This week’s article, which is part of our ongoing weekly series “Cyber Insurance Compliance Insights from FTC Investigations,” will reflect on why it is important for companies to apply sound security practices when developing new products.
Our weekly blog series is a spinoff of the FTC’s new “Stick with Security: Insights into FTC Investigations” series. Each week, this series recaps the FTC’s latest blog insights on data security and explains how these measures can help companies demonstrate cyber insurance compliance. For companies looking to obtain cyber insurance, it is essential to be able to effectively demonstrate that they have implemented baseline security measures.
Based on FTC cases, closed investigations, and questions posed by businesses, below are examples illustrating why it is crucial to implement sound security practices when developing new products.
Any entity that a company does business with can make it vulnerable. As a result, companies must make security a top criterion when choosing the partners and suppliers with which they’ll do business.
Do Your Due Diligence
Home Depot. Target. CVS. All three of these companies had data breaches that were caused by their service providers. As these breaches show, information security is no longer an internal effort; it must be accounted for throughout a company’s entire business network – up and down the supply chain. Whether a data breach results from a direct hit on your company or from a service provider, your company is the data owner and bears direct responsibility for the breach. This is why it is crucial that your company make sure its service providers implement reasonable security measures. Your company’s service providers should be able to demonstrate that they take their security seriously.
When conducting due diligence, some things to consider:
- Does the company meet your risk requirements?
- Does the company comply with all industry and regulatory standards?
- How will the company take appropriate steps to protect your data?
It is highly advisable that all service providers be assessed based on their access to your confidential and proprietary information, their access to your network, and their criticality to your operations.
Put It in Writing
Data breaches are inevitable, especially when you’re outsourcing your data to third parties. When a data breach happens, the company and the service provider must contend with a matrix of obligations governing the disclosure of personal information under federal and state laws and regulations.
Therefore, the company must put in place appropriate contractual protections with each service provider that has access to the company’s sensitive data in order to:
- Specify the service provider’s standard of care and its obligations with respect to the treatment of the company’s sensitive data.
- Minimize the risks and liabilities associated with a service provider’s security breach or the unauthorized use of personal information.
Besides building your company’s security expectations into its contracts with service providers, make sure you have a way of monitoring what they’re doing on your behalf. Long gone are the days when you could let your most prized asset out of your view and simply assume, without giving it any thought, that the party you entrusted would take great care of it. This is why your company must conduct its due diligence and verify compliance with all of the service providers that have access to your company’s data and computer networks.
Cyber Insurance Compliance Insights: Make sure your service providers have cyber insurance
When a data breach is caused by a service provider, your company will want the service provider’s cyber insurance policy to respond and to be considered the primary policy, because the provider breached its contractual obligation to keep your company’s data secure. This is why you want your service provider’s security clauses and cyber insurance liability limits in writing before you contract with them. Failing to do so will leave it too late, and could ultimately be deemed negligence on your part when you submit your company’s cyber insurance claim.
Please be sure to check back next week for more Cyber Insurance Compliance Insights from FTC Investigations.