Unexpected Liability for Service Providers
With “hacking” and identify thefts becoming all too common place, each service provider must place more and more emphasis on protecting itself from legal liability caused by not only its own actions, but the actions of the company(ies) to whom it outsources. This article provides an introduction to contracting for service providers with an eye toward gaining legal platform upon which to adequately defend itself, if necessary.
In addition to government compliance, which will vary depending upon the industry, any company that collects personal information during the course of providing its services must take steps to safeguard itself from legal liability arising due to unwanted disclosures. One way to provide a legal safety net is to consider the applicable issues in the service provider’s agreement. The following is an abbreviated checklist.
- Whether personally identifiable information will be provided to service provider’s employees, and if so, what measures are taken to narrowly tailor the need to expose such information to only those employees or third parties who need to know in order to provide the service. In considering this, a service provider may want to consider identifying types of employees or third parties that may be exposed to such information, or even listing such persons and having them sign a confidentiality agreement with respect to such information.
- When does a service provider have to notify a customer of a security breach? Is there an obligation to notify customers of a potential privacy-related compliance issue? Or, only when a security breach has occurred? If a security breach is defined, service providers will be required to undertake all tasks from notification to remediation and payment for such remediation upon receipt of a complaint.
- While necessary, service providers will want to limit their contractual obligations to comply with compliance with IT management standards such as the International Organization for Standardization certification.
- If the service provider receives credit card information of customers, then at the very least, the following issues must be considered:
- Limitation of access of personal information to authorized employees or parties
- Securing business facilities, data centers, paper files, servicers, backup systems and computing equipment (mobile and other equip with info storage capability;
- Implementing network/ device application, database and platform security
- Securing info transmission storage and disposal
- Implementing authorization and access controls with media, apps, operating systems and equipment
- Encrypting highly sensitive personal information stored on any mobile media
- Encrypting highly sensitive transmitted over public or wireless networks
- Strictly segregating personal information from and info of service provider or its other customers so that personal information is not commingled;
- Implementing appropriate personnel security and integrity procedures and practices (conducting background checks, and providing appropriate privacy and info security training to service providers’ employees.
If you have any questions regarding your liability for disclosure of personal information, please contact:
Natalie Remien at:
nremien@lgattorneys.com or (312) 368-0100.
Recent Amendments to the Illinois Personal Information Protection Act
The threat of the theft or accidental disclosure of electronic personal information is on the rise. On January 1, 2017, new legislation went in effect amending the Illinois Personal Information Protection Act (the “Act”) to expand the definition of protected personal information and increase certain security and notification requirements for data breaches. Important amendments to the Act include:
- Expanded definition of “Personal Information” for which notice of a breach is required to include certain medical and online account information. The definition of “Personal Information” includes an individual’s first name or first initial and last name and any of the following:
- social security number;
- driver’s license or State identification card number;
- account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
- medical information (including any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional, including such information provided to a website or mobile application);
- health insurance information (including an individual’s health insurance policy number or subscriber identification number or any other unique identifier); and
- unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.
The definition of “Personal Information” also includes an individual’s user name or email address in combination with a password or security question and answer that would permit access to an online account.
- Expanded Notification Requirements. If a security breach involves an individual’s user name or email address, in addition to a password or security question answer that can allow access to an online account, notice is required to inform the individual that his account information has been breached and that he should promptly change his user name or password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the individual uses the same user name or email address and password or security question and answer.
- Expanded Data Security Requirements for Data Collectors. Any data collector that owns, maintains, stores, or licenses records that contain Personal Information must implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.
- Compliance with HIPPA. The Act also provides that any covered entity or business associate that is subject to and in compliance with the privacy and security standards for the protection of electronic health information established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (“HIPPA”) and the Health Information Technology for Economic and Clinical Health Act shall be deemed to be in compliance with the provisions of the Act, provided that notification of a breach is provided to the Illinois Attorney General within five business days of notifying the Secretary of Health and Human Services.
If you have any questions regarding the Personal Information Protection Act’s application to your business or your obligations under the Act, please contact:
koneill@lgattorneys.com or 312-368-0100.