You Are The Company You Keep: Managing Third Party Privacy Risk

Lerners LLP
Lerners LLP is one of Southwestern Ontario’s largest law firms with offices in London, Toronto, Waterloo Region, and Strathroy. Ours is a history of over 90 years of successful client service and representation. Today we are more than 140 exceptionally skilled lawyers with abundant experience in litigation and dispute resolution(including class actions, appeals, and arbitration/mediation,) corporate/commercial law, health law, insurance law, real estate, employment law, personal injury and family law.
Privacy regulators across Canada are signalling an increased focus on a particular risk area: namely, reliance on service providers. In the past few weeks, we have seen a few key developments:

  • The announcement of a joint investigation by the Privacy Commissioner of Canada and the Privacy Commissioner for British Columbia into a company relied on by landlords for background screening of potential tenants.
  • The release of a new guidance document, Privacy and Access in Public Sector Contracting with Third Party Service Providers, by the Information and Privacy Commissioner of Ontario (see the bulletin drafted by Jennifer Hunter, Privacy and Access Considerations When Contracting With Third Parties: The IPC Provides New Guidance to Public Entities) for organizations subject to Ontario's Freedom of Information and Protection of Privacy Act (FIPPA). The guidance builds on the positions articulated in the IPC's Privacy Complaint Report[1] from February 2024 regarding McMaster's use of third party proctoring software (the “McMaster IPC Report”).
  • The Privacy Commissioner of Canada released its Annual Report to Parliament on June 6. One of the breach trends identified in the Report related to service providers: “Breach reports showed that third-party service providers, particularly IT and software providers, were targeted more frequently by threat actors.”

Further, the recently reported Ticketmaster privacy breach involved a service provider. By way of a filing with the US Securities and Exchange Commission, Live Nation (Ticketmaster's parent company) stated: “On May 20, 2024, Live Nation Entertainment, Inc. (the “Company” or “we”) identified unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary) ….”[2] [emphasis added]

These events serve as a good opportunity to revisit what has always been an important topic. What are the risks that arise from relying on service providers to handle personal information and how can those risks be best managed?

YOU CANNOT OUTSOURCE ACCOUNTABILITY

It is a common misconception that if a service provider experiences a data breach, they are the primary party accountable for it. It is true that there can be some direct accountability for service providers under privacy laws. For example, the European Union's GDPR includes various provisions that apply directly to data processors, bringing them into the scope of regulatory oversight. Ontario's health privacy law (PHIPA) imposes certain (minimal) requirements on service providers. And in Canada's proposed Consumer Privacy Protection Act[3] there is an explicit obligation for service providers to notify the controlling organization of any breach of security safeguards. But it is the organization that controls the personal information (PI) that bears primary responsibility for it, and this includes responsibility for the actions of any service providers it engages to handle that PI. For example, in the Personal Information Protection and Electronic Documents Act, or PIPEDA (the federal privacy legislation currently in effect), this requirement is set out as follows:

4.1.3 An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

Under PIPEDA, like many other privacy laws, a transfer for the purpose of processing PI is considered a “use” (not a disclosure) by the controlling organization. So, while there may be some risk allocation through contract to a service provider (e.g., costs for a breach), if it's your information, it's your breach, which means you answer to the regulator, and to the individual whose information was affected, for it. Therefore, it is critical to trust the service provider you are dealing with. Trust comes from knowledge and control.

KNOW THY PROVIDER

Accountable organizations are expected to conduct due diligence on their service providers' data handling and security practices to evaluate and manage the related risks. For mature, sophisticated companies, this can be a meaningful exercise, in which detailed information is exchanged through questionnaires and discussions. But for smaller companies, this process can be difficult. Proper due diligence requires experienced resources (who know what to ask and how to evaluate the answers) and cooperation from the service providers themselves, who may not be willing to commit many resources to this task when only a small contract is at stake.

This lack of transparency can lead to a company being caught off guard by how its providers are behaving. For example, there have been a number of high profile incidents involving the Meta (formerly Facebook) Pixel, which is a piece of code that website owners can add to their websites to allow tracking of user interactions on those websites, such as page views, purchases, and other activities. This data is then used for various purposes, including ad targeting, analytics, and conversion tracking. Through various investigations, The Markup revealed that many entities using the Pixel were sending highly sensitive information (e.g., medical conditions, prescriptions, mortgage application details, information from tax filings) to Meta without even realizing it.[4]

Further, many service providers will market themselves as compliant with various privacy laws as a way of assuring potential customers that they can be trusted, but these claims can be exaggerated or even outright false, particularly when coming from providers located in the United States. This issue was recently addressed by the Federal Trade Commission in its complaint against online therapy provider BetterHelp. The FTC alleged that BetterHelp had engaged in deceptive marketing practices by implying to its customers that a third party had reviewed its privacy and information practices and determined they met the requirements of the federal health privacy law (the Health Insurance Portability and Accountability Act, or HIPAA):

“66. By displaying the HIPAA seals on every page of the Multi-Sites, Respondent signaled to consumers that a government agency or other third party had reviewed Respondent's privacy and information security practices and determined that they met HIPAA's requirements. In addition, Respondent represented to consumers that it was in fact “HIPAA certified,” with its customer service representatives informing consumers that “[y]ou will also be able to see our HIPAA certification at the bottom of” our webpages.

67. However, no government agency or other third party reviewed Respondent's information practices for compliance with HIPAA, let alone determined that the practices met the requirements of HIPAA.”[5]

So it is important to gather intelligence from as many sources as possible before engaging a service provider and apply a healthy dose of skepticism to any assurances provided. Sometimes industry groups will do certain types of investigation of vendors on behalf of their community. Also, the government agency Ontario Health oversees a provincial verification process for virtual healthcare solutions.

But knowing your provider is not enough; you must also control that provider.

CONTROL THY PROVIDER

Since the controlling organization remains responsible for the information, it is essential to have a contract with a service provider that binds them to behave in a way that allows that organization to meet its legal obligations. The contract should set limits on who can access the information and for what purposes; it should set out how the information will be secured; and it should address what will happen if/when a privacy incident occurs, including obligations to cooperate with the controlling organization for incident management and share in the financial burden of any ensuing damage.

Although technically specific to FIPPA, the direction from the IPC on service provider contracts, as articulated in the McMaster IPC Report and the new guidance document, Privacy and Access in Public Sector Contracting with Third Party Service Providers, is instructive, as it highlights key topics which should be addressed in any agreement:

  • Ownership of Data. The entity who owns the data, controls the data. The contract must be clear that the service provider does not receive any ownership in the PI it is handling on behalf of the accountable party.
  • Confidential Information. There must be a clear definition of the type of information to be protected and a requirement that anyone who will access it will keep it confidential.
  • Collection, Use and Disclosure. The service provider should be restricted to only handling the information in the manner required to perform the services, in accordance with the instructions provided to it.
  • Notice of Compelled Disclosure. The contract should require the service provider to notify the accountable party in the event it is subject to a requirement to disclose any of the PI. This allows the accountable party the opportunity to intervene, if appropriate, to challenge the disclosure.
  • Subcontracting. It is important that the PI be protected in a consistent manner throughout the supply chain. As a best practice, if a service provider is permitted to itself rely on other entities when providing the services, the contract should require that it first get the approval of the accountable party, and it must also agree to flow down the same protections in any contract with its own providers.
  • Security Controls. The contract should set clear expectations on the security controls that will be in place to protect the PI and it should include obligations to report on any incidents or unauthorized activity that occurs, so that the accountable party is then positioned to respond to and address any issues involving its PI.
  • Audits. It is standard to include a right to audit a service provider periodically to evaluate its compliance with the contract. The frequency and scope of the audit right is typically negotiated.
  • Retention and Destruction. When an agreement is at an end, the service provider generally does not require further access to the PI and, therefore, it should be returned or destroyed. There can be negotiated and time-limited exceptions for matters such as legal compliance and record keeping obligations.

And, of course, in addition to the provisions regarding protection of the PI, there is also a need to address financial risk allocation through indemnities and insurance clauses.

Of course, imposing restrictions on service providers can be easier said than done. Many companies do not have the negotiating power to require a provider to comply with the requirements to which the company itself is subject. Agreements with cloud providers, in particular, tend to be in the form of click-wrap agreements, which are simply “take it or leave it” arrangements. A helpful strategy when dealing with providers is to identify those who can demonstrate compliance with a relevant certification as determined by an independent, trusted party. For example, compliance with the ISO 27001 or 27701 standards or a SOC 2 certification provides some assurance about the information handling practices of a service provider. If these certifications exist, it is important to document them in the contract and require that evidence of continued compliance be provided throughout the term of the contract.

An often overlooked aspect of a service provider relationship is the need for a clear delineation of responsibility between the service provider and the customer. The protection of PI requires strong collaboration between the parties, and the manner in which a customer uses a service will affect the security of the PI. The customer must understand the functionality and settings it can, and should, take advantage of to keep the PI secure. For example, there have been reports that link the Ticketmaster breach to the cloud storage company Snowflake.[6] Snowflake has reported a campaign by external actors targeting Snowflake customer databases; however, it attributes the issue to stolen customer credentials rather than a breach of the Snowflake enterprise environment. As such, Snowflake has been encouraging its customers to implement multi-factor authentication.[7]

BEST PRACTICES FOR MITIGATING THIRD PARTY RISK

  • Consider very carefully who you are relying on to handle the PI for which your organization is responsible. Do due diligence on the company being engaged. Obtain information from that entity about their information handling practices but also look for independent validation.
  • Impose restrictions and obligations on the service provider by way of contract to ensure they are protecting the PI in the same way it would be protected when in your custody. And require that these same restrictions and obligations be reflected in any contracts with their own service providers.
  • Monitor the service provider throughout the life of the contract to ensure they are acting appropriately and in accordance with the contract.
  • Identify who in the organization is responsible for off-boarding the service provider at the end of the contract. That person must ensure the information has been securely returned or destroyed.

Footnotes

1. https://decisions.ipc.on.ca/ipc-cipvp/privacy/en/521580/1/document.do

2. https://www.sec.gov/Archives/edgar/data/1335258/000133525824000081/lyv-20240520.htm

3. This proposed legislation (Bill C-27) was introduced in the House of Commons on June 16, 2022 and is currently working its way through the legislative process. The Bill was referred to the Standing Committee on Industry and Technology on April 24, 2023. Since that time, the Committee has received over 100 briefs and heard from approximately 130 witnesses. The Committee is no longer accepting submissions, which suggests the consultation process is coming to an end.

4. https://themarkup.org/series/pixel-hunt

5. The FTC and BetterHelp ultimately resolved the matter by way of a consent agreement that included, among other things, a prohibition on such marketing practices.

6. https://techcrunch.com/2024/05/31/live-nation-confirms-ticketmaster-was-hacked-says-personal-information-stolen-in-data-breach/

7. https://community.snowflake.com/s/question/0D5VI00000Emyl00AB/detecting-and-preventing-unauthorized-user-access

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
