls are followed as industry practice. These standards go beyond
mere compliance with law –
they may require the service provider to commit to specific security protocols,
such as encryption, or that the handling, processing, or storing of such
information be undertaken pursuant to a formal information security policy and
program intended to protect the confidentiality and security of the Company
data. An information security policy and program is now a generally recognized
industry best practice. It typically requires an assessment of risks related to
the data at issue and its handling, processing, and storage; the designation of
a particular employee(s) to coordinate and manage the policy; adherence to a
formal and ongoing training commitment under the policy;
ongoing monitoring and maintenance of any safeguards implemented through such
policy; and periodic updating of the policy to manage new risks to information
security.
3. Ensure the Service Provider Isn't Misusing Data: When drafting a service contract, a Company
should include a provision(s) that prohibits the service provider from using or
sharing the Company's data in any form or manner that is not both authorized by
the terms of the written agreement and in furtherance of the services to be
performed for the benefit of the Company. If the service provider is allowed
(or even required) to disclose Company data to a third party, a Company should
further ensure that any such disclosure remains limited and subject to
particular conditions to ensure both limited use and continued confidential
treatment. But, as a general practice, Companies should restrict any further
data disclosure. In other words, the service provider should generally not have
the ability to sell, license, transfer, or disclose Company data received
pursuant to a service contract without further express consent and approval as
to the disclosure.
4. Determine Security Breach Response Procedures: As a part of the information security standards
and program noted above, the Company should have, or require the establishment
by the service provider of, a plan to address an information security incident.
The service provider would then contractually agree to follow either the
Company's prescribed plan or the service provider's own plan, which would meet
the information security standards and program as well as any applicable laws
and regulations. Most states have laws requiring particular disclosure in the
event of certain unauthorized access to particular information. Having contract
provisions addressing these responsive process steps will help ensure a more
rapid and organized response to an information security incident that meets the
requirements of any applicable laws.
5. Create Audit Requirements: A service contract
should allow the Company to maintain some level of oversight (even if limited)
over its service provider's handling, processing, or storing of Company data.
The most effective provisions permit control of or approval authority over the
security practices to be implemented. But many service providers may not permit
such control or approval. Therefore, a Company should carve out the right to
conduct an audit of the service provider's facilities and practices or at least
receive the results of any audit conducted by the service provider to ensure
and document compliance either with the Company's approach or the service
provider's own approach, which presumably meets the information security standards
referenced above. Auditing should occur no less than once each calendar year,
and can serve as a valuable tool to provide evidence that Company data,
especially sensitive information, is being handled properly.