Published in The Legal Intelligencer 

By Martin T. Tully and Eliza T. Davis

As the U.S. data privacy law landscape continues to evolve, including new regulations promulgated under the CPRA, organizations in many states may find comfort in revised privacy policies, prepared templates and processes for responding to data subject access requests, and updated retention policies in light of data minimization dictates.

Introduction

2023 has been one of the most active years for privacy laws and regulations in the United States. In January, the California Privacy Rights Act (CPRA), which amended the California Consumer Privacy Act (CCPA), and the Virginia Consumer Data Privacy Act (VCDPA) both went into effect. In July, the Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CTDPA) became effective, closely followed by Utah’s privacy law in December. Moreover, in the past two months, five more states have passed comprehensive data privacy laws, which will go into effect in the next couple of years.

As the U.S. data privacy law landscape continues to evolve, including new regulations promulgated under the CPRA, organizations in many states may find comfort in revised privacy policies, prepared templates and processes for responding to data subject access requests, and updated retention policies in light of data minimization dictates. These actions are critical steps to data privacy compliance and preparedness. However, with more companies than ever outsourcing the processing of personal data, how would your organization answer this question: Do you really know how well your vendor has secured your personal data? It may come as a surprise to companies that they cannot simply rely upon the proscriptive and indemnification language in service provider agreements to demonstrate that they have taken sufficient measures to protect outsourced personal data that they control. On the contrary, it is important for businesses to revisit their vendor contracts as more and more GDPR-like data privacy requirements take root in the United States.

Outsourcing Data Functions or Moving Data to the Cloud Has Altered Security Risks

In earlier times, when most personal data was housed on premises, organizations could respond to the above question by stating, “as secure as we could reasonably make it with a variety of controls.” In 2023, however, the answer is more nuanced because over 60% of corporate data is reportedly stored in a cloud environment.

While cloud applications and storage have many advantages, is all that personal data more secure? While companies spend more and more time and resources complying with privacy regulations and making sure their own systems are safe and protected, third-party breaches are the most common type of data breach. Roughly 60% of all data breaches happen via a third-party vendor or provider. Common causes of data breaches with third-party vendors include unauthorized access via a company email account, hacking of an email provider, lack of encryption, insecure websites, and improperly stored log-in information.

Need for Vendor Oversight, Audit, and Enforcement

Not surprisingly, data privacy and cybersecurity requirements increasingly aim to target third-party data breaches. New regulations require companies to ensure that the vendors and service providers they share personal and sensitive data with are equally equipped and vigilant in protecting such information. For example, the CCPA, as amended by the CPRA, requires companies to ensure that their vendors and service providers who handle personal data also comply with privacy regulations. The CPRA provides a right of private action for violations that result in compromised personal data (Civil Code Section 1798.150(a)) and requires that an organization enter into new agreements with service providers and third parties to which the organization discloses personal data it collects, confirming that the service provider or third party will likewise comply with the obligations of the Act (Civil Code Section 1798.100(d)).

More specifically, CCPA-covered businesses must include in their vendor contracts provisions that: ensure the vendors and service providers are complying with the CCPA; and grant the business that owns the data “the right to take reasonable and appropriate steps to ensure” compliance with the act, which may include “ongoing manual reviews and automated scans of the service provider’s system and regular internal or third-party assessments, audits, or other technical and operational testing at least every 12 months.”

Additionally, the CCPA regulations now impose consequences for companies that fail to perform vendor due diligence or risk assessments. The regulation notes that “a business that never enforces the terms of the contract nor exercises its rights to audit or test the service provider’s or contractor’s systems might not be able to rely on the defense that it did not have reason to believe that the service provider or contractor intends to use the personal information in violation of the CCPA and these regulations at the time the business disclosed the personal information to the service provider or contractor.” Thus, failure to include the requisite due diligence rights in the contract and to exercise them could result in the business not only having responsibility for notifying the owner of the data but also being held liable as if the breach had occurred within its own systems. See In re American Medical Collection Agency, Customer Data Security Breach Litigation, No. 19-md-2004, 2021 WL 5937742, at *37 (D.N.J. Dec. 16, 2021). In this regard, covered businesses that do not exercise their audit rights may: risk losing the argument that they should not be held responsible for a data breach or privacy violation that exposes personal data entrusted to a vendor; have a responsibility to notify consumers after a data breach incident; and be liable for any data breach as if the breach had occurred within their own systems.

In sum, under the amended CCPA, contractual agreements and indemnification clauses with strong data protection language are no longer alone sufficient to protect the company in the event of a data breach or privacy violation at a vendor or service provider. In addition, the CCPA, VCDPA, and the CPA require that businesses regularly submit risk assessments when processing personal data that may present a significant risk to a consumer’s privacy, including processing for targeted advertising, profiling, and of sensitive personal data. It is difficult to prepare a risk assessment without conducting due diligence on how vendors and service providers handle the personal data entrusted to them. Thus, companies subject to laws that require regular risk assessments should consider conducting vendor audits.

How Can Companies Comply and Reduce Risk?

The following steps can help companies comply with legal requirements and reduce risks. The first step is to know where your data, and specifically the personal information you collect, resides. This step would be a particularly helpful part of an organization’s information governance program.

The second step is to gather and analyze your contractual arrangements with service providers (cloud and otherwise) that hold the personal information you collect and, in light of the CPRA requirements, to confirm that you have current written contracts with all such service providers.

The third step is to ensure that the terms of all contracts with service providers or contractors that hold the personal information you have collected conform to the requirements of the proposed CPRA regulations. Obligate the third-party service provider or vendor to comply with applicable privacy laws. Reserve the right to take reasonable and appropriate steps to help ensure that the vendor uses the personal data in a manner consistent with the business’s obligations, and to stop and remediate unauthorized use of personal data.

The fourth step is more complex and will entail more significant consideration, namely, depending on the circumstances and data held by the service provider or third party, developing appropriate due diligence protocols, processes, and schedules. In short, the risk assessments you conduct with service providers and third parties must be reasonable and appropriate to the circumstances, so they may vary.

Key Considerations

Notably, state data privacy regulations like the CCPA do not define what it means to audit or test a vendor’s compliance with privacy regulations. So, what should businesses do to fulfill their oversight, audit, and enforcement obligations?

Businesses should consider including in any audit the following questions:

  • What is the vendor doing for security and compliance?
  • What compliance standard did they implement?
  • How does the vendor protect sensitive personal information?
  • Does the vendor outsource any IT or security functions?
  • What were the results of the most recent penetration test?
  • How does the vendor assess the security of the software it uses or develops?
  • How much cyberinsurance does the vendor have (per claim and aggregate)?

In addition, businesses should have a process to document and retain vendor questionnaires and audits. Due to the risks associated with not auditing or testing service providers, companies should make sure to retain all audits and efforts to test their service providers.

Conclusion

Put plainly, it is no longer sufficient only to have a service provider contract with the required provisions in place. The CCPA requires more affirmative scrutiny and has an extra bite. If a business does not meaningfully exercise its audit rights and the vendor fails to comply with legal requirements, the business may be imputed with knowledge of the vendor’s noncompliance and be held liable along with the vendor.

Martin Tully is a partner with the law firm Redgrave LLP. An experienced litigator, he focuses his practice on information law issues, including eDiscovery, information governance, and data privacy and cybersecurity. Martin can be reached at mtullly@redgravellp.com.