Oversee Service Providers


Retaining Service Providers


The Safeguards Rule requires you to oversee your service providers. There are four subparts to this requirement. First, you must take reasonable steps to select, and only retain, service providers that are capable of adequately protecting customer data. There are software-based programs that can manage this task. This will require the cooperation of your service providers. If they won’t cooperate, you must find service providers that will.


Written Contract


Second, you must obligate your service providers by written contract to implement the safeguards necessary to protect customer data. This obligation can be baked into the contract itself, be added as an addendum to an existing contract, or be a free-standing Safeguards Agreement, but it must be in writing.


Periodically Assess


Third, you must “periodically assess” your service providers with respect to this obligation. The same software used to vet service providers can support this effort as well.


Monitor


Fourth, you must monitor your service providers on an ongoing basis to verify they are maintaining adequate safeguards. This does not mean “continuous” oversight, but it must be regular. This last obligation is potentially overwhelming. Fortunately, the software we’ve been referencing probably satisfies both the “assessing” and “monitoring” requirements, and accomplishes those tasks inexpensively.