With an array of state and federal laws regulating data breaches, organizations face more expansive compliance obligations in the fight against data breaches than ever before. But in the modern world, no organization is an island. Reliance on contractors multiplies the surface area of entry for breaches, and though organizations may not have a direct hand in the data securities policies in place with their service providers, they still bear the brunt when personal data is stolen as a result of mishandling.
Law firm Mayer Brown recently addressed the discipline required to keep service providers in check when it comes to this threat. In a webinar titled “Contracting for Cybersecurity and Privacy Protections,” which brought together partners Brad Peterson and Paul Roy, the firm illustrated not only the high level of risk associated with “contractors gone wild,” but also offered practical tips to keep them in check.
The session began with an outline of what organizations risk when their data security requirements do not align with those of their contractors and suppliers. As noted by Peterson, “You cannot outsource cyber and security risks to a third party, the data-owner owns the risk. … Damage to your brand and reputation, stress for decision makers and regulations, securities suits and class actions from consumers are all potential ramifications of a risk.”
The group also noted that evolving law in the European Union, such as the recent invalidation of the Safe Harbor agreement, puts a further onus on data owners to lock down the way data transfer is managed within their contractor network. Evolving technologies like Big Data analysis also make the area more complicated. Contractors may have stipulations pre-packaged in their client agreements that allow them to glean insight from the data they’re provided.
“These tools allow suppliers to create insight from their information. Big Data usage may not violate any of the traditional terms, because it requires use of data rather than disclosure,” Roy pointed out.
The risks of data security misalignment are well documented by breaches, and as noted by Verizon’s Data Breach Investigation report, as many as 70 percent of threatened or actual data breaches where the motive was known occurred as a way to gain access to a secondary target. In light of this fact, organizations that rely heavily on a network of contractors and subcontractors would do well to more actively manage those relationships.
First and foremost, it’s critical for organizations to have written plans that address the potential data risks and map out the response that will come after a breach has been identified. Past that, however, Roy and Peterson suggest that the appropriate steps to address risks associated with contractors shake out from three primary buckets.
1. Selecting secure suppliers
- All organizations are unique and therefore have specific compliance challenges and goals. Determine what data will be accessed by the supplier and categorize it by sensitivity and risk. Before engaging in a relationship, send potential suppliers questionnaires appropriate to the information they will have access to. This should address things like current technology implementation, access rights and notifications policies.
- Identify the gaps between your standards and the suppliers proposed actions. In this way organizations can identify gaps and negotiate agreements to address those gaps.
- Lean on third parties to audit the responses and track records of potential suppliers, and make decisions based on their findings.
2. Negotiating necessary contract terms
- According to Roy and Peterson, the verbiage of contract negotiation is matters (or commitments), options and protections. Commitments are service provider promises to comply with certain steps, options are available service additions that can be employed by clients—sometimes at an additional cost—that can provide better oversight, and protections are agreed upon standards that must be employed to proceed with the relationship.
- Within those tiers of a service agreement, clients should require the supplier have internal measures that coalesce with their own data security, such as restricting subcontractor access to data.
- Require background checks for those who may have access to data.
- Consider working in verbiage where possible that shifts some liability to the contractor; for example, requiring them to pay for credit monitoring or regulatory fines in the event of a breach.
- Ensure that contractors meet a minimum bar relative to security standards and best practices surrounding encryption, storage, and access.
3. Governing contract to ensure compliance
- Employ a team of cybersecurity specialists to oversee the management of data both internally and externally.
- Require that contractors regularly audit their data security efforts.
- Consider the maintenance of data maps, which allow organizations to determine which areas of your system are accessible by outside parties.
- Consider the constant evolution of data security laws and regulatory obligations, and update both your internal standards and those of contractors.
As Peterson said at the conclusion of the webinar, “Contracting for cybersecurity is a critical component to your security and needs to be done in a way that considers new risks. It begins by knowing your company’s requirements and finding suppliers that fit those needs, negotiating the terms, and then managing those relationships.”
Reprinted with permission from the October 22, 2015 edition of Legaltech News © 2015 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited.