A client recently raised this issue: with respect to third-party vendor management, in the event of an information breach, is the third-party responsible or is the principal company responsible?
Both the principal company and the third-party may be responsible for maintaining the conditions required for privacy compliance. The use of a third-party service provider does not absolve a principal company from the responsibility for maintaining information privacy. But neither is the third-party absolved. My reading of the new Massachusetts privacy law, 201 CMR 17.00, is that both entities with access to personally identifiable information must take responsibility.
Consider that a large principal company engages a smaller company to provide data management services. Under 201 CMR 17.00, not all "persons" or entities are required to provide for the security of personally identifiable information in the same manner, because the requirement is risk-based. The requirement to protect information is modeled on the U.S. Federal Trade Commission's Safeguards Rule. A risk-based approach takes into consideration the business's size, scope of business, resources, the amount of data and the need for security. But if that third-party is going to manage data from a larger entity, it is important to meet the higher standard of information security, because the risk must be perceived as greater. It is imperative for the principal company to make certain that the third-party meets the same level of information security required of the principal company.
Making sure that third-party vendors meet an adequate level of information security, one consistent with the requirements mandated for the principal entity, is one of the more critical decisions a company will make. The regulators will hold companies accountable. But so will the courts in the event of a damaging breach and any resulting litigation. It is the principal company that must make sure that its third-party providers meet a defined, agreed-upon standard. This should raise several questions for companies as third-party firms are assessed. Can the vendor meet the same risk-based requirements as the principal company on a continuing basis? What is an acceptable demonstration of proof? In kidnapping cases, there is "proof of life," a phrase that addresses proof that the kidnap victim is alive. In this case, what is an acceptable proof of security? What standard must be met? What is a reasonable test? How often should the third-party be tested? How are results verified? This may sound simple, but what if the provider is halfway around the world?
Every organization, whether managing regulatory compliance for federal or state requirements, needs a privacy and security strategy. A haphazard approach to ensuring information integrity is a high-risk strategy. It's never too late to assess your strategy, approach to security, and level of risk, even after the date of compliance. For 201 CMR 17.00, that is March 1, 2010. We're almost there. Are you ready?
- MacDonnell Ulsch