Contributed by Odia Kagan.
This blog has discussed the importance of ensuring and auditing your vendors’ data security practices. A recent enforcement action from the Federal Trade Commission (FTC) drives home the importance of being proactive about vendors and data security.
Specifically, the FTC recently entered into an enforcement action with an analytics company for breaching the FTC’s Safeguards Rule issued pursuant to the Gramm-Leach-Bliley Act (GLBA) by failing to properly vet a third-party vendor it engaged. The vendor stored personal information in cleartext in an unprotected cloud-based location that could be accessed by anyone with the relevant URL. The information was exposed for a year and was accessed by 52 unauthorized IP addresses.
The company, Ascension Data & Analytics, was ordered to:
- Put in place a written data security program.
- Designate a person responsible for managing the data security program.
- Conduct an annual risk assessment.
- Require every vendor in advance of engaging them to:
- Provide documentation of their information security practices.
- Describe how and where the personal information will be stored and the protections that will be applied to it.
- Assess the risk to the information they receive including an annual vulnerability scanning and penetration test.
- Contractually require vendors to implement and maintain safeguards for personal information.
- Assess the sufficiency of the safeguards annually and after any incident.
- Assess the data security program at least annually and after any incident.
- Present for review initial and biennial data security assessments performed by a third party.
- Provide an annual certification from a senior corporate manager re: compliance with this order.
- Report to the FTC about any data breach incident.
- It’s not enough to have a written program that requires vendors to fill out an information security questionnaire if you then don’t take steps laid out in your program to evaluate whether the vendor could reasonably protect the personal information.
- It is NOT enough (by far) to say in your contract with the vendor that “any nonpublic personal information . . . shall be protected from disclosure with all the provisions of the GLBA.”
- You should include contractual provisions that at least require compliance with the Safeguards Rule.
- You should specify in your contract the actual safeguards that service providers must implement, or otherwise require them to take reasonable steps to secure personal information.
- You need to conduct a risk assessment for all of your vendors.
Odia Kagan is a partner in Fox Rothschild’s Privacy & Data Security Practice and Chair of the firm’s GDPR Compliance & International Privacy Practice. For questions about this post or other data privacy compliance issues, she can be reached at 215.444.7313 or email@example.com.