Trust, but verify. That’s good advice in many contexts, including in your approach to businesses you hire to process sensitive data in your possession. Even if a breach ultimately traces back to a service provider’s conduct, from the perspective of a customer or employee whose personal information has been compromised, the buck stops with you. That’s why Start with Security cautions companies to make sure their service providers implement reasonable security measures.
Before bringing service providers on board, spell out what you expect in terms of security. Satisfy yourself that they have the technical chops to get the job done. Build in procedures so you can monitor what they’re doing on your behalf. And make sure they’re following through on their promises.
Drawn from FTC law enforcement actions, investigations, and questions we get from companies, here are some examples that illustrate steps you can take to encourage your service providers to start with security – and stick to it.
Do your due diligence.
You wouldn’t buy a used car before checking under the hood and you wouldn’t buy a house based solely on the seller’s promise that it’s in top-notch condition. Data security is no different. Information is often one of the most important assets a business has. Before putting it in someone else’s control, be sure you know how that information will be used and secured.
Example: A company is looking to hire a contractor to handle its data processing. It gets bids from two contractors – one with a recognized name in the field and a newcomer that charges significantly less. Rather than simply opting for the established brand name or the low bidder, the company instead asks both contractors detailed questions about – among other things – how it will secure the company’s data, who will have access to the data, and how it will train its employees to maintain the data securely. The company should award the contract only if it’s satisfied with the responses it has received. Even then, the company should include specific provisions in its contract requiring reasonable security.
Put it in writing.
Data security is too important to relegate it to a vague “Let’s just shake on it” deal. Both sides benefit when expectations, performance standards, and monitoring methods are reduced to writing in the contract.
Example: A company hires a service provider to send monthly billing statements to customers. The company gives the service provider access to account information – including customers’ preferred payment methods – and the service provider creates a spreadsheet of the data. The contract between the company and the service provider doesn’t include any requirement to maintain reasonable security. The service provider doesn’t have firewalls in place, doesn’t encrypt data at rest or in transit, and doesn’t implement system logs or an intrusion detection system. By failing to require reasonable security in the contract and failing to specify the security measures the service provider must put in place, the company missed an opportunity to safeguard its customers’ confidential information.
Example: A national staffing agency recruits employees from across the country to work from home to conduct data entry. The company hires regional HR contractors to help new employees fill out their initial personnel paperwork. The HR contractors go to the new employees’ homes to have them complete the appropriate forms, which contain sensitive personal information, including Social Security numbers. The HR contractors photograph the forms and then use the new employees’ personal computers to upload and email the information back to the staffing agency. The better practice would be for the staffing agency to specify in its contract a more secure method for conveying the information and to contact the HR contractor immediately if sensitive data is sent in contravention of that provision.
You count your change, confirm your hotel reservations, and review your credit card statement. Double-checking just makes sense. That’s why careful companies verify that service providers are complying with security-related contract provisions.
Example: A retailer that sells camping gear hires a company to develop an app with information about hiking trails. The retailer intends to market the app with the claim that it will not collect geolocation data unless the user affirmatively opts in and the retailer includes a clause to that effect in its contract with the app developer. Before releasing the app, the retailer tests it and determines that the app collects geolocation information from all users and transmits it to an ad network. By spelling out its expectations in the contract and testing to see that the developer has honored them, the retailer can get the problem corrected before the app is released.
The message to security-centric companies is to build your expectations into your contracts with service providers that will have access to sensitive information. In addition, make sure you have a way of monitoring what they’re doing on your behalf.