When a data breach comes from a third-party vendor, the initial question that arises is, “Who is ultimately responsible for this breach?” In his article for the November 2018 issue of NACE Journal, attorney Edward J. Easterly says that as a general matter, both the vendor and the party that provided the initial information may be subject to potential liability for a breach.
Most state and federal laws put the onus on the entity that collects the information to ensure that it is handled in a safe and confidential manner. Accordingly, in the event a breach occurs, the collecting entity would have responsibilities to notify the individuals of a breach and the pertinent information related to the breach.
As such, it is imperative that an organization conduct a detailed internal and external assessment of its own policies and procedures, and those of any vendor it contracts with when dealing with personal protected information. The entity should conduct annual privacy and data protection assessments to analyze whether it has adequate procedures in place to protect personal information.
Prior to contracting with any third-party vendor, the entity should conduct due diligence on the vendor. This due diligence should include, but should not be limited to, reviewing any of the vendor’s confidentiality policies and procedures, determining who will have access to any protected information, and reviewing any third-party agreements that the vendor may have in which information is disclosed.
The parties should also enter into a written contractual agreement that contains certain requirements for the vendor. The requirements for the vendor include, but are not limited to:
- Notifying the disclosing entity—that is, the school or employer—of any data breach and providing any and all requested information on the breach;
- Notifying any affected individuals of a breach;
- Indemnifying the disclosing entity for any damages or costs associated with a breach;
- Maintaining cyber insurance policies, which may name the disclosing entity as a covered party (the disclosing entity should also have such insurance); and
- Destroying or returning any data at the end of the agreement.
In general, merely providing the vendor with access to the data does not give ownership of the data to the vendor; however, the question of ownership should be specifically spelled out in the agreement, along with any stipulations as to how, when, and for what purposes the vendor can use the data.
Entering into an agreement does not end the disclosing entity’s responsibilities. The entity should routinely audit the vendor’s protocols and confirm that no breaches have occurred during the term of the agreement. Merely requiring in the agreement that a vendor report a breach does not mean the vendor will do so if one occurs.
As with an internal breach, if an entity is made aware that a vendor’s data have been breached, the entity will generally be required to notify affected parties of the breach and provide information related to it. It is recommended that, if a breach occurs, legal counsel be consulted to determine the appropriate response.
For more information, see “Maintaining and Handling Protected Data” in the November 2018 issue of NACE Journal.