Retaining Service Providers
The Safeguards Rule requires you to oversee your service providers. There are four subparts to this requirement. First, you must take reasonable steps to select, and retain only, service providers that are capable of adequately protecting customer data. There are software-based programs that can manage this task. This will require the cooperation of your service providers. If they won’t cooperate, you must find service providers that will.
Second, you must obligate your service providers by written contract to implement the safeguards necessary to protect customer data. This obligation can be baked into the contract itself, be added as an addendum to an existing contract, or be a free-standing Safeguards Agreement, but it must be in writing.
Third, you must “periodically assess” your service providers with respect to this obligation. The same software used to vet service providers can support this effort as well.
Fourth, you must monitor your service providers on an ongoing basis to verify they are maintaining adequate safeguards. This does not mean “continuous” oversight, but it must be regular. This last obligation is potentially overwhelming. Fortunately, the software we’ve been referencing probably satisfies both the “assessing” and “monitoring” requirements, and accomplishes those tasks inexpensively.