On September 15, 2017, the Federal Trade Commission published the ninth blog post in its “Stick with Security” series. As previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled Stick with Security: Make sure your service providers implement reasonable security measures, highlights the importance of companies ensuring that the service providers they engage implement reasonable security measures.
The FTC’s post describes three ways companies can ensure that their service providers implement appropriate security measures:
- Conduct Due Diligence: Just as a consumer wouldn’t buy a used car without inspecting it first, companies should take reasonable steps to understand how information they place in another’s control will be used and secured.
- Put It in Writing: Companies should ensure that security expectations, performance standards and monitoring methods are reduced to writing in a contract. This may include, for example, ensuring a service provider has firewalls in place, encrypts data at rest or in transit, and implements intrusion detection systems.
- Verify Compliance: Even after companies have included security-related provisions in their contracts with service providers, prudent companies will regularly monitor and verify that service providers are indeed complying with the contractual requirements.
The guidance concludes by noting that the key message for companies is that they should build their security expectations into their contracts and make sure there is a way to monitor that the service providers are meeting those expectations.
The FTC’s next blog post, to be published on Friday, September 22, will focus on putting procedures in place to keep companies’ security current and address vulnerabilities that may arise.
To read our previous posts documenting the series, see FTC Posts Eighth Blog in its “Stick with Security” Series, FTC Posts Seventh Blog in its “Stick with Security” Series, FTC Posts Sixth Blog in its “Stick with Security” Series, FTC Posts Fifth Blog in its “Stick with Security” Series, FTC Posts Fourth Blog in its “Stick with Security” Series, FTC Posts Third Blog in its “Stick with Security” Series and FTC Posts Second Blog in its “Stick with Security” Series.