A company can improve efficiency and reduce costs by outsourcing certain activities to third-party vendors. However, recent events have highlighted the substantial risks and potential liability that may arise when a company gives vendors access to its sensitive data or even its systems that handle such data. Companies of all sizes in all industries may be held accountable for vendor acts or omissions that cause or contribute to a data security incident. With that in mind, below are some practical strategies for mitigating and managing vendors and data-related risks.
Conduct Due Diligence
A company should, at a minimum, take the following steps as part of its due diligence regarding its data and its vendors:
Know the data. A company should conduct an internal audit to gain a thorough knowledge of the data that will be transferred to the vendor.
Understand the privacy and security laws. Federal and state data privacy and security laws and regulations may apply to a company’s data. Additionally, if the data is being transferred between states or between countries, or involves data regarding an individual from another state or country, many jurisdictions’ laws may be implicated. A company must pay particular attention to prerequisites related to international transfers of data.
Ask questions. Obtain a full understanding regarding what a vendor will be doing with the data and the scope and depth of processing activities they will be undertaking.
Identify potential internal and external threats that may permit unauthorized disclosure, misuse, alteration, or destruction of sensitive data, even for vendors whose functions do not necessarily involve direct access to such data. Additionally, determine what a vendor has done or may be doing to address cyber threats, particularly if the vendor will be gaining access to a company’s networks or systems. From a company standpoint, carefully consider walling off a vendor’s access so that only necessary and nonsensitive data can be accessed by the vendor, if appropriate.
Conduct due diligence before hiring the vendor. In doing so, carefully document the due diligence process. As part of the due diligence process, request the following information from the potential vendor:
- References and experience.
- Financial information.
- Security expertise of its personnel.
- Background checks on its personnel, if required by applicable law.
- Specific means and methods used to protect data, including privacy and security policies.
- Any past privacy or security-related complaints or investigations.
- Audit reports of security testing by your company or independent third parties.
- Security incident response policies, including assurances that security incidents will be communicated promptly if systems or data are potentially compromised.
- Contractual assurances regarding security responsibilities and controls.
- Nondisclosure agreements covering company systems and data.
Use Strong Contracts
The vendor contract is a critical component of managing risks associated with sensitive data. Certain laws like HIPAA and the Gramm-Leach-Bliley Act (GLBA) even impose specific requirements for vendor contracts. But regardless of whether any specific laws or regulations apply to the data at issue, a vendor contract should address the following issues:
Ownership and control of the data. Even when data transfer is involved, the company’s data should remain the exclusive property of the company. The vendor should be required to comply with any request regarding handling of the transferred data and precluded from obtaining or asserting any lien against the data.
Privacy. The vendor should be prohibited from using data except as required to carry out the contract and kept from disclosing the data without the company’s prior written consent.
Compliance. The vendor should warrant and represent that it will handle the data in compliance with all applicable data privacy and security laws and regulations, not to mention the customer’s internal policies.
Security controls. Assurances of adequate administrative, technical, and procedural access controls should be included. The vendor should be responsible for providing environmental, safety, facility procedures, and other safeguards related to the data while in its possession or control.
Breach notification and incident response. The contract should call for immediate notification of any actual, suspected, or attempted data breach and require full cooperation with any investigation or response to an incident.
Indemnification. The vendor should agree to defend, indemnify, and hold harmless its customer for any breach involving data in the vendor’s possession or control.
Termination. The contract should have an effective mechanism for the company to terminate it and to quickly gain control of all sensitive data provided or made available to the vendor.
Insurance Considerations
Adequate insurance also is a must for vendors. Whether the vendor’s insurance coverage is appropriate and effective to cover potential electronic data mishaps are important determinations.
Disputes continue to arise as to whether standard business insurance policies, such as commercial general liability (CGL) and commercial liability umbrella (CLU), provide any type of coverage for mishaps involving electronic data. Many disputes have arisen with regard to Coverage B, “Personal and Advertising Injury Liability,” under general liability policies. But businesses probably should be more skeptical of coverage under such policies now, given recent developments.
For example, for ISO standard CGL and CLU policies purchased or renewed after May 1, 2014, businesses should check for new endorsements that specifically exclude from coverage damages that typically arise out of a data breach. ISO sought and obtained approval for these new endorsements back in 2013, but the rollout date was May 1, 2014. (Some insurers, of course, may have been incorporating similar exclusions into CGL and CLU policies prior to that date.)
A breach affected by these exclusions may involve not only access to or disclosure of an individual’s financial information, credit card information, health information, or other type of nonpublic information, but also confidential business information such as patents, trade secrets, and customer lists. Therefore, a business should evaluate the potential need for a vendor to obtain different or supplemental insurance coverage that will permit risk transfer in the event of losses associated with a breach. This is true even as to vendors whose roles may not specifically relate to the gathering, transmitting, or storing of sensitive data. As one recent megabreach taught us, vendors (an HVAC company, for example) can inadvertently provide access to a business’ networks and sensitive data.
Beyond general liability, other types of business insurance policies (E&O, D&O, crime, and EPL) may incorporate some cyber coverage for certain types of losses, if bargained for by the insured. But, ultimately, it is questionable whether even this coverage could be adequate to fully indemnify a vendor’s customer against the wide range of risks presented by a data breach caused by the vendor. Any business working with a data-related vendor should not operate under an assumption that just because the vendor is in a specialized business, the vendor’s insurance coverage will serve as sufficient protection to the customer if the vendor fails to live up to its obligations to protect the customer’s data.
Now more than ever, companies must take effective steps to manage vendors that have access to sensitive data or systems where such data is stored. This includes conducting due diligence, negotiating appropriate contracts, monitoring the vendor’s activities, and ensuring adequate insurance has been obtained.