Data protection laws require due diligence

August 16, 2012

By Bob Johnson, NAID CEO

It is illegal to select a data destruction service provider on price alone. So what qualifications should you use to select a vendor? In my last blog post, I wrote about the principle of “reasonableness.” I want to continue that theme in today’s posting, specifically looking at data-related vendor selection.

Without exception, data protection regulations put a special burden on data controllers – those originally entrusted to protect personal information – when they are selecting downstream vendors. After all, customers have a choice when selecting their primary data controller (e.g., banks, hospitals, insurance companies), but they have no say in whom those organizations select to store, scan or destroy data. Customers simply have to rely on the hope that the data controller will select a competent service provider.

As a result, data protection laws have a number of provisions to promote such diligence on the part of the original data controller. First, they do not allow the data controller to pass on the regulatory liability to protect the data to the downstream service provider. While the regulators understand that the use of such subcontractors is a modern-day necessity, they hold the data controller responsible for the actions of those vendors, as described in this excerpt from the “Proposed Modifications to HIPAA under HITECH.”

“…The covered entity remains liable for the acts of its business associate agents, regardless of whether the covered entity has a compliant business associate agreement in place. This change is necessary to ensure, where the covered entity has contracted out a particular obligation under the HIPAA rules, that the covered entity remains liable for the failure of its business associate to perform that obligation on the covered entity’s behalf.”

Similar provisions appear in all major data protection laws currently enforced around the world. To be clear, the data controller may, and often does, assign financial responsibility to the downstream vendors for the damages they cause. However, it cannot pass on the regulatory responsibility. For example, if a service provider causes a data breach notification event, its only responsibility under the law is to inform the data controller. The data controller is responsible for making and paying for the actual breach notification.

But that is not the only way data protection laws ensure data controllers keep their eye on the ball. The laws make it illegal to select a vendor without doing the proper due diligence. This excerpt from the Securities and Exchange Commission’s Regulation S-P is typical.

“…The ‘reasonable measures’ standard will generally require the covered entity to take reasonable steps to select and retain a service provider that is capable of properly disposing of the consumer report information at issue.”

If space permitted, similar language could be quoted from virtually every other data protection law in the world.

In reality, the only time a data controller is likely to be found at fault for not properly evaluating its downstream data processors is when there is a breach. In that regard, it is very much like a seat belt law: the violation is usually discovered only when the driver is pulled over for something else.

Still, in nearly every investigation that follows a data breach, regulators find it was caused by a lack of due diligence in policy development, training, or vendor selection, and usually the fine is predicated more on that lack of due diligence than on the breach itself. Exercising due diligence will protect you in the long run.