by Chip Cooper
Posted on March 30, 2009
If you've been following legal developments on the Web in the last couple of years, you know that there is significant concern regarding privacy and data security. This concern is driven by consumers' fears over identity theft.
The Life Is Good Case - 5 Data Security Safeguards
In a well-known case filed against Lifeisgood.com, the Federal Trade Commission (FTC) announced in a press release dated January 17, 2008, that Life Is Good agreed to implement the following 5 administrative, technical, and physical safeguards for data security:
1. Designate an employee or employees to coordinate the information security program.
2. Identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place.
3. Design and implement safeguards to control the risks identified in the risk assessment and monitor their effectiveness.
4. Develop reasonable steps to select and oversee service providers that handle the personal information of customers.
5. Evaluate and adjust its information-security program to reflect the results of monitoring any material changes to the company's operations, or other circumstances that may impact the effectiveness of its security program.
FTC Recommendation No. 4 -- Ignore It At Your Peril
In dealing with my ecommerce clients, I've discovered that the recommendation that is followed least is Recommendation No. 4 -- bind your service providers.
All too often, even the most diligent ecommerce and SaaS businesses focus exclusively on internal security measures in developing their data security policy and program. As the FTC reminds us with recommendation No. 4, it's also very important to consider implementing data security measures in the form of contractual requirements binding service providers who have access to your site -- and to your site's databases where personal information is stored.
The Influence of The Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLB) is a federal statute that permitted consolidation among businesses in the financial services industry. GLB also imposed requirements on financial services businesses to protect the security of consumers' financial information.
Prior to the Lifeisgood.com case, the FTC sued financial service companies in a series of cases known as the "Safeguards Cases" for failure (among other things) to "require service providers, by written contract, to protect consumers' personal information". This requirement has now found its way into the FTC's claims against businesses that are not in the financial services sector, as indicated by the FTC's case against Lifeisgood.com.
The Scenario To Avoid
So, this is the classic liability scenario: you own and operate a website that sells goods or services, but you outsource certain functions to a website hosting, SEO, or website maintenance service provider. Your customers view these service providers' services as provided by you. If a service provider violates a privacy law or causes a data security breach, then -- you guessed it -- your customers who are damaged will seek to hold you liable.
What To Do?
To avoid liability, you should bind your service providers that have access to personal information with legally enforceable agreements. In these agreements, your service providers should agree to abide by your privacy and data security requirements.
In addition, consider the following points for these agreements:
* representations and warranties -- including (i) that your privacy policy requirements will be followed, (ii) that entering into the contract does not violate another agreement, and (iii) all applicable privacy and data security laws will be followed;
* notices, audits, reports, and controls -- including (i) notice of change in privacy or data security practices, (ii) notice of any data security breach, (iii) right to audit at least annually, and (iv) records requirements; and
* indemnities -- including any breach of representations and warranties.
It will be difficult to negotiate an agreement that provides all of the foregoing safeguards; however, merely bringing them up for discussion will nail home the point that you're serious about privacy and data security. At the very least, your agreement should provide for basic levels of privacy and data security protection.
Leading Internet, IP and software attorney Chip Cooper helps small websites achieve website legal compliance with his online contract drafting service - now, your website legal compliance doesn't have to be complicated or expensive. Discover how easy it is to be in compliance in today's highly regulated environment by claiming your FREE Special Report, Determine Which Legal Documents Your Website Really Needs, at ==> http://digicontracts.com/
Copyright 2009 Chip Cooper