ARCHIVED CONTENT
You are viewing ARCHIVED CONTENT released online between 1 April 2010 and 24 August 2018 or content that has been selectively archived and is no longer active. Content in this archive is NOT UPDATED, and links may not function.

Extract from article by Zoe Argento, Philip Gordon, and Andrew Epstein
Before entrusting the vendor with personal information, the employer should execute a contract with the vendor that addresses the parties’ obligations and rights regarding personally identifiable information. At minimum, the vendor contract should stipulate that the vendor:
- promptly notify the employer of a data breach and provide all the information necessary for the employer to provide notifications satisfying applicable law;
- notify affected individuals under the direction of the employer;
- mitigate the harmful effects of a data breach, including reimbursing the employer for all the employer’s reasonable costs that result from the vendor’s data breach;
- indemnify the employer for all third-party claims arising out of the vendor’s data breach;
- maintain insurance that covers data breach response costs and liability for data breaches; and
- return or destroy an employer’s data at the end of the engagement.
A contract covering data security is not only a recommended practice; some laws require companies to obtain a written agreement regarding data security from vendors. For example, HIPAA requires that covered entities sign a contract with any “business associate” that handles protected health information on behalf of the covered entity. The HIPAA regulations explicitly require that the contract include a long list of data security provisions. The GDPR includes a similarly detailed list of provisions that EU employers must include in the contracts with vendors that process EU personal data on their behalf.
Read the complete article at Vendor Breaches and Their Implications for Employers