Progressive Computer Systems, Inc.

Stick with Security: Make Sure Your Service Providers Implement Reasonable Security Measures

Trust, but verify. That’s good advice in many contexts, including in your approach to businesses you hire to process sensitive data in your possession. Even if a breach ultimately traces back to a service provider’s conduct, from the perspective of a customer or employee whose personal information has been compromised, the buck stops with you. That’s why Start with Security cautions companies to make sure their service providers implement reasonable security measures.

Before bringing service providers on board, spell out what you expect in terms of security. Satisfy yourself that they have the technical chops to get the job done. Build in procedures so you can monitor what they’re doing on your behalf. And make sure they’re following through on their promises.

Drawn from FTC law enforcement actions, investigations, and questions we get from companies, here are some examples that illustrate steps you can take to encourage your service providers to start with security – and stick to it.

Do Your Due Diligence.

You wouldn’t buy a used car before checking under the hood and you wouldn’t buy a house based solely on the seller’s promise that it’s in top-notch condition. Data security is no different. Information is often one of the most important assets a business has. Before putting it in someone else’s control, be sure you know how that information will be used and secured.

Example: A company is looking to hire a contractor to handle its data processing. It gets bids from two contractors – one with a recognized name in the field and a newcomer that charges significantly less. Rather than simply opting for the established brand name or the low bidder, the company instead asks both contractors detailed questions about – among other things – how each will secure the company’s data, who will have access to the data, and how each will train its employees to maintain the data securely. The company should award the contract only if it’s satisfied with the responses it has received. Even then, the company should include specific provisions in its contract requiring reasonable security.

Put It In Writing.

Data security is too important to relegate it to a vague “Let’s just shake on it” deal. Both sides benefit when expectations, performance standards, and monitoring methods are reduced to writing in the contract.

Example: A company hires a service provider to send monthly billing statements to customers. The company gives the service provider access to account information – including customers’ preferred payment methods – and the service provider creates a spreadsheet of the data. The contract between the company and the service provider doesn’t include any requirement to maintain reasonable security. The service provider doesn’t have firewalls in place, doesn’t encrypt data at rest or in transit, and doesn’t implement system logs or an intrusion detection system. By failing to require reasonable security in the contract and failing to specify the security measures the service provider must put in place, the company missed an opportunity to safeguard its customers’ confidential information.

Example: A national staffing agency recruits employees from across the country to work from home to conduct data entry. The company hires regional HR contractors to help new employees fill out their initial personnel paperwork. The HR contractors go to the new employees’ homes to have them complete the appropriate forms, which contain sensitive personal information, including Social Security numbers. The HR contractors photograph the forms and then use the new employees’ personal computers to upload and email the information back to the staffing agency. The better practice would be for the staffing agency to specify in its contract a more secure method for conveying the information and to contact the HR contractor immediately if sensitive data is sent in contravention of that provision.

Verify Compliance.

You count your change, confirm your hotel reservations, and review your credit card statement. Double-checking just makes sense. That’s why careful companies verify that service providers are complying with security-related contract provisions.

Example: A retailer that sells camping gear hires a company to develop an app with information about hiking trails. The retailer intends to market the app with the claim that it will not collect geolocation data unless the user affirmatively opts in, and the retailer includes a clause to that effect in its contract with the app developer. Before releasing the app, the retailer tests it and determines that the app collects geolocation information from all users and transmits it to an ad network. By spelling out its expectations in the contract and testing to see that the developer has honored them, the retailer can get the problem corrected before the app is released.

The message to security-centric companies is to build your expectations into your contracts with service providers that will have access to sensitive information. In addition, make sure you have a way of monitoring what they’re doing on your behalf.

by Thomas B. Pahl, Acting Director, FTC Bureau of Consumer Protection
used with permission from FTC.gov and itnewsforyou.com

© 2020 Progressive Computer Systems