One trend in recent months is an increase in class action lawsuits and government investigations following a major data breach that compromises personal information. This serves to remind companies not only of the repercussions of a data breach, but also of the importance of taking stock of the data they collect and share and of integrating privacy and data security into their business practices. As companies outsource activities to third parties and move to cloud-based services, it is particularly important to build privacy and data security considerations into contracts with service providers.
While the nature of the business and the type and sensitivity of the information collected and shared with service providers will dictate the specific requirements to be imposed, it is important to contractually require providers to implement and maintain appropriate administrative, physical, and technical safeguards; to share information regarding their security practices with the company; and to notify the company of any incident that does or could affect the security of personal information. It is also important to review the provider’s privacy and data security programs, policies, training materials, and data breach response procedures. Further, access to and use of sensitive information should be limited to the individuals who need the information to perform the services.
Compliance with the various federal and state laws and industry standards (such as the Payment Card Industry Data Security Standard) is another key consideration. The global privacy landscape is quite different from the U.S. legal framework, so companies must also be mindful of international laws as they outsource activities to other jurisdictions.
In short, privacy and data security should be considered at every step as companies expand their activities and outsource functions to third parties.