[BreachExchange] FTC Encourages Vendor Contracts to Address Privacy and Security Risks

Audrey McNeil audrey at riskbasedsecurity.com
Wed Apr 11 22:18:22 EDT 2018


https://www.natlawreview.com/article/ftc-encourages-vendor-contracts-to-address-privacy-and-security-risks

Speaking at the National HIPAA Summit in Arlington, VA this past week
(April 3, 2018), the Federal Trade Commission (FTC) highlighted the
importance of healthcare providers having information security agreements
in place with vendors. “Companies need to have contracts in place to
specifically address privacy and security,” said Molly Crawford, the Chief
of Staff for the FTC’s privacy and identification division.

Crawford further noted that new solutions for handling data are not
governed by longstanding federal rules and statutes for healthcare privacy
and security, including HIPAA. While noting that the FTC works closely
with the Department of Health and Human Services, “the FTC is the primary
consumer protection agency,” Crawford said, reinforcing the role the FTC
will play in protecting consumer data.

It is estimated that almost 2/3rds of data breaches are tied to or directly
caused by third-party vendors. This is at a time when companies are
increasingly engaging third-party vendors to provide services. The fact is
that more third-party vendors mean a higher risk of a data breach.

While a third-party vendor management program is critical for managing
vendor relationships, these programs must go beyond surveys and
assessments. Companies need to hold vendors contractually liable for their
actions and inactions with regard to security. An effective way to
do this is through a separate information security agreement (ISA) attached
as an exhibit to the underlying procurement, master services or licensing
agreement. The ISA should address not only technical issues (e.g., auditing,
employee management, encryption) but also legal issues associated
with security, including provisions related to indemnification, liability,
breach response and insurance.