Avoiding The 'Data Liability Trap': Protecting Against Third-Party Data Security Risks

How do you avoid this data liability trap? This is where qualified counsel versed in technology, data security, and data privacy is invaluable.


This may be difficult for most people to accept, but your data is everywhere. The more websites you shop on, the more personal data you provide in the process. The more you search online, the more the internet service provider you are using (as well as the search engine) gets to know about your interests and internet-surfing habits. Whether you like it or not, this loss of privacy in exchange for the convenience of a connected world is a fact of everyday online life. More than that, those sites are most likely sharing that personal information with third parties (ostensibly consistent with their privacy policies, but that’s a discussion for another time). Companies that provide third parties with personal data collected as part of their business operations may think that their contractual allocation of liability limits their risk. Unfortunately, that assumption is rarely accurate and almost always underestimated, and it can create a liability trap that companies usually discover by surprise, and at the absolute worst possible time (such as during a third-party data breach). Avoiding the trap is not an impossible task, and knowing about it is the first step.

Most companies use third-party service providers to maintain their online presence or otherwise support the computing services necessary to run their operations. Whether it is a hosting service provider that houses the equipment of your company (or client), or a software-as-a-service provider that provides a managed solution for all or a portion of your company’s (or client’s) data processing services, third-party services are likely a part of the overall network architecture. Some of the processes of the business may be within the expertise of qualified staff, while others require the expertise of specialty third-party providers (such as payroll processing). Of course, such third parties normally operate under a contractual arrangement with the business that attempts to address potential liabilities and data risk by allocating them. Unfortunately, such protection is not always what you think.

The appropriate way to illustrate this point is by an example: Let’s assume that your company (or client) has done its internal data homework, mapping all the data points within the business and outbound to the third-party services, and has implemented policies and procedures for the handling of that data. Let’s further assume that the business has taken every reasonable technological precaution to address a potential data breach after an appropriate audit of its systems and procedures, updated its policies and procedures to limit potential breaches from internal phishing/spear-phishing and other social engineering attacks, and implemented a comprehensive incident response plan in the event of the inevitable data incident and potential data breach. Moreover, let us assume that your company (or client) has contractually required its outside payroll processor to maintain appropriate procedures and safeguards for the handling of data (likely personally identifiable information, or PII) that it must handle as part of the services. Lastly, let us even assume that the payroll processor agreed to these terms and more, and your company (or client) agreed to them, especially since the third-party provider asserted that its cyber-insurance covered the risks. Sounds good? Maybe. Is it really OK? Nope.

Here are a few reasons why: Without understanding the scope of the third-party provider’s cyber insurance coverage, they (and therefore, your company or client) may be operating under a false sense of security. The policy exclusions may obviate the insurance coverage (such as where an employee of the payroll processor negligently exposes PII by clicking on a phishing email — a negligent act that may be excluded from coverage). Further, it is difficult to understand the scope of risk when you don’t fully understand how the third-party service provider handles PII. And the contractual provisions that allocate risk to the third-party provider are only as good as the financial viability of the provider to honor the inevitable contractual indemnities and other allocated risks. Granted, I am making a number of assumptions here, but you get the point — allocating contractual risk is important, but it’s not enough.

So how do you avoid this data liability trap? This is where qualified counsel versed in technology, data security, and data privacy is invaluable. First, it is essential to evaluate the third-party provider’s business as it applies to the service being provided to your company or client — in essence, you need to qualify the third-party service providers before you even get to the point of evaluating a contract with them. Further, policies and procedures need to be created with counsel and implemented by your company (or client) not only to qualify such a provider, but to regularly “audit” how the third-party service provider is handling your data (especially sensitive data) to ensure compliance. In addition, technological measures (such as data masking and/or encryption) should be considered to further limit potential data breach risks. Believe me, there is nothing better than maintaining a level of security over the data itself (where possible) to reduce data breach liability.

Third-party service providers introduce risk to your data, whether you like it or not. Needless to say, there are a lot of variables at play when dealing with the “data liability trap,” and there is no magic formula to reduce risk. That said, taking measures beyond the four corners of the contract is not only prudent, but necessary. Data breach liability is not a matter of if, but when — the key is in creating enough barriers to breach that when the inevitable does happen, the impact can be minimized. So avoid the “data liability trap” by running appropriate traps of your own on the third-party service providers that are exposed to the data of your company (or client) — it’ll not only protect the data, but your company’s (or client’s) bottom line in the process.

Tom Kulik is an Intellectual Property & Information Technology Partner at the Dallas-based law firm of Scheef & Stone, LLP. In private practice for over 20 years, Tom is a sought-after technology lawyer who uses his industry experience as a former computer systems engineer to creatively counsel and help his clients navigate the complexities of law and technology in their business. News outlets reach out to Tom for his insight, and he has been quoted by national media organizations. Get in touch with Tom on Twitter (@LegalIntangibls) or Facebook (www.facebook.com/technologylawyer), or contact him directly at [email protected].