October 19, 2015 How To

Protect sensitive data used by third-party vendors

Outsourcing to third-party vendors has become a significant cost control strategy for businesses — one that also comes with significant monetary and reputational risk. The public sector, information sector (e.g., telecommunications, data processing and publishing industries) and financial services industry are the top three business sectors most affected by information security incidents, according to Verizon's “2015 Data Breach Investigations Report.”

With the average cost of a data breach reaching $3.79 million last year, according to the Traverse City, Mich.-based Ponemon Institute, it is critical to manage information security risk when outsourcing business operations.

Negotiating information security protections and response protocols up front is critical to your financial and reputational well-being. While allocating risk and liability for incidents often requires compromise, the following outlines some of the key considerations and contractual provisions that should be addressed in outsourcing arrangements.

Before a contract is signed, you should perform appropriate due diligence on any vendor that will have access to your most sensitive data. Create a questionnaire that addresses areas of risk, including information security policies, security controls and data destruction procedures.

Vendors should contractually commit to maintain a comprehensive written information security program addressing the administrative, technical and physical safeguards and controls they will use to protect your sensitive data.

Who is responsible for the costs associated with procedural or technological changes required of vendors as a result of changes to privacy or data security laws? These costs can be significant. If possible, allocate responsibility in the contract.

You should also try to get contractual commitments from vendors to comply with your business' information security policies and procedures. Vendors may push back, contending that it is either impractical or too costly. Be prepared for this by vetting prospective vendors' information security policies and procedures to identify gaps between theirs and yours. These can be addressed during contract negotiations.

Vendors should be restricted to accessing, storing, processing, or transmitting personal information only in jurisdictions authorized by your contract. They should be required to perform background checks on all employee and non-employee personnel who will have access to your data, to screen out anyone who has been convicted of or pled guilty to a crime involving breach of trust. All personal information stored or transmitted by vendors should be encrypted, both in transit and at rest, using current industry-standard algorithms and key management practices; a contract that says only "encrypted" leaves the vendor free to choose weak or outdated methods.

Vendors should be contractually obligated to notify you promptly, within a defined timeframe, in the event of an actual or suspected data breach. Even if a breach occurs that does not involve your data, you should be notified, as it can point to deficiencies in the vendor's information security policies that should be remedied. The contract should grant you and, if applicable, your regulators, broad rights to audit the vendor's information security practices and controls; consider also a requirement for vendors to undergo periodic third-party audits. You should have the right to terminate vendor contracts if they are not protecting your data as stipulated. Termination rights should not be dependent on an actual data breach.

The contract should specify that you have the right to control all customer-facing aspects of any breach involving personal information entrusted to you, including notifications to affected individuals, regulatory authorities, and credit bureaus.

Vendors should be required to reimburse you for all costs related to a data breach for which they are responsible. Most will insist on negotiating a cap or argue for a negligence standard of liability, or no liability if they were in compliance with information security requirements dictated by the contract at the time of the breach.

By performing due diligence on prospective vendors and negotiating these and other protective measures and response protocols into your outsourcing contracts, you'll save yourself significant costs and headaches.

Josh Silver is a lawyer at Bernstein Shur in Portland. He can be reached at jsilver@bernsteinshur.com