The Challenges of Third-Party Data Protection

Angela R. Matney, Brian W. Fannin


December 2, 2014

During the late Renaissance, it was not uncommon for a merchant to bet his entire fortune on a galleon full of cargo traveling safely from India to Italy through a gauntlet of pirates, storms and other dangers of the sea. Today's employers face a similarly perilous situation when they outsource employment functions: they depend on third-party vendors to collect, store and process employees' sensitive personal data without running afoul of ever-changing data protection laws. Fortunately, companies can take certain steps to reduce the likelihood that vendors will fail to adequately safeguard their data and to minimize their exposure in the event of a breach. By understanding the data they are obligated to protect and their security requirements, thoroughly vetting vendors, negotiating robust data privacy and security contracts, and monitoring vendor compliance, businesses can gain a measure of protection that was not available to the merchant once his cargo ship's topsail disappeared over the horizon.

Companies collect and use employee data to carry out many aspects of the employment relationship, including evaluating job applicants, processing payroll, administering retirement benefits and running voluntary wellness programs. With the proliferation of cloud-based services, employers are increasingly choosing to outsource such functions. Employers may assume that their vendors will take all necessary measures to protect employees' personal information, but failure to adequately address data privacy and security issues when selecting and engaging vendors could result in significant expenses and reputational damage. According to a report released by the Ponemon Institute in May 2014, the average cost to a company for a single data breach is $3.5 million, and the average cost per compromised record is $145.

Know Your Data and Your Obligations
Generally, data privacy laws afford special protection only to personally identifiable information (PII). Most statutes define PII (or a similar term) as data or information identifying or linked to an identifiable person.

The problem is that, despite this basic similarity, laws differ in the types of data they actually protect. Some laws afford protection to specific kinds of information, such as health or financial data, while others are more flexible in their approach. Many data privacy laws also treat encrypted or secured data differently.

Processing particularly sensitive PII, such as Social Security numbers, financial information and medical information, involves greater risk, so classifying the PII according to sensitivity can be beneficial. A company's requirements for a vendor that will process highly sensitive PII might be more stringent than those for a provider responsible for less critical data.

It is also crucial for businesses to understand whose PII they are obligated to protect. Employers' obligations under data privacy laws do not extend only to current and former employees: the PII of job applicants, independent contractors and customers must also be protected.

Instead of an overarching privacy regime, the United States operates under a sectoral approach to privacy, offering protection at the federal level to different types of PII from industry to industry. The Fair Credit Reporting Act regulates how employers perform background and criminal history checks on job applicants. U.S. employers that administer health plans are subject to HIPAA with respect to the health data of plan participants. And while Section 5 of the Federal Trade Commission (FTC) Act does not specifically address data privacy or security, it does prohibit unfair or deceptive business practices, and the FTC has brought enforcement actions under Section 5 against companies for failing to reasonably and appropriately protect sensitive PII. The FTC generally focuses on injury to consumers, but it has brought actions involving employee data in at least two cases.

Some state laws address sensitive data such as credit and financial information, and provide more stringent protections than their federal counterparts. While there is no omnibus federal data breach notification law yet, 47 states and the District of Columbia have statutes on the books requiring businesses that collect PII to notify affected individuals, the state's attorney general and the media if the data is compromised.

Multinational companies face additional compliance challenges. Other jurisdictions operate under data privacy regimes that differ markedly from the U.S. sectoral system. In the European Union, for example, privacy is viewed as a fundamental human right, and employees have broad privacy expectations as a result. These differences can lead to logistical complications in cross-border data transfers.

Vetting Vendors
Once a business understands the types of employee data that it is obligated to protect and its security needs, it must ensure that vendors that access PII are able to adequately protect it. Asking certain questions of vendors early in the process can help eliminate those that cannot or will not comply with the business' specific requirements.

It is also a good idea to determine which vendors currently have access to PII and assess their abilities to adequately protect that data, encouraging high-risk vendors to implement appropriate mitigation measures. There are a variety of elements to consider:

SOC reports. Can the vendor provide a Service Organization Control (SOC) 2 or SOC 3 report? These reports, developed by the American Institute of Certified Public Accountants (AICPA), provide information about controls related to security, availability, processing integrity, confidentiality and privacy, and they are most useful when evaluated in conjunction with an internal risk assessment.

Safeguards. Does the provider have administrative, technical and physical safeguards in place that are appropriate, given the sensitivity of the data it will access and the nature of the company's business? If so, are the safeguards regularly tested, monitored and updated?

Administrative safeguards include limiting PII access to specific employees, training employees on data privacy and security issues, and designating a compliance manager. Technical safeguards may include firewalls, passwords, segregation of client data to prevent unauthorized access by other clients of the vendor, and encryption of PII that is stored on portable devices. Physical safeguards include locks on filing cabinets and measures to prevent access to facilities where electronic PII is stored. They may also include appropriate environmental safeguards, as well as disaster recovery and business continuity plans.

Policies. What are the vendor's policies regarding data backup, retention, off-site storage and destruction? Does the vendor require that data on flash drives, laptops and cell phones be encrypted? Does the vendor have policies in place to minimize the risks of third-party cloud providers? In May 2014, for example, Lowe's Home Improvement had to notify 35,000 current and former employees that certain sensitive data stored by its third-party cloud provider, including Social Security and driver's license numbers, might have been compromised for a period of 10 months.

Special issues. Is the vendor equipped to deal with special considerations arising from the types of data that will be processed or the location of the company's employees? A flexible spending account administrator, for example, should have policies and procedures in place regarding access to protected health information. If the vendor is in the United States and will be processing European employee data, the vendor may need to have Safe Harbor certification to permit the cross-border transfer. And if the company has employees in California or Massachusetts, it will need to make sure that vendors can comply with the rigorous data privacy and security requirements for residents of those states.

Subcontracting. Does the vendor plan to subcontract any of the work? If so, understand how the vendor will ensure that subcontractors observe company requirements with respect to PII. Also be clear on whether subcontracted work will be covered by insurance.

Contractual Provisions
Contract clauses addressing data privacy and security can be the subject of intense negotiation, with each party seeking to minimize its risk of exposure. Service agreements should be customized to reflect the sensitivity of the PII involved and the employer's need for security, as well as the size, nature and resources of each party. It is critical to consider the following:

Safeguards. The service contract should require the vendor to implement specific, reasonable administrative, technical and physical safeguards and regularly test and monitor their effectiveness. What constitutes "reasonable" will vary, depending on the size of the business and the nature of the PII. Massachusetts and California, for example, require vendors to agree to implement security safeguards when entering into service provider agreements. Such contractual provisions may also reduce the risk of exposure to an enforcement action under Section 5 of the FTC Act or similar state laws.

Breach notification. Ideally, the vendor should notify its clients of any potential or suspected breach, not just after it is certain that PII has been compromised. A company will also want to retain control over how employees are informed. If the vendor simultaneously notifies employees and management of a possible breach, the organization will miss out on crucial opportunities to prepare employee communications and ascertain the company's own responsibilities under applicable laws.

Remediation. It is also important to expressly provide that the vendor will reimburse the business for costs incurred in notifying affected individuals and mitigating damages, particularly when highly sensitive PII is involved. These costs may not be covered under standard indemnification provisions.

Insurance. More and more commercial general liability policies exclude coverage for electronic data. Consider whether it is appropriate to contractually require vendors to maintain technology errors and omissions insurance and coverage for cyber risks, including data security breaches.

Oversight. Push for the right to conduct or oversee an audit of the provider's facilities and practices, particularly if highly sensitive PII is involved. At a minimum, reserve the right to require the vendor to provide information addressing its security practices at specified intervals throughout the term of the agreement. High-risk vendors should be evaluated more frequently.

Termination. The agreement should address what happens to PII after the business relationship ends. The vendor should return all of the company's PII or, if appropriate, destroy it and certify the destruction.

State-specific requirements. State laws and regulations, particularly in Massachusetts and California, impose additional requirements. Companies that own or license PII of residents of either state must take "reasonable steps" to select and retain third-party vendors capable of appropriately protecting PII, and contracts must require vendors to implement and maintain reasonable security measures.

Massachusetts' requirements include encrypting PII that is transmitted over public or wireless networks or stored on portable devices to the extent technically feasible.

While California law does not require encryption, the California Breach Notification Law only applies when unencrypted PII is compromised. This incentivizes companies to encrypt PII of California residents (and, by extension, all PII they collect and store) and to require the same of third-party vendors.

Monitoring Compliance
Due diligence and contractual safeguards will mean nothing if a business fails to train its own contracting officers about what to look for in data privacy and security requirements, or if the vendor does not train its employees in how to keep data safe. Exercise any audit or oversight rights granted by the contract. Establish procedures to verify the identity of third-party vendors that access the company's systems, possibly through the use of a third-party digital signature service.

By knowing its rights as a corporate consumer and verifying that a vendor is able and willing to meet data processing requirements, a business can mitigate some of the risks inherent in outsourcing employment functions. Just as the seas have become safer for shipping cargo, one day there may be mechanisms to ensure that PII is not compromised. Until then, however, attention to training, compliance, and a written agreement that reflects the realities of a company's rights and needs will better position it to navigate the requirements of privacy and data security under today's evolving regulations.

Angela R. Matney is a Certified Information Privacy Professional (CIPP) and an attorney with Hirschler Fleischer in Richmond, Virginia.

Brian W. Fannin is an attorney serving clients in New Jersey, Virginia, Washington, D.C. and internationally.