The use of third party technology service providers has become widespread and commonplace in all industries. Technology services like “cloud” data storage providers and software as a service (SaaS) allow companies of all sizes to better leverage their use of technology for their own purposes in a profoundly more affordable way than if businesses had to implement these IT initiatives themselves.

cloudHowever, simply because a business is using a third party for its technology needs, it is not relieved of its duties of care with respect to the handling and protection of the personal private information of its consumers. In fact, by engaging with third parties for technology, businesses are in fact exposing their consumers to an additional layer of cyber-risk that they would not otherwise be exposed to if the business handled its own technology. For example, if you store your customer’s personal information on a Cloud storage provider, you could have the greatest data protection policy in the world and your customer is still at risk if your Cloud provider does not share your data security vigilance.

As we have commented previously, the FTC has assumed a broad scope of authority to regulate data security, privacy, and the protection of consumer information under Section 5 of the FTC Act, which states that “unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” Under this provision, the FTC has recently prosecuted a number of enforcement actions based upon known and/or existing breaches in those companies’ data security. The FTC has also extended its enforcement to instances when companies contract with third party technology service providers.

In its January 2014 settlement, In re GMR Transcription Services Inc., the FTC indicated that when companies contract with technology service providers, they are required to: (1) exercise due diligence before engaging with third party providers; (2) include appropriate protections of data in contracts with technology service providers; and (3) take adequate measures to verify that the third party is protecting data adequately. This seems to extend companies’ data security obligations beyond the face of the contract to require monitoring of the data security practices of its provider.

GMR is a medical record transcription company that engaged with a third party for typing and transcription services. Aside from finding that GMR failed in its due diligence obligations when engaging with the third party, the FTC also charged GMR with failing to require by contract that the third party provide adequate data protections to GMR’s customers (such as basic encryption and authentication protocol) and additionally failed to assess whether the third party employees were trained in basic cyber security.

This case and other recent trends make it plain that businesses’ obligations to protect consumer personal and private information includes contracts with third party technology service providers.


Written by:

Published In:


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Traub Lieberman Straus & Shrewsberry LLP | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »

All the intelligence you need, in one easy email:

Great! Your first step to building an email digest of JD Supra authors and topics. Log in with LinkedIn so we can start sending your digest...

Sign up for your custom alerts now, using LinkedIn ›

* With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name.