Data Security Compliance and Service Provider Oversight | Practical Law

This Legal Update describes key due diligence and contractual considerations for companies considering entering into arrangements with third-party service providers involving the transfer or sharing of personal information.

Data Security Compliance and Service Provider Oversight

Practical Law Legal Update 5-528-5745 (Approx. 4 pages)

by PLC Intellectual Property & Technology
Published on 14 May 2013 | USA (National/Federal)
A common gap in privacy and data security compliance is the failure to properly select and manage outside service providers. As the outsourcing of business functions has become more popular, including the growing demand for cloud computing services, organizations are sharing increasing amounts of confidential information with third-party service providers. This may include personal information pertaining to the customer's employees and contractors, its own customers, business partners and other third parties. However, the customer ultimately remains responsible for complying with privacy and security regulations and can face significant monetary and reputational damage in the event of a security breach or other incident.
Two key aspects of third-party service provider oversight include conducting appropriate pre-contract due diligence and setting out a contractual framework that allows the organization to monitor and control how its service providers handle the organization's personal information and other confidential business information.

Due Diligence

Pre-contract due diligence should include at a minimum requesting and reviewing information on:
  • The service provider's data security and disaster recovery policies and procedures.
  • Data security audit reports concerning the service provider's information security program.
  • Details of any actual or potential security breaches or incidents impacting the service provider.
The organization should also consider speaking with existing clients of the service provider.

Key Contract Requirements

Organizations should also contractually require their service providers to implement and maintain appropriate measures for protecting personal information. Generally, the organization should consider contract provisions that address:
  • The organization's ownership of the data.
  • General and specific security requirements and procedures that the service provider must maintain.
  • The service provider's ongoing compliance with applicable privacy and data security laws.
  • The organization's right to audit the service provider's security procedures and policies.
  • The organization's right to:
    • terminate the contract for material breaches; and
    • other remedies, for example, indemnification for losses resulting from the service provider's failure to comply with its data security obligations.
  • Secure destruction or return of the personal information to the organization on the agreement's termination or expiration.
  • Requirements and procedures if the service provider suspects or experiences a breach or an incident, such as immediately notifying the organization.
  • Each party's responsibility for bearing the costs incurred in responding to and mitigating damages caused by a security breach.
  • Any restrictions on the location where the data is stored by or on behalf of the service provider, for example, prohibiting transfer outside of the US.
Both due diligence and any contractual requirements should be tailored to reflect:
Industry-specific requirements may also apply, for example, the Payment Card Industry Data Security Standard. In addition, if the transaction involves the cross-border sharing of personal information, the laws of the relevant foreign jurisdictions must be reviewed for compliance.
For sample contract clauses, see Standard Clauses, Data Security Contract Clauses for Service Provider Arrangements (Pro-customer). For more information on the Massachusetts Data Security Regulation, see Practice Note, Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation. For more information on HIPAA's security requirements in the context of cloud computing, see Practice Note, Cloud Computing and HIPAA Privacy and Security.