Outsourcing to third-party vendors has become a significant cost control strategy for businesses — one that also comes with significant monetary and reputational risk. The public sector, information sector (e.g., telecommunications, data processing and publishing industries) and financial services industry are the top three business sectors most affected by information security incidents, according to Verizon's “2015 Data Breach Investigations Report.”
With the average cost of a data breach reaching $3.79 million last year, according to the Traverse City, Mich.-based Ponemon Institute, it is critical to manage information security risk when outsourcing business operations.
Negotiating information security protections and response protocols up front is critical to your financial and reputational well-being. While allocating risk and liability for incidents often requires compromise, the following outlines some of the key considerations and contractual provisions that should be addressed in outsourcing arrangements.
Before a contract is signed, you should perform appropriate due diligence on any vendor that will have access to your most sensitive data. Create a questionnaire that addresses areas of risk, including information security policies, security controls and data destruction procedures.
Vendors should contractually commit to maintain a comprehensive written information security program addressing the administrative, technical and physical safeguards and controls they will use to protect your sensitive data.
Who is responsible for the costs associated with procedural or technological changes required of vendors as a result of changes to privacy or data security laws? These costs can be significant. If possible, allocate responsibility in the contract.
You should also try to get contractual commitments from vendors to comply with your business' information security policies and procedures. Vendors may push back, contending that it is either impractical or too costly. Be prepared for this by vetting prospective vendors' information security policies and procedures to identify gaps between theirs and yours. These can be addressed during contract negotiations.
Vendors should be restricted to accessing, storing, processing, or transmitting personal information only in jurisdictions authorized by your contract. They should be required to perform background checks on all employee and non-employee personnel who will have access to your data, to screen out those who have been convicted of or pled guilty to a crime involving breach of trust. All personal information stored or transmitted by vendors should be encrypted using the highest industry standards.
Vendors should be contractually obligated to notify you immediately in the event of an actual or suspected data breach. Even if a breach occurs that does not involve your data, you should be notified, as it can point to deficiencies in the vendor's information security policies that should be remedied. The contract should grant you and, if applicable, your regulators, broad rights to audit the vendor's information security practices and controls; consider also a requirement for vendors to undergo periodic third-party audits. You should have the right to terminate vendor contracts if they are not protecting your data as stipulated. Termination rights should not be dependent on an actual data breach.
The contract should specify that you have the right to control all customer-facing aspects of any breach involving your personal information, including notifications to affected individuals, regulatory authorities, and credit bureaus.
Vendors should be required to reimburse you for all costs related to a data breach for which they are responsible. Most will insist on negotiating a cap, argue for a negligence standard of liability, or argue for no liability at all if they were in compliance with the information security requirements dictated by the contract at the time of the breach.
By performing due diligence on prospective vendors and negotiating these and other protective measures and response protocols into your outsourcing contracts, you'll save yourself significant costs and headaches.
Josh Silver is a lawyer at Bernstein Shur in Portland. He can be reached at jsilver@bernsteinshur.com