With an array of state and federal laws regulating data breaches, organizations face more expansive compliance obligations in the fight against data breaches than ever before. But in the modern world, no organization is an island. Reliance on contractors multiplies the surface area of entry for breaches, and though organizations may not have a direct hand in the data security policies in place with their service providers, they still bear the brunt when personal data is stolen as a result of mishandling.
Law firm Mayer Brown recently addressed the discipline required to keep service providers in check when it comes to this threat. In a webinar titled “Contracting for Cybersecurity and Privacy Protections,” which brought together partners Brad Peterson and Paul Roy, the firm illustrated not only the high level of risk associated with “contractors gone wild,” but also offered practical tips to keep them in check.
The session began with an outline of what organizations risk when their data security requirements do not align with those of their contractors and suppliers. As noted by Peterson, “You cannot outsource cyber and security risks to a third party; the data owner owns the risk. … Damage to your brand and reputation, stress for decision makers and regulations, securities suits and class actions from consumers are all potential ramifications of a risk.”
The group also noted that evolving law in the European Union, such as the recent invalidation of the Safe Harbor agreement, puts a further onus on data owners to lock down the way data transfer is managed within their contractor network. Evolving technologies like Big Data analysis also make the area more complicated. Contractors may have stipulations pre-packaged in their client agreements that allow them to glean insight from the data they’re provided.
“These tools allow suppliers to create insight from their information. Big Data usage may not violate any of the traditional terms, because it requires use of data rather than disclosure,” Roy pointed out.
The risks of data security misalignment are well documented by breaches, and as noted by Verizon’s Data Breach Investigation report, as many as 70 percent of threatened or actual data breaches where the motive was known occurred as a way to gain access to a secondary target. In light of this fact, organizations that rely heavily on a network of contractors and subcontractors would do well to more actively manage those relationships.
First and foremost, it’s critical for organizations to have written plans that address the potential data risks and map out the response that will come after a breach has been identified. Past that, however, Roy and Peterson suggest that the appropriate steps to address risks associated with contractors shake out from three primary buckets.
1. Selecting secure suppliers
2. Negotiating necessary contract terms
3. Governing contract to ensure compliance
As Peterson said at the conclusion of the webinar, “Contracting for cybersecurity is a critical component to your security and needs to be done in a way that considers new risks. It begins by knowing your company’s requirements and finding suppliers that fit those needs, negotiating the terms, and then managing those relationships.”
Reprinted with permission from the October 22, 2015 edition of Legaltech News © 2015 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited.