Do You Know Who’s Got Your Data? It's Time to Pin Down Your Vendors and Make Sure They Toe the Line on Information Security

Poyner Spruill LLP

Your organization may be minding its information privacy and security Ps and Qs, but are your vendors? From your payroll provider to your copy service, from your data hosting provider to your records disposal service, dozens of third parties handle personal information on your behalf, and your information security program is only as good as theirs.

Identifying these service providers and obligating them by contract to implement necessary security measures is mandatory in many states and thus necessary to comply with law. Forty-six state laws and several federal rules require your organization to notify affected individuals of any breach your providers may cause, making appropriate diligence and contracts necessary to avoid costly data breaches and related risks. The Ponemon Institute’s 2009 study of data breach costs indicates that 42 percent of the breach incidents studied were caused by third-party mistakes, and the involvement of those third parties increased the cost of the breaches by 12 percent.

Examples of contractor missteps that have caused recent data breaches include....

Please see full publication below for more information.
