If you've been following legal developments on the Web in the last couple of years, you know that there is significant concern regarding privacy and data security. This concern is driven by consumers' fears over identity theft.

In a well-known case filed against Lifeisgood.com, the Federal Trade Commission (FTC) announced in a press release dated January 17, 2008, that Life Is Good agreed to implement the following 5 administrative, technical, and physical safeguards for data security:

     1.  Designate an employee or employees to coordinate the information security program.

     2.  Identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place.

     3.  Design and implement safeguards to control the risks identified in the risk assessment and monitor their effectiveness.

     4.  Develop reasonable steps to select and oversee service providers that handle the personal information of customers.

     5.  Evaluate and adjust its information-security program to reflect the results of monitoring any material changes to the company's operations, or other circumstances that may impact the effectiveness of its security program.

In dealing with my ecommerce clients, I've discovered that the recommendation that is followed least is Recommendation No. 4 -- bind your service providers.

All too often, even the most diligent ecommerce and SaaS businesses focus exclusively on internal security measures in developing their data security policy and program. As the FTC reminds us with recommendation No. 4, it's also very important to consider implementing data security measures in the form of contractual requirements binding service providers who have access to your site -- and to your site's databases where personal information is stored.

The Gramm-Leach-Bliley Act (GLB) is a federal statute that permitted consolidation among businesses in the financial services industry. GLB also provided requirements for financial services businesses to protect the security of consumer's financial information.

Prior to the Lifeisgood.com case, the FTC sued financial service companies in a series of cases known as the "Safeguards Cases" for failure (among other things) to "require service providers, by written contract, to protect consumers' personal information". This requirement has now found its way into the FTC's claims against businesses that are not in the financial services sector, as indicated by the FTC's case against Lifeisgood.com.

So, this is the classic liability scenario: you own operate a website that sells goods or services, but you outsource certain functions to a website hosting, SEO, or website maintenance service provider. These service providers' services are viewed by your customers as provided by you. If a service provider violates a privacy law or creates a data security breach, then -- you guessed it -- your customers who are damaged will seek to hold you liable.

To avoid liability, you should bind your service providers that have access to personal information with legally enforceable agreements. In these agreements, your service providers should agree to abide by your privacy and data security requirements.

In addition, consider the following points for these agreements:

• representations and warranties -- including (i) that your privacy policy requirements will be followed, (ii) that entering into the contract does not violate another agreement, and (iii) all applicable privacy and data security laws will be followed;
• notices, audits, reports, and controls -- including (i) notice of change in privacy or data security practices, (ii) notice of any data security breach, (iii) right to audit at least annually, and (iv) records requirements; and
• indemnities -- including any breach of representations and warranties.

It will be difficult to negotiate an agreement that provides all of the foregoing safeguards; however, merely bringing them up for discussion will nail home the point that you're serious about privacy and data security. At the very least, your agreement should provide for basic levels of privacy and data security protection.

Copyright © 2009 Chip Cooper

This article is provided for educational and informative purposes only. This information does not constitute legal advice, and should not be construed as such.

WANT TO USE THIS ARTICLE IN YOUR EZINE OR WEBSITE? You may, as long as you reprint the article in its entirety with live links and include this blurb with it:

Leading Internet, IP and software lawyer Chip Cooper has automated the process of selecting and drafting website documents for small websites with his MyLegalFirewall website documents drafting service. Discover how quick, easy, and cost-effective it is to determine which legal compliance documents you need and to draft them online. Grab your FREE Special Reports, Determine Which Legal Documents Your Website Really Needs, Draft Your Own Website Privacy Policy, and Write Your Own Website Marketing Copy – Legally, at ==> http://www.digicontracts.com/