When someone else is the target of a data breach, you might think you couldn’t possibly be held responsible. That holds true in some cases, but when you’re working in a digital world where outsourcing is common, there’s a catch.
“Any sensitive data you’re in possession of must be protected by you at all times,” according to experts at B2B integration platform Adeptia. “If you pass that data on to someone else and they mishandle it, you can be held responsible if you were never supposed to give them access to that data in the first place.”
The reality is, many contractors outsource to other contractors without express written permission from their client. If you do that, it’s not only a breach of contract, but it’s also a quick way to make your client the next data breach victim.
Don’t sign anyone else’s contract without adding data security clauses
Traditionally, the person paying for services signs the agreement belonging to the person performing the work. Sometimes that doesn’t work because both parties are attached to specific clauses in their agreements, and both want their agreements signed. You could negotiate for days and weeks trying to find a solution, or you can do what most people do – sign both agreements.
Not following data security best practices is just one mistake that can tank your digital marketing efforts. Without a clause that requires data security practices to be followed, you won’t have any legal recourse.
If you’ve got a data security clause in your agreement, but the other person doesn’t, push them to add one to their agreement before signing. If you end up in court, the judge might find a reason to toss out your agreement and only consider the other person’s.
Five details to include in your data security clause:
1. Email communications.
After signing the contract(s) with your contractor, you’ll be sending them sensitive information via email and attachments. You might be set up to send encrypted emails, but that might not be your contractor’s MO.
You need a clause requiring that all email communications be encrypted end-to-end. Habits are hard to break, and some people may not understand why their Microsoft or Gmail account isn’t already secure. They may not understand that Gmail’s encryption only protects a message while it’s on Gmail’s servers; on the way to its destination, an email passes through many other servers that Gmail doesn’t control.
If data isn’t encrypted when it leaves their mailbox, it’s vulnerable. To make it easy, give them access to a third-party end-to-end encryption tool like Virtru, at least for the time they work for you.
2. Prohibit note taking in email drafts.
Make sure your contractor isn’t taking notes inside of an email draft. It’s convenient, but it’s risky when you’re dictating passwords and account information.
3. Password communication rules.
Never allow passwords to be sent via email if you can help it. Require a phone conversation or a password-protected PDF document. Think twice before sending passwords through encrypted email. Although the passwords will be safe from hackers, if your contractor’s laptop is stolen and they haven’t signed out of their email, the thief will have access to the email with your password. Also, never allow contractors to save your passwords in their browser for the same reason.
4. A document delete clause.
A contractor that works from several different machines will need to make copies of your documents to make them available from each machine. A clause that requires the contractor to document each copy of a document they make is a good idea. Additionally, require them to delete certain documents you don’t want them to retain. Of course, you’ll have to take them at their word, but if you end up in court later, you’ve got proof they agreed to delete those files.
5. Using public Wi-Fi to perform work.
When you hire a contractor, they’re probably going to perform some of the work from a coffee shop or restaurant. The Wi-Fi networks in most public places aren’t secure. They require no password and leave everyone vulnerable to malicious man-in-the-middle attacks.
Make sure your contractor understands the importance of keeping your data secure. If they must use public Wi-Fi, require them to connect using a VPN that encrypts their data. Make a special request that they not access your FTP account unless they’re on a secure network. This may not be possible if they rely completely on public networks, but it doesn’t hurt to make the request.
Take data protection seriously
By creating data security clauses, you’re protecting your data as well as anyone else’s data you need to transmit to a third party. Data breaches come with hefty fines of up to $1.5 million per year, so there’s no reason to take a chance.