Is the Enterprise or the Third-party Vendor Responsible for a Privacy Breach?
Online PR News – 26-January-2010 – Boston, Mass., January 26, 2010 – In a recent blog post by Boston-based research and consulting firm ZeroPoint Risk Research, chief executive officer MacDonnell Ulsch addressed the issue of responsibility for an information breach within a corporation. Does the obligation for privacy lie with the third-party vendor or the principal company?
The use of a recognized third-party service provider does not absolve the principal company from maintaining a progressive information privacy program. Nor does it exonerate the third-party vendor. For example, the new Massachusetts privacy law, 201 CMR 17.00, requires that both entities with access to personally identifiable information are accountable.
According to Ulsch, “Consider that a large principal company engages a smaller company to provide data management services. Under 201 CMR 17.00, not all ‘persons’ or entities are required to provide for the security of personally identifiable information in the same manner, because it is risk-based. The requirement to protect information is risk-based and is modeled on the U.S. Federal Trade Commission’s Safeguards Rule. A risk-based approach takes into consideration the business’ size, scope of business, resources, the amount of data and the need for security. But if that third party is going to manage data from a larger entity, it is important to meet the higher standard of information security because the risk must be perceived as greater. It is imperative for the principal company to make certain that the third party meets the same level of information security required for the principal company.
“Making sure that third-party vendors meet an acceptable level of information security,” Ulsch continued, “one consistent with the requirements mandated for the principal entity, is one of the more critical decisions a company will make. The regulators will hold companies accountable. But so will the courts in the event of a damaging breach and any resulting litigation. It is the principal company that must make sure that its third-party providers meet a defined, agreed-upon standard. This should raise several questions for companies as third-party firms are assessed. Can the vendor meet the same risk-based requirements as the principal company on a continuing basis? What is satisfactory demonstration of proof? In kidnapping cases, there is ‘proof of life,’ a phrase that addresses proof that the kidnap victim is alive. In this case, what is an acceptable proof of security? What standard must be met? What is a reasonable test? How often should the third party be tested? How are results verified? This may sound simple, but what if the provider is halfway around the world?”
Ulsch said, “Every organization, whether in managing regulatory compliance for federal or state requirements, needs a privacy and security strategy. A haphazard approach to ensuring information integrity is high-risk. It’s never too late to assess your strategy, approach to security, and level of risk, even after the date of compliance. For 201 CMR 17.00, that is March 1, 2010. We’re almost there. Are you ready?”
# # #