Companies are increasingly entrusting third party service providers (e.g. cloud storage, IT outsourcing, data processing etc.) with their most valuable confidential data and information and relying on those service providers to ensure the security of that confidential data and information.
So the big question is, once you have handed over your confidential information to your supplier or allowed them to have access to your internal systems, how can you be sure that they will treat your confidential information with the same degree of care as you?
As the volume of data and information that we need to store keeps growing, and the ways in which we store it become more and more complex, the measures needed to keep that data and information safe and secure also need to change.
These are some of the key ways that you might ensure that your supplier keeps your data secure:
1. Enter into a confidentiality agreement with your prospective supplier or supplier
A “no-brainer”, especially as a “standard form” confidentiality agreement can be drafted to cover your particular business requirements. Once you have an appropriate standard form confidentiality agreement, you can then require each and every one of your service providers to sign up to it.
2. Before appointing your supplier, carry out due diligence on them
- What operational and technical measures do they have in place to ensure the security of your confidential information?
- Do they have any security accreditations (e.g. ISO standard or “Cyber Essentials”)?
- Do they come recommended?
3. Before appointing your supplier, and on an ongoing basis once you have appointed your supplier, assess the risks involved in them having access to your data
- What data do they have access to?
- How do they access that data?
- What could happen to that data?
- How will you know if something happens to your data?
- What action needs to be taken if something happens to your data?
4. Ensure that your supply agreement is drafted in such a way as to form the blue print for your relationship
- What plans, policies and procedures must your supplier follow: yours, theirs, ones specifically drafted for the contract, or a combination of all three? As a minimum these should include:
  - data security: the physical (e.g. all doors with locks on them must be kept locked at all times), organisational (e.g. only employees at management level should access data) and technical (e.g. all data is to be encrypted) measures that need to be in place;
  - business continuity and disaster recovery plan; and
  - incident response plan.
- What training must your supplier give to its employees and contractors to ensure that they are competent and aware of the obligations placed on them under the supply agreement?
- What monitoring and reporting must your supplier submit to, including regular review meetings, assessments against key performance indicators, escalation procedures and ongoing risk assessments?
- What procedures should be followed if one or both parties wishes to amend or adapt the contract to guard against new threats or different ways of handling confidential information?
- What are the contractual consequences of a breach by your supplier: is it possible to take action to remedy the breach, should the supplier be given another chance, or is it time to terminate the contract?
- What standards, awards and accreditations must your supplier achieve and maintain?
- What types and levels of insurance cover must your supplier have?
5. Keep everything under review
- Is your supplier complying with its obligations under your supply agreement?
- How is your data changing?
- Are there new ways of storing your data?
- Are there new ways of protecting your data?
With data security breaches being costly (including reputational damage, fines from regulators, increases in insurance premiums etc.), it is important to ensure that you have mechanisms and checks in place to ensure that your data is secure whoever holds it or wherever it is held.
Freeths can assist you in all aspects of data and information security, including drafting and negotiating appropriate documentation to ensure that you manage the risks associated with giving your third party service providers access to your confidential data and information.
This note does not cover the specific requirements under Data Protection legislation in relation to Personal Data, but such issues are likely to be relevant if you are handing over documents containing Personal Data to your supplier.
If you would like further information or assistance, please get in touch on 01782 202020 or email firstname.lastname@example.org.
Sarah Beardmore is a Senior Associate in Freeths' Commercial team, based in our Stoke-on-Trent office. Sarah has a broad range of commercial expertise dealing with commercial contracts, outsourcing arrangements, franchising, intellectual property, information technology and data protection and privacy.