The Federal Trade Commission now requires businesses to take the following 3 steps when contracting with data service providers: Investigate. Obligate. Verify.
Is your business following these steps?
- Investigate. Businesses are required to investigate by exercising due diligence before hiring data service providers.
- Obligate. Businesses are required to obligate their data service providers to adhere to the appropriate level of data security protections through their contractual agreements with the provider.
- Verify. Businesses are required to take steps to verify that the data service providers are adequately protecting data as required by the contractual standards.
These 3 steps were identified and explained by Daniel Solove in Duties When Contracting with Data Service Providers in which he explains how the FTC developed this new standard of care by observing the norms and standards that have developed in the law of privacy and data security in general and now essentially giving them the effect of law. He discerns these standards from, among other things, the recent FTC case In the Matter of GMR Transcription Services, Inc. (Jan. 31, 2014).
Solve also makes the following observations:
- The standards could lead to an FTC enforcement action because of poor data service provider management alone, even without a data breach.
- All companies need to take a closer look at their own data service provider management practices.
- Virtually all businesses fall within the FTC’s regulatory authority and should follow these guidelines.
- Even organizations that are not under the FTC regulatory authority should still follow these guidelines as the standard of care when it comes to contracting with data service providers.