With all the variables at play when you employ third-party service providers to handle your data, you will need qualified lawyers who are familiar with technology and data security to help you minimize your risks and limit your liability.

Tom Kulik filed this report on third-party data security risks for Above The Law:

For companies that are providing third parties with personal data they have collected as part of their business operations, they may think that their contractual allocation of liability limits their risk. Unfortunately, that is an assumption that is rarely accurate and almost always underestimated, and can create a liability trap that companies usually learn by surprise, and at the absolute worst possible time (such as a third-party data breach). Avoiding the trap is not an impossible task, and knowing about it is the first step.

[…]

So how do you avoid this data liability trap? This is where qualified counsel versed in technology, data security, and data privacy is invaluable. First, it is essential to evaluate the third-party provider’s business as applies to the service being provided to your company or client — in essence, you need to qualify the third-party service providers before you even get to the point of evaluating a contract with them. Further, policies and procedures need to be created with counsel and implemented by your company (or client) to not only qualify such provider, but to regularly “audit” how the third-party service provider is handling your data (especially sensitive data) to ensure compliance. In addition, technological measures (such as data masking and/or encryption) should be considered to further limit potential data breach risks. Believe me, there is nothing better than maintaining a level of security over the nature of the data presented (where possible) to reduce data breach liability.

Third-party service providers introduce risk to your data, whether you like it or not. Needless to say, there are a lot of variables at play when dealing with the “data liability trap,” and there is no magic formula to reduce risk. That said, taking measures beyond the four corners of the contract is not only prudent, but necessary. Data breach liability is not a matter of if, but when — the key is in creating enough barriers to breach that when the inevitable does happen, the impact can be minimized.