With all of the privacy and data security enforcement actions brought by the Federal Trade Commission in recent years, and with all of the guidance distributed by the FTC in that time frame, it is easy to get caught up in making sure your privacy and data security practices are in order and compliant with Section 5 of the FTC Act. But even if you do that, there is a blind spot that can result in a data breach, a privacy violation and a resulting investigation and possible FTC order: the use of data by your vendors and business partners. The purpose of this primer is to call your attention to that blind spot and provide guidance on how you can address it before it causes big problems for you.
The FTC has made its position clear on vendor oversight requirements when it comes to privacy and cybersecurity: companies can and will be held responsible for their vendors’ failures. Over the course of the past decade, the FTC has effectively announced a position that a company can be held legally responsible for privacy violations or data breaches occurring as a result of its vendors’ unreasonable security practices if the company failed to perform adequate due diligence, implement appropriate contract provisions or exercise sufficient oversight.
Originally published in Bloomberg BNA’s Privacy & Security Law Report, 14 PVLR 781, 05/04/2015.