The use of third party technology service providers has become widespread and commonplace in all industries. Technology services like “cloud” data storage providers and software as a service (SaaS) allow companies of all sizes to better leverage their use of technology for their own purposes in a profoundly more affordable way than if businesses had to implement these IT initiatives themselves.
However, a business that uses a third party for its technology needs is not relieved of its duty of care in handling and protecting the personal private information of its consumers. In fact, by engaging third parties for technology, a business exposes its consumers to an additional layer of cyber-risk that they would not face if the business handled its own technology. For example, if you store your customers’ personal information with a cloud storage provider, you could have the greatest data protection policy in the world and your customers would still be at risk if your cloud provider does not share your data security vigilance.
As we have commented previously, the FTC has assumed broad authority to regulate data security, privacy, and the protection of consumer information under Section 5 of the FTC Act, which states that “unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” Under this provision, the FTC has recently brought a number of enforcement actions based upon known and/or existing breaches of companies’ data security. The FTC has also extended its enforcement to instances in which companies contract with third party technology service providers.
In its January 2014 settlement, In re GMR Transcription Services Inc., the FTC indicated that when companies contract with technology service providers, they are required to: (1) exercise due diligence before engaging third party providers; (2) include appropriate data protection requirements in contracts with technology service providers; and (3) take adequate measures to verify that the third party is in fact protecting the data adequately. This extends companies’ data security obligations beyond the face of the contract and requires ongoing monitoring of the provider’s data security practices.
GMR is a medical record transcription company that engaged a third party for typing and transcription services. Aside from finding that GMR failed in its due diligence obligations when engaging the third party, the FTC also charged GMR with failing to require by contract that the third party provide adequate data protections for GMR’s customers (such as basic encryption and authentication protocols) and with failing to assess whether the third party’s employees were trained in basic cyber security.
This case and other recent trends make it plain that a business’s obligation to protect consumers’ personal and private information extends to its contracts with third party technology service providers.