On September 15, 2017, the FTC released its eighth “Stick with Security” principle, which offers advice that individuals and organizations should consider when hiring others to process sensitive data. A few tips for making sure those service providers implement reasonable security measures include:
Do Your Due Diligence
Because information is often a company’s most valuable asset, the company needs to know how that information will be used. Accordingly, the FTC offers a few questions to keep in mind during the service provider selection process: how will your company’s data be secured, who will have access to the data, and how will the service provider train its employees to maintain the data securely?
Put it in Writing
A company and a service provider would both be better off putting the following items in writing in a contract: expectations, performance standards, and monitoring methods. For example, before a service provider is given access to customer or employee personal information, the contract may need to include provisions verifying that firewalls, data encryption methods, and intrusion detection systems are used.
Following up with security providers to ensure their compliance with security-related contract provisions is equally important. This verification process should ideally come before any product is marketed to the public.