Fact is that data privacy and security laws primarily hold the data controller responsible for compliance – i.e., the customer in a service provider relationship. The customer has to ensure that the data made available to the service provider has been collected in compliance with privacy laws, data subjects have consented or received notice, filings have been made, etc.
The service provider – as the data processor - has typically only three duties under data privacy laws: to follow its customer’s instructions, keep the data secure against unauthorized access and notify the customer if data security is breached. Therefore, it is important for customer and service provider to reach a reasonable agreement about what level of security is appropriate for particular types of data and who should be doing what.
For example, if a customer hires a service provider to store archival statistical data, music files or strongly encrypted information in the cloud, it may not be necessary for the service provider to invest heavily in security features because unauthorized disclosure of such data would not typically harm the data subjects.
On the other hand, back-up copies of credit card transaction information should be very carefully guarded (and this should be reflected in the cloud services agreement) because such information is actively pursued by hackers to steal identities and commit fraud.
Data in a CRM, HRIS or data storage solution can also include highly sensitive information (e.g., US social security numbers, a primary target for identity thieves and hackers) and should be adequately protected even though most of the data typically stored in HRIS or CRM systems is of little or no interest to hackers.