By Alan M. Burger and James J. Giszczak
Members
McDonald Hopkins LLC
Don’t Risk Customers’ Data
Protect your business when a vendor handles clients’ personal information
Many companies are under the mistaken and dangerous impression that outsourcing risky tasks involving personal identifiable information to third parties equates to outsourcing the liability associated with those tasks. In fact — aside from the traditional legal concepts of agency, in which the acts of the third-party vendor are attributed to the principal — current laws, rules and regulations specifically do not allow a total shifting of the risk and liability associated with the handling of personal identifiable and confidential information. Massachusetts, for instance, mandates that companies take steps to ensure that third-party vendors are compliant with its laws with respect to personal information.
It is important that organizations, including mortgage origination companies, evaluate their exposure to these risks and take steps to protect themselves. Commercial mortgage brokers often work with other professionals —
from environmental consultants performing due diligence to accountants creating a business valuation — and these third parties often have access to clients’ sensitive information. When working with third-party vendors that have such access, you must take steps to protect your clients’ personal identifiable information.
Brokers and their companies also should have their risk manager do a careful review of anticipated risk in light of their own policies and procedures. This should include a review of insurance policies as well as ensuring that the acts of third-party vendors are covered — even with the existence of the contractual terms recommended below.
The following discussion outlines baseline tasks a company should ask of its third-party vendors such as underwriters, servicers and law firms. Certain concepts, terms and conditions also are recommended when formulating written agreements with vendors that may handle personal identifiable or confidential information.
Vendor inquiry
When attempting to reduce risks and liability associated with handling personal identifiable or confidential information, best practices begin with asking the right questions and requesting the right documentation.
Create a confidential personal-identifiable-information questionnaire, and require vendors to complete it as a condition of initial engagement and at the renewal of existing agreements. Concepts that should be covered in the questionnaire include:
• identification of computer and data storage systems that will be used;
• identification of encryption policies and procedures;
• existence of written policies and procedures relating to the handling and destruction of personal identifiable information;
• identification of policies and procedures implemented to limit access to personal identifiable information;
• description of training given to personnel who will have access to personal identifiable information;
• written policies and procedures relating to a data breach or release of personal identifiable information;
• identification of insurance policies, especially including cyber-risk and coverage relating to data breaches or disclosures.
Contractual provisions
Even if you choose to limit your inquiry of the vendor, in addition to ensuring proper insurance coverage is in place, the insertion of data security and privacy provisions in your contracts is recommended — and in some instances required by law.
Contractual provisions relating to data and data handling should generally:
• acknowledge that the vendor may be receiving personal identifiable information and is responsible for compliance with applicable law;
• mandate compliance with notification requirements to those whose personal identifiable information is being stored by the vendor;
• specify prohibitions against access to and use of information provided;
• mandate minimum safeguard standards;
• mandate processes and procedures relating to destruction and return of personal identifiable information and confidential information;
• mandate requirements in the event of a breach;
• mandate insurance requirements;
• mandate the ability to access premises and review policies, procedures and records;
• mandate compliance with applicable trade industry standards, including, if applicable, Payment Card Industry Security Standards; and
• mandate use of counsel of your choosing when addressing the concepts of defense, indemnity and hold-harmless.
As the costs and expenses associated with an unauthorized data release continue to skyrocket, shifting the risks associated with the handling of personal identifiable information becomes a critical component in risk analysis and contracting. Careful coordination with risk professionals, insurance professionals and legal staff is necessary to help mitigate costs associated with these risks.
Alan M. Burger, a member in McDonald Hopkins LLC, is the co-chair of the firm’s data-privacy and network-security group; he also provides counsel in complex business litigation. Contact: (561) 472-2963 or aburger@mcdonaldhopkins.com. James J. Giszczak, a member in the firm’s West Bloomfield, Mich., office, is the co-chair of the firm’s data-privacy and network-security group; trade secret, non-compete and unfair competition practice; and labor and employment group. Contact: (248) 220-1354 or jgiszczak@mcdonaldhopkins.com.