Trust but verify. This is good advice in many situations, including when it comes to the businesses you hire to handle sensitive material in your possession. Even if a breach can ultimately be traced to the service provider's actions, from the perspective of the customer or employee whose personal information was exposed, the responsibility remains with you. That's why Start with Security warns companies to make sure their service providers implement reasonable security measures.
Before bringing a service provider on board, clarify your expectations for security. Satisfy yourself that they have the technical ability to get the job done. Build in procedures so that you can monitor what they are doing on your behalf. And make sure they deliver on their promises.
Based on FTC enforcement actions, investigations, and questions we receive from companies, here are some examples of steps you can take to encourage your service providers to start safe and stick with it.
Do your due diligence.
You wouldn't buy a used car without checking under the hood, and you wouldn't buy a home based solely on the seller's promise that it is in top-notch condition. Data security is no exception. Information is often one of the most important assets a business has, so make sure you know how it will be used and protected before placing it under the control of others.
Example: A company is looking for a contractor to handle its data. It receives bids from two contractors, one well-established in the field and the other a newcomer who charges significantly less. Rather than simply choosing the well-known brand or the low bidder, the company asks both contractors detailed questions about, among other things, how company data would be protected, who would have access to it, and how their employees would be trained to maintain the data securely. The contract should only be awarded when the company is satisfied with the answers it receives. Even then, the company should include specific provisions in its contract requiring reasonable security safeguards.
Write it down.
Data security is too important to be left to a vague, unwritten understanding. Both parties benefit when expectations, performance standards, and monitoring methods are spelled out in a written contract.
Example: A company hires a service provider to send monthly bills to customers. The company gives the service provider access to account information (including each customer's preferred payment method), and the service provider builds a spreadsheet from that data. The contract between the company and the service provider contains no requirement to maintain reasonable security. The service provider has no appropriate firewalls, does not encrypt data at rest or in transit, and has no system logging or intrusion detection. By failing to require reasonable security in its contract and to specify the security measures the service provider must take, the company missed an opportunity to protect its customers' confidential information.
Example: A staffing agency recruits employees from across the country to work from home doing data entry. The agency hires a regional human resources contractor to help new employees fill out their initial personnel paperwork. The contractor goes to new employees' homes and has them fill out forms that contain sensitive personal information, including Social Security numbers. The contractor photographs the forms, then uses the new employee's personal computer to upload the images and email them back to the staffing agency. A better approach would be for the staffing agency to specify more secure methods of transmitting the information in its contract, and to contact the contractor immediately if sensitive information is sent in violation of that provision.
Verify compliance.
You count your change, confirm your hotel reservation, and check your credit card statement. Double-checking just makes sense. That's why prudent companies verify that their service providers adhere to the security-related terms of their contracts.
Example: A retailer that sells camping equipment hires a company to develop an app that includes hiking trail information. The retailer intends to market the app with the claim that it will not collect geolocation data unless the user explicitly opts in, and it includes that requirement in its contract with the app developer. Before releasing the app, the retailer tests it and discovers that the app collects every user's geolocation information and transmits it to an ad network. By spelling out its expectations in the contract and testing whether the developer delivered on them, the retailer was able to correct the problem before the app was released.
The message for security-conscious companies is to build your expectations into your contracts with service providers who have access to sensitive information, and to make sure you have a way to monitor what they are doing on your behalf.
Next article in the series: Have procedures in place to maintain security and address vulnerabilities that may arise.