Q: My company handles a lot of sensitive customer information (medical, financial, biographical) and has relationships with third party service providers that have access to the information. Can my company be held liable to our customers for my service provider’s mishandling of that data?
A. Bad news first. Not only may your company be liable to your customers, your company may have to engage in costly notification and disclosure efforts, and may be subject to governmental auditing and penalties all due to your service provider’s mishandling of your customers’ sensitive information.
In today’s computer and cloud-based business world, customer data can be accessed, and is often stored, by a company’s service provider or “vendor.” Vendors providing services such as: Software as a service (SAAS), payment processing, accounting, document destruction, and external IT all commonly have access to, and store, sensitive information of their clients’ customers. Even your office supply delivery company, cleaning service, and building maintenance company has access to your customer information and could cause a breach either knowingly or accidentally.
Depending on the privacy laws and regulatory requirements your company is subject to, you may be required to ensure that vendors are equipped to properly secure your sensitive customer data. Regardless, your company will be responsible for your vendors’ failure to maintain the confidentiality of your customer data and for choosing to work with a vendor that is not data security compliant. Should your vendor suffer a data breach, your company will be on the hook for customer notification requirements, governmental investigations, and penalties, in addition to any customer legal action.
So what can you do to minimize these risks? Establish a vendor management program to assess your vendors’ ability to handle sensitive customer data. If the vendor will be handling sensitive customer data, make sure that the vendor has a data security policy and data breach response plan. Further, require the vendor to have cyber insurance policies that will cover the costs of data breaches, and have the vendor sign a data security agreement that will require it to maintain the confidentiality of the customer data, require it to indemnify your company for unauthorized disclosures of customer data, and establish auditing rights that will enable your company to ensure that the vendor is maintaining its data security standards.
The bottom line is that since your company will be responsible for the mistakes of your vendors, you should take appropriate legal steps to protect your company and your customers.