Any company that uses a service provider should strongly consider including data security protections in the service agreement if the service provider has access to the personal information about the company’s employees or customers, such as social security numbers, etc.  A company’s failure to insist upon data security protections could expose the company to significant liability. At a minimum, the company’s agreement with the service provider should require the service provider to: (i) meet the industry standard of care related to protecting the personal information, (ii) maintain minimum security safeguards, and (iii) have a notice and incident response plan in the event of a breach. Even with adequate protections in place, companies should consider purchasing cyber insurance. Cyber insurance policies differ dramatically in terms of what  they  cover,  what  they  exclude,  and  the  amount  of retentions.  Strongly consider having your policy reviewed by someone with knowledge in the area.