Lessons Learned… Consider Indemnification Provisions for Vendor and Third Party Service Providers

Our client, a company that provides care coordination services, had signed an agreement with a bank for the bank to provide a lock box service for payments from the company’s customers, primarily insurers and third party administrators. When the company was informed by the bank that there was a security incident involving the lock box, it also learned that the lock box service had been outsourced to a third party vendor. The company called Mateer Harbert for help in handling its response to the security incident.


What happened?

The lock box was used for company customers to send in payments for services rendered by the company. The lock box vendor processed the payments and captured payment data for the items received in the lock box. When the lock box vendor experienced a security incident, all information on the customer’s checks was potentially exposed, as was all information about individual service recipients that accompanied the payments, including names, dates of treatment, possible diagnosis, and the like.

Our Response

The Mateer Harbert team immediately jumped into action by helping the company work through the extensive information provided by the bank and lock box vendor and formulate a plan of action. We negotiated with the bank’s attorneys on the content and timing of communications to affected individuals and assisted the company in responding to questions and concerns of its customers. We also assisted the company in evaluating their insurance coverage and options and coordinated with the company’s cyber liability insurance carrier.

Lessons Learned

It is imperative to learn from these types of unexpected data breach scenarios. Businesses should consider taking the following preventative steps, particularly when it applies to any sort of service involving personal information/data:

  • Ask vendors about any third party relationships that could involve your confidential information prior to signing contracts.
  • In the event third party relationships are in place, require adequate information security measures and cyber liability insurance on the part of the vendor and any third party to whom the vendor entrusts your confidential information.
  • Consider including an indemnification provision, requiring the vendor to indemnify and defend you from any liability you incur as a result of the vendor or third party.

Identifying and addressing third party issues up front and before signing any contractual agreement are imperative today. At Mateer Harbert, one of our objectives is to work with our clients to address these possible contractual issues prior to embarking on the final signature. Don’t ever forget that old saying by Ben Franklin, “an ounce of prevention is worth a pound of cure.”

Shareholder Mary A. Edenfield provides legal counsel and strategic advice regarding healthcare, labor and employment, and technology law issues. She can be reached at (407) 425-9044, or by email at [email protected].

This blog and these materials are not intended to provide legal advice.  They do not represent the legal opinions of the firm, nor should they be regarded as the legal positions of any client of the law firm of Mateer Harbert, P.A. They are provided for general informational purposes only.  These materials should not be used as a substitute for the advice of qualified legal counsel.

Share and Enjoy !