Reed Smith Client Alerts

Increasingly, organizations look to third parties to collect, process, and store their data.  In some instances, organizations reduce their net risk by outsourcing these data functions to companies with a core competence in data protection.  In many other cases, the economic benefit of outsourcing can come at a compliance cost. Estimates of how often data breaches are caused by third-party vendors and service providers vary widely. We have seen estimates from 12 percent to 63 percent.1 Below, we identify key considerations for organizations to reduce this compliance and data protection risk.

1. Conduct Privacy and Data Protection Risk Assessments that Cover Third Parties

Conducting a comprehensive privacy and data protection risk assessment can help an organization mitigate its risk exposure. Risk assessments should cover third-party access to its data, systems, and facilities. The assessments help an organization identify threats and vulnerabilities, and take steps to mitigate them. The Federal Trade Commission first imposed this requirement on financial institutions pursuant to the Gramm-Leach-Bliley Act2, and it has expanded to cover other entities.3 Often, parties can leverage existing assessments conducted by trusted third parties. The documentation associated with a draft and final contract should record an organization’s key understandings of data access, and the organization should have a process in place to revisit the sufficiency of controls before allowing the vendor more extensive access.