
Know the Law: Who is liable for data breach?

Written by: Ramey D. Sylvester

Published in the Union Leader (12/19/2016)

Q: My company handles a lot of sensitive customer information (medical, financial, biographical) and has relationships with third-party service providers that have access to the information. Can my company be held liable to our customers for my service provider’s mishandling of that data?

A. Bad news first.  Not only may your company be liable to your customers, your company may have to engage in costly notification and disclosure efforts, and may be subject to governmental auditing and penalties, all due to your service provider’s mishandling of your customers’ sensitive information.

In today’s computer and cloud-based business world, customer data can be accessed, and is often stored, by a company’s service provider or “vendor.” Vendors providing services such as software as a service (SaaS), payment processing, accounting, document destruction, and external IT all commonly have access to, and store, sensitive information of their clients’ customers.  Even your office supply delivery company, cleaning service, and building maintenance company have access to your customer information and could cause a breach either knowingly or accidentally.

Depending on the privacy laws and regulatory requirements your company is subject to, you may be required to ensure that vendors are equipped to properly secure your sensitive customer data.  Regardless, your company will be responsible for your vendors’ failure to maintain the confidentiality of your customer data and for choosing to work with a vendor that is not data security compliant.  Should your vendor suffer a data breach, your company will be on the hook for customer notification requirements, governmental investigations, and penalties, in addition to any customer legal action. 

So what can you do to minimize these risks?  Establish a vendor management program to assess your vendors’ ability to handle sensitive customer data.  If the vendor will be handling sensitive customer data, make sure that the vendor has a data security policy and data breach response plan.  Further, require the vendor to have cyber insurance policies that will cover the costs of data breaches, and have the vendor sign a data security agreement that will require it to maintain the confidentiality of the customer data, require it to indemnify your company for unauthorized disclosures of customer data, and establish auditing rights that will enable your company to ensure that the vendor is maintaining its data security standards.

The bottom line is that since your company will be responsible for the mistakes of your vendors, you should take appropriate legal steps to protect your company and your customers.  

Ramey can be reached at [email protected].

Know the Law is a bi-weekly column sponsored by McLane Middleton, Professional Association.   We invite your questions of business law.  Questions and ideas for future columns should be addressed to:  McLane Middleton, 900 Elm Street, Manchester, NH 03101 or emailed to [email protected].  Know the Law provides general legal information, not legal advice.  We recommend that you consult a lawyer for guidance specific to your particular situation.
