ARTICLE | From Scotsman Guide Commercial Edition | January 2011

Don’t Risk Customers’ Data

Protect your business when a vendor handles clients’ personal information

Many companies are under the mistaken and dangerous impression that outsourcing risky tasks involving personal identifiable information to third parties equates to outsourcing the liability associated with those tasks. In fact — aside from the traditional legal concept of agency, under which the acts of a third-party vendor are attributed to the principal — current laws, rules and regulations specifically do not allow a total shifting of the risk and liability associated with the handling of personal identifiable and confidential information. Massachusetts, for instance, mandates that companies take steps to ensure that their third-party vendors are compliant with its laws with respect to personal information.

It is important that organizations, including mortgage origination companies, evaluate their exposure to these risks and take steps to protect themselves. Commercial mortgage brokers often work with other professionals — from environmental consultants performing due diligence to accountants creating a business valuation — and these third parties often have access to clients’ sensitive information. When working with third-party vendors that have such access, you must take steps to protect your clients’ personal identifiable information.

Brokers and their companies also should have their risk manager do a careful review of anticipated risk in light of their own policies and procedures. This should include a review of insurance policies, with particular attention to whether the acts of third-party vendors are covered, because the contractual terms recommended below do not by themselves replace coverage.

The following discussion outlines baseline tasks a company should ask of its third-party vendors such as underwriters, servicers and law firms. Certain concepts, terms and conditions also are recommended when formulating written agreements with vendors that may handle personal identifiable or confidential information.

Vendor inquiry

When attempting to reduce risks and liability associated with handling personal identifiable or confidential information, best practices begin with asking the right questions and requesting the right documentation.

Create a confidential personal-identifiable-information questionnaire, and require vendors to complete it as a condition of initial engagement and at the renewal of existing agreements. Concepts that should be covered in the questionnaire include:

  • Identification of computer and data storage systems that will be used;
  • Identification of encryption policies and procedures;
  • Existence of written policies and procedures relating to the handling and destruction of personal identifiable information;
  • Identification of policies and procedures implemented to limit access to personal identifiable information;
  • Description of training given to personnel who will have access to personal identifiable information;
  • Written policies and procedures relating to a data breach or release of personal identifiable information;
  • Identification of insurance policies, especially cyber-risk coverage and any coverage relating to data breaches or disclosures.

Contractual provisions

Even if you choose to limit your inquiry of the vendor, you should, in addition to ensuring that proper insurance coverage is in place, insert data-security and privacy provisions in your contracts; in some instances the law requires them.

Contractual provisions relating to data and data handling should generally:

  • Acknowledge that the vendor may be receiving personal identifiable information and is responsible for compliance with applicable law;
  • Mandate compliance with notification requirements to those whose personal identifiable information is being stored by the vendor;
  • Specify prohibitions on access to and use of the information provided other than as needed to perform the engagement;
  • Mandate minimum safeguard standards;
  • Mandate processes and procedures relating to the destruction and return of personal identifiable information and confidential information;
  • Mandate requirements in the event of a breach;
  • Mandate insurance requirements;
  • Mandate the ability to access premises and review policies, procedures and records;
  • Mandate compliance with applicable trade industry standards, including, if applicable, Payment Card Industry Security Standards; and
  • Mandate use of counsel of your choosing when addressing the concepts of defense, indemnity and hold-harmless.

As the costs and expenses associated with an unauthorized data release continue to skyrocket, allocating the risks associated with the handling of personal identifiable information becomes a critical component of risk analysis and contracting. Careful coordination with risk professionals, insurance professionals and legal staff is necessary to help mitigate the costs associated with these risks.
