In this article, we provide information about cybersecurity and independent contractors (ICs), as well as how to reduce the risk of legal liability stemming from your use of ICs. But first, we’ll take a look at a recent example of FTC enforcement against a company for lax cybersecurity – to preview the potential risk insufficient cybersecurity poses to businesses.
FTC Enforcement for Lax Cybersecurity
The Federal Trade Commission (FTC) recently published a press release regarding the action against CafePress, an online customized merchandise platform. The action relates to CafePress’ failure to implement reasonable security measures and its less-than-diligent response to the breach, including trying to conceal the incident.
The Case Against CafePress
Here’s a quick summary of some of CafePress’ failures:
- Sensitive and personal information was stored on its network in clear readable text (that is, it was not encrypted). The information included Social Security numbers and password reset answers, as well as names, email addresses, physical addresses, security questions and answers, and partial credit card numbers.
- Networks were not adequately secured, allowing hackers to access millions of users’ data. Some of this information was later found for sale on the Dark Web.
- CafePress did not investigate the breach for several months after becoming aware of it.
- Users were asked to update their passwords as part of an update to a password policy, instead of being told about the breach.
- Users whose accounts were hacked were charged a $25 ‘account closure fee’ for mandatory account closures following the breach.
As part of the settlement, CafePress will implement stronger security measures and pay $500,000 in redress to consumers whose data was breached.
FTC Guidance for Businesses that Collect and Store Personal and Sensitive Information
Helpfully, the FTC has put together guidance for businesses that collect and store personal and sensitive information. The guidance contains 10 key tips to address common vulnerabilities. The document also outlines practical information to help businesses reduce the risk these vulnerabilities pose.
Implementing Cybersecurity for Independent Contractors
What the guidance doesn’t address is how to balance data security requirements and best practices with the stringent AB-5 test for independent contractors in California.
To be classified as an independent contractor, individuals must be free from the control and direction of the hiring entity, among other things. Yet hiring entities need to ensure any personal information they share with independent contractors is protected. So, how can they achieve that without exercising an impermissible level of control?
Independent Contractor Test Compliance in California
First, consider whether the independent contractor you’re hiring falls under the ABC test laid out under AB 5 (find more information on the test), or if they are subject to any of the professions excluded from AB5.
If excluded from AB5, the test to determine whether they are an independent contractor or an employee is less stringent. If you’re uncertain, you should work with an employment attorney to determine the correct classification of a worker.
Minimum Security Standards for Independent Contractors
If you’re certain the worker is an independent contractor, you can still include security standards in the independent contractor agreement. At a minimum, we recommend requiring the independent contractor to:
- Use a VPN while undertaking work for your company, particularly when accessing personal or sensitive information.
- Avoid downloading any personal or sensitive information to their device, wherever possible. You should also outline that any personal or sensitive information they do download must be deleted or destroyed when no longer necessary and in any event no later than when the engagement ends.
- Sign a non-disclosure agreement.
Company-Level Cybersecurity Standards
At the company level, you should implement processes and protections that limit the ability of independent contractors to access or download personal or sensitive information. You should also ensure that independent contractor access to personal or sensitive information is shown in your organizational data mapping.
Additionally, all ‘the usual’ protections should apply to your independent contractors too. At a minimum, you should require:
- two-factor authentication whenever they log in, and
- unique usernames and passwords for every user of your systems.
Additionally, independent contractors should only be provided access to the personal or sensitive information they reasonably need to successfully complete their work, and their access and downloads should be carefully monitored. There should also be systems in place that allow you to revoke access once the engagement ends.
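To make the three controls in this section concrete (access limited to the data a contractor needs, every access and download recorded, and access that lapses when the engagement ends or is revoked), here is an added illustration in Python. It is not code from this article, the FTC, or any real product; the contractor id, dataset names and dates are constructed for the example, and the `ContractorAccessBroker` class is a hypothetical design rather than a reference to any existing library.

```python
"""Time-bounded, least-privilege access decisions for independent contractors.

Added example. Every request is decided against the contractor's engagement
record and written to an audit log whether it is allowed or denied, so
downloads and out-of-scope attempts are visible to whoever monitors access.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Engagement:
    """One contractor's engagement: which datasets they may touch and until when."""
    contractor_id: str
    allowed_datasets: frozenset   # least privilege: only the named datasets
    ends_at: datetime             # access lapses automatically at engagement end
    may_download: bool = False    # downloads are off unless explicitly justified
    revoked: bool = False         # set by offboarding when the engagement ends early


class ContractorAccessBroker:
    """Decides contractor access requests and records every decision."""

    def __init__(self) -> None:
        self._engagements: dict[str, Engagement] = {}
        self.audit_log: list[dict] = []   # one entry per request, allowed or not

    def grant(self, engagement: Engagement) -> None:
        self._engagements[engagement.contractor_id] = engagement

    def revoke(self, contractor_id: str) -> None:
        """Offboarding hook: revoke immediately instead of waiting for ends_at."""
        engagement = self._engagements.get(contractor_id)
        if engagement is not None:
            engagement.revoked = True

    def request(self, contractor_id: str, dataset: str, action: str, now: datetime) -> bool:
        """Return True only if every condition holds; log the outcome either way."""
        engagement = self._engagements.get(contractor_id)
        if engagement is None:
            reason = "unknown contractor"
        elif engagement.revoked:
            reason = "access revoked"
        elif now >= engagement.ends_at:
            reason = "engagement ended"
        elif dataset not in engagement.allowed_datasets:
            reason = "dataset outside engagement scope"
        elif action not in ("read", "download"):
            reason = "unsupported action"
        elif action == "download" and not engagement.may_download:
            reason = "download not permitted"
        else:
            reason = "ok"
        allowed = reason == "ok"
        self.audit_log.append({
            "at": now.isoformat(),
            "contractor": contractor_id,
            "dataset": dataset,
            "action": action,
            "allowed": allowed,
            "reason": reason,
        })
        return allowed

    def denied_events(self) -> list[dict]:
        """Denied requests are the ones a reviewer should look at first."""
        return [entry for entry in self.audit_log if not entry["allowed"]]


def demo() -> dict:
    """Walk one constructed engagement through the common cases."""
    broker = ContractorAccessBroker()
    # Constructed sample: a support contractor scoped to ticket data until 1 July 2024.
    broker.grant(Engagement(
        contractor_id="ic-0421",
        allowed_datasets=frozenset({"support_tickets"}),
        ends_at=datetime(2024, 7, 1, tzinfo=timezone.utc),
    ))
    during = datetime(2024, 6, 15, tzinfo=timezone.utc)
    after = datetime(2024, 7, 2, tzinfo=timezone.utc)

    results = [
        broker.request("ic-0421", "support_tickets", "read", during),      # in scope
        broker.request("ic-0421", "customer_pii", "read", during),         # out of scope
        broker.request("ic-0421", "support_tickets", "download", during),  # download not permitted
        broker.request("ic-0421", "support_tickets", "read", after),       # engagement ended
    ]
    broker.revoke("ic-0421")   # engagement terminated early
    results.append(broker.request("ic-0421", "support_tickets", "read", during))

    return {"results": results, "logged": len(broker.audit_log),
            "denied": len(broker.denied_events())}


if __name__ == "__main__":
    print(demo())
```

The broker checks revocation and the end date before it looks at scope, so a contractor whose engagement has lapsed is refused even for data they were previously allowed to see. Denials are logged with a reason rather than silently dropped, which is what makes the "carefully monitored" part of the recommendation possible in practice.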
If you need help managing your cybersecurity obligations, reach out. Our privacy attorneys would love to assist you.
The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.