FTC Encourages Vendor Contracts to Address Privacy and Security Risks

By: Greg Kratofil

Speaking at the National HIPAA Summit in Arlington, VA this past week (April 3, 2018), the Federal Trade Commission (FTC) highlighted the importance of healthcare providers having information security agreements in place with vendors.  “Companies need to have contracts in place to specifically address privacy and security”, said Molly Crawford, the Chief of Staff for the FTC’s privacy and identification division. 

Crawford further provided that new solutions for handling data are not governed by longstanding federal rules and statutes for healthcare privacy and security, including HIPAA.  While noting that the FTC works closely with the Department of Health and Human Services, “the FTC is the primary consumer protection agency” Crawford said and reinforced the role the FTC will play in protecting consumer data. 

It is estimated that almost 2/3rds of data breaches are tied to or directly caused by third-party vendors. This is at a time when companies are increasingly engaging third-party vendors to provide services.  It is a fact.  More third party vendors mean a higher risk of a data breach.

While a third party vendor management program is critical for managing vendor relationships, these programs must go beyond surveys and assessments.  Companies need to hold vendors contractually liable for the actions and inactions with regard to their security.  An effective way to do this is through a separate information security agreement (ISA) as an exhibit to the underlying procurement, master services or licensing agreement.  The ISA should address technical issues (e.g. auditing, employee management, encryption), but also address legal issues associated with security, including provisions related to indemnification, liability, breach response and insurance.

We encourage companies to use the procurement, master services or license agreement to address the business requirements together with the “project risk ” while using the ISA to manage the information security requirements and “security risk.”  An effective ISA program can be managed cost effectively and in a way that does not slow down new technology procurement and implementation. When done right, an ISA program helps companies provide the oversight of their service providers as required in today’s ever-changing legal and regulatory environment.