The Commission shall take steps to ensure that the activity of a service provider is conducted in accordance with WSSC policies and procedures designed to detect, prevent and mitigate the risk of identity theft whenever the Commission engages a service provider to perform an activity in connection with one or more covered accounts.

The Commission’s security practices depend on the people who implement them, including third-party contractors and service providers. Before any outsourcing of business functions can occur (i.e., payroll, web hosting, customer call center operations, data processing, or the like), the third party’s data security policies and practices must be reviewed and, where applicable, SAS70 reports obtained. If possible, a site visit to the third party’s facilities should be performed. Security measures appropriate for the type of data the service provider will be handling must be described in the contract with them. The contract must also specify that the third-party contractor or service provider immediately notify the Commission of any security incidents they experience, even if the incidents may not have resulted in an actual compromise of the PII. (GMO 09-01 § VIII)