The Red Flags Rule and What It Means for Procurement
No one can ever be certain how much security is enough, but there are contractual ways to give your employer some degree of protection. In some cases, the Federal Government is also “here to help.”
Let’s first dispense with the latest round of “assistance” from the government—the so-called “Red Flags Rule” promulgated by the Federal Trade Commission (FTC).
According to the FTC, the Red Flags Rule requires certain businesses (check the regs to see if you or your supplier is subject) to implement a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate the damage it inflicts. By identifying red flags in advance, such organizations will be better equipped to spot suspicious patterns when they arise and take steps to prevent a red flag from escalating into a costly episode of identity theft.
While only certain businesses (though many of them) are covered under the Red Flags Rule today, it’s very possible that other businesses will become subject to it in the future. In any case, the rule gives you good insight into the identity theft prevention programs that all organizations may eventually implement, whether they’re required to or not. You may decide to adopt a watered-down version of the rule in your procurement contracts, holding suppliers not already subject to the Red Flags Rule to a higher standard in protecting your organization’s data. Be forewarned: some suppliers won’t be happy to see the language, but it’s better to ask and hear “no” than not to ask at all.
The Red Flags Rule requires that “service providers” who have access to the information protected by the regs also comply with your organization’s Red Flags procedures. If the service provider is conducting activities covered by the Red Flags Rule – for example, opening or managing accounts or billing customers – then the obligation to comply applies to them as well.
The FTC recommends monitoring your service providers, which can include giving them a copy of your Red Flags Identification Program, reviewing their own red flags policies, or requiring periodic reports about red flags they have detected and how they responded. Keep in mind that an organization’s Red Flags procedures are not intended to replace other information security procedures, but to form an integral part of an overall information security program.
Now on to some contractual goodness relating to information security, where you’re drafting a contract with a service provider who will have access to information your organization wants to protect. It’s assumed that you have an information security policy in place or in the works. The policy is the document in which you establish the overall framework of your procedures to protect the varying types of important information your organization collects in order to serve its customers and provide employees with a good working environment.
Even if you already have a confidentiality agreement in place with a supplier, you may still be in a situation where you want additional protection and want to add an additional information security clause in a separate contract.
This additional protection isn’t about protected health information (PHI), since of course the HIPAA requirements would apply there. That requires an entirely different set of standards and is beyond the scope of this article. Instead, the focus is on a “type” of information that sits somewhere between ordinary confidential information and PHI. For purposes of this article, that type of information is “protected data”, and that is the term used in the example provision below. Your state’s requirements are an important baseline here: your state may well have its own definition of protected data and requirements to protect it. As always, all proposed contract terms should be reviewed by your attorney for compliance with state and local law.
Put simply, this additional contract term obligates a service provider to maintain certain information security standards. Here is a tried and tested example drafted by members of NRECA’s Vendor Management Office:
XX. Information Security.
Service Provider acknowledges that [Your Organization Here] has implemented an information security program (the [Your Organization Here] Information Security Program, as the same may be amended) to protect [Your Organization Here]’s information assets, such information assets as further defined and classified in the [Your Organization Here] Information Security Program (collectively, the “Protected Data”). Where Service Provider has access to the Protected Data, Service Provider acknowledges and agrees to the following.
XX.1 Undertaking by Service Provider. Without limiting Service Provider’s obligation of confidentiality as further described herein, Service Provider shall be responsible for establishing and maintaining an information security program that is designed to: (i) ensure the security and confidentiality of the Protected Data; (ii) protect against any anticipated threats or hazards to the security or integrity of the Protected Data; (iii) protect against unauthorized access to or use of the Protected Data; (iv) ensure the proper disposal of Protected Data; and (v) ensure that all subcontractors of Service Provider, if any, comply with all of the foregoing. In no case shall the safeguards of Service Provider’s information security program be less stringent than the information security safeguards used by the [Your Organization Here] Information Security Program as provided by [Your Organization Here] to Service Provider for this purpose. The [Your Organization Here] Information Security Program is Confidential Information of [Your Organization Here].
XX.2 Right of Audit by [Your Organization Here]. [Your Organization Here] shall have the right to review Service Provider’s information security program from time to time during the term of this Agreement. During the performance of the Services, on an ongoing basis from time to time and without notice, [Your Organization Here], at its own expense, shall be entitled to perform, or to have performed, an on-site audit of Service Provider’s information security program. In lieu of an on-site audit, upon request by [Your Organization Here], Service Provider agrees to complete, within forty-five (45) days of receipt, an audit questionnaire provided by [Your Organization Here] regarding Service Provider’s information security program.
XX.3 Audit by Service Provider. During the term of this Agreement, no less than annually, Service Provider shall conduct an independent third-party audit of its information security program and provide such audit findings to [Your Organization Here].
XX.4 Audit Findings. Service Provider shall implement any required safeguards as identified by [Your Organization Here] or by information security program audits.
XX.5 Indemnification by Service Provider. Without limiting Service Provider’s other obligations of indemnification herein, Service Provider shall defend, indemnify, and hold [Your Organization Here] Indemnitees harmless from and against any and all Claims, including reasonable expenses suffered by, accrued against, or charged to or recoverable from any [Your Organization Here] Indemnitee, on account of the failure of Service Provider to perform its obligations imposed herein.
If you’re comfortable with this language, and after you’ve checked it with your counsel to address any state-specific issues, it’s recommended that you spend some time with those service providers with whom you will be sharing your protected data. Once they know how seriously you take your responsibility to protect your customers’ and employees’ information, they’re likely to be more amenable to your organization’s needs.

Is this same language incorporated into your SaaS template?
I got a really ugly SaaS license agreement that is so woeful it made me cry after reading it.
No, not yet. But I'll get around to updating it at some point. I'm still developing Red Flag language internally. If you come across some, let me know. Thx!