Vendor roles before, during and after data breaches need nailing down

By Ellen Marie Giblin on December 30, 2014

Recent data security breaches of Target, Home Depot and Goodwill, all of which involved a vendor as the point of entry or source of credentials allowing access to the company’s data assets, have highlighted the importance of paying attention in advance of a breach, as well as after one, to vendor contracts. There has been increased focus on whether vendor contracts have provisions that address risk control, allocation, breach response, indemnity and other issues that can arise in the breach context. Once a breach occurs in which vendor vulnerability has a role, increasingly there are demands for recovery from the vendor involved, and at times litigation. Faced with the costs resulting from a data breach, stakeholders in corporate information and risk governance are calling for the vendors’ heads, or their applicable insurance, on a platter.

Clear contractual provisions and a well-structured vendor risk management program can help mitigate these issues at the beginning of the vendor’s service contract. Many issues that arise, and surprise, during the course of a data security breach may be addressed in the drafting of the vendor service contract. Vendors often want to exert control of the agreement and “use its paper” in contract negotiations. A company negotiating with a vendor may not be in control of every aspect of the vendor relationship. However, a company can review each contract along its supply chain for the roles and responsibilities of its vendors and their teams, be clear about the obligations of each party to the contract, and confirm that the company’s contracts with its vendors are consistent with the representations it has made to its customers as well as with the company’s own legal obligations with regard to data security and breach response. Clear and concise contract language as to the respective obligations of the company and its vendor can be an important tool for guiding a vendor and its employees that will be engaged with a company in data security and breach response under the company’s Incident Response Plan in fulfilling their duties.

Set forth below are types of provisions to consider when a company is reviewing a vendor contract.

PRE-BREACH DATA SECURITY PROVISIONS AND PRACTICES

  • Background checks of, and non-disclosure agreements by, the vendor’s employees and subcontractors (including volunteers and interns) with access to the data of an organization or that organization’s customers, and requirements that the vendor provide a copy of its non-disclosure agreement template and background check matrix, by level of exposure to your data, and a certification that all employees managing your data are in compliance with the vendor’s onboarding program.
  • Confirmation that the vendor’s privacy policies and practices are in compliance with the company’s information governance program, and with contract requirements that are present in the company’s customer agreements and privacy policies, and certification of compliance to meet the company’s contractual and legal requirements.
  • Vendor audit of its own data security practices, and consideration of whether it can confirm and provide its compliance and audit certifications and confirm their authenticity before executing the agreement. For example, what type of audits have they completed? Have they confirmed that no material changes have taken place to affect the validity of the certifications?
  • Confirm the vendor will administer privacy and confidentiality training to all employees and subcontractors handling the organization’s personal data and confidential information.
  • Regular assessment of the vendor’s privacy and confidentiality compliance, and assignment of responsibility within the company for this function.
  • Limits on the vendor’s employees’ and any subcontractor’s access to sensitive, employee and personal data, such as Social Security or driver’s license numbers, financial account data (for example, credit card information), financial or medical information profiles, and other highly sensitive information if unauthorized disclosure would cause considerable reputational damage, legal liability and financial loss.
  • An agreed upon process to manage privacy and confidentiality complaints related to the vendor service arrangement, including both a review by the vendor of the company’s Incident Response Plan and a review by the company of the vendor’s incident response plan, with any gap between the two plans addressed.
  • Delineation of the respective roles to be played by the vendor and the company regarding incident management, and a process to resolve any issues or complaints that arise regarding those roles.
  • Provisions specifying which party to the agreement will have control and ownership of the data throughout the lifecycle of the contract.
  • An agreed-upon exit plan to migrate the data out of the vendor’s system if the contract is terminated, with terms and conditions that remain in effect upon termination or expiration of the agreement.
  • Termination assistance services, fees, charges or other compensation, and a provision that the vendor provide and keep updated its incident response contacts and notify the company of any changes in its incident response plan, process and/or procedures.
  • Indemnity provisions as to who controls and pays for incident investigation, response, claims, legal fees and costs.
  • Provisions that the vendor maintain certain insurance that would apply to both its own breach response costs and liabilities, and any obligations of or on behalf of the company that the vendor assumes in the agreement.
  • Consider whether to include subrogation provisions or waiver of rights of subrogation in the event of an incident.

PROVISIONS AS TO VENDOR’S ROLE DURING A BREACH

  • Detection of all incidents that involve the confidentiality, security or integrity of company’s data;
  • Procedures for response and containment of incidents that involve the confidentiality, security or integrity of company’s data;
  • Notification and communication from the vendor promptly and in compliance with contract terms regarding any incident that involves the confidentiality, security or integrity of company’s data, and consider expanding this to include suspected incidents;
  • Delineate the level of coordination the company wants from the vendor in incident response, taking into account the company’s own non-delegable legal duties as well as those of the vendor, and including provisions such as disclosure of all details of each incident that involves the confidentiality, security or integrity of company’s data and the containment and mitigation actions taken to date in accordance with your incident response plan;
  • Request the vendor to report on the current state of its security measures for its data center, networks, servers and SaaS application security. Additional considerations for review include firewalls, digital certificates, security scans, vulnerability assessments, and industry-recognized security certifications; and
  • Consider provisions for company approval of, and interface with, any third party incident responders retained by or on behalf of the vendor, and require vendor cooperation with any third party incident responders retained by the company, such as digital forensics contractors hired to analyze, contain or otherwise conduct forensics on the vendor’s information systems, and with any insurers.

PROVISIONS AND PRACTICES AS TO VENDOR’S ROLE AFTER A BREACH

  • Comply with all contract notice provisions to notify your company in the event of a reportable security incident as defined in the contract;
  • Comply with all applicable country, state and federal security breach notification laws that apply to either the vendor and/or to the company as an entity that owns or maintains personal information;
  • Comply with the company contract and Incident Response Plan and refer all requests for information to the company contact to allow it to manage law and regulatory enforcement, press and customer questions;
  • Contact its insurers to ensure proper and timely notification under its policies, and provide insurance details to the company;
  • Cooperate in the company’s investigation and incident response, and defense of any claims;
  • Promptly pay any amounts owed in the event of a breach to the company;
  • Disclose any known liability or insider act that may have caused or contributed to the breach;
  • Execute on the exit plan for migrating data out of the vendor’s system if the contract is terminated after a breach, considering contract language that addresses:
      • Terms and conditions in effect upon termination or expiration of the agreement;
      • Termination assistance services, fees, charges, or other compensation;
      • Control and ownership of data;
      • Source code disposition, including code escrow for any derivative works created during the contract term; and
      • Specifications, documentation, information, and other assistance necessary to enable the organization to receive services from another provider; and
  • Cooperate in amending the contract to correct any deficiencies found in the company’s or the vendor’s incident response plan.

The percentage of data security incidents involving service providers, consultants and contractors continues to increase. Having a contract with such vendors that clearly speaks to the issues and obligations that arise when preparing for and responding to such incidents is an important part of building a vendor relationship that can withstand and address the issues and pressures of a data security incident. Thus, companies should carefully review their vendor contracts prior to delivering their data assets and providing access to their systems to a new service vendor, and assess whether the contract includes adequate provisions to address the company’s data security and incident response needs, so that the company may rely upon the contract with confidence in a time of crisis.

Good information and risk governance begins with addressing and agreeing upon the essential role of the company and each of its vendors before, during and after a data security incident. Company and vendor relationships and obligations can be mapped out during contract negotiations, with the data breach and data security issues, and compliance with internal, legal and insurer requirements, addressed and accepted. Considering the important role vendors can play in preventing, addressing and reporting data security incidents and reportable breaches, it is well worth thoughtfully drafting and reviewing service and other vendor agreements to address data security and incident response, so that all are aware of and prepared for their roles and responsibilities before, during and after a breach. The due diligence involved in this approach is a wise investment, and one that can benefit companies both as a user of vendors and when the company reverses roles and becomes the vendor, and is then able to make its contract representations and warranties to its customers with confidence that it has the support of well-drafted data security vendor agreements down its supply chain.

Ellen Marie Giblin is Counsel in the Boston office of Edwards Wildman, focusing her practice on global privacy and data protection and data breach response. Ellen is internationally recognized in the area of cybersecurity, privacy, data security, breach response, investigations, and information governance. She can be reached at [email protected]