In Business Management Daily, Susan Lessack of Pepper Hamilton LLP offers guidance on protecting employee data handled by third-party vendors. Lessack says: "A good contract with your vendor is your best protection against liability," and cites specific terms to include in contracts, such as those that limit the number of people who can access the data. Lessack says that, although the vendor may be reluctant to enter into such a term, the contract "should stipulate that the vendor is legally responsible for any data breach that occurs during its engagement, and that it will indemnify you and your employees for any actions resulting from a breach."
At Pre-Paid Legal, those of us who are qualified to work with companies in establishing a policy framework for information protection and risk management have taken this provision of the Red Flags Rule to heart as it deals with third-party contractors. We ask every client company to inform all of their contractors of the efforts they have made to protect PII and to request that they do the same or similar. It is just smart business to complete the loop of data security. Even an office cleaning service should adhere to the basic rules of security. I have visited numerous businesses where the cleaning service has more or less unlimited access to hard copy left on desks, in wastebaskets, and on file cabinets, to name a few. When we include all contractors in the security formula, a much better understanding of personal information security is created, which gives rise to the FTC term "Culture of Security" that we are hopefully all striving for.
The recommendations of the FTC are sound. All RFIs and contracts should contain such language. In the not-too-distant future, all federal government contracts will contain this kind of clause, I believe. As regards liability, FACTA clearly gives liability to all parties who share non-public information. If a company hires an HR service, for example, and that contractor suffers a breach of that information, then the liability is shared by both companies. Even if identity theft does not occur, both firms can be sued for a "Failure to adequately protect the information." There is no requirement under such circumstances to prove pecuniary damage.