Last Christmas’ data breaches at Target—one of the nation’s largest retailers—provided a painful lesson on the damage a data security breaches can do to consumer confidence and good. And Target was not alone. It joined Neiman Marcus and a growing list of other retailers who have experienced data loss, including a widely reported breach of more than 45 million T.J.Maxx and Marshalls customers in 2007.
Nor are data breaches isolated to the retail environment. This phenomenon has also hit financial institutions, marketing aggregators, and even bellwethers of the information technology sector. The question now becomes how all businesses can better shape their information technology services for greater security and increased consumer confidence.
Contracting With Third-Party Information Service Providers
Today, one of the factors complicating corporate data security is more use of—and trust in—third-party service provider who deliver (perceived) expertise in information management. Outsourcing is not going away, especially with today’s ongoing stream of technological advancements. To make sure their outsourcing relationships do not increase the chance of getting hacked, companies need to proactively negotiate terms related to data security and maintain the same level of governance externally as they do internally. And, by making sure the right contract terms are in place, an organization can even respond more quickly and effectively should they end up with facing an unexpected data breach.
Companies can begin protecting themselves by seeking increased clarity in the sourcing agreements they negotiate. While ambiguity breeds disputes, commitment to clarity eliminates questions about responsibility when events—as they always do —deviate from expectations. The specific terms in outsourcing contract where clarity matters involve operations, governance, and incident response.
Operations and the Outsourcing Agreement
First and foremost, an organization should require its outsourcing provider to maintain operational standards that are, at a minimum, consistent with those used within the organization. This may seem an obvious way to mitigate data security risks, but it is a requirement that organizations often overlook. Also consider these additional operational issues when negotiating an outsourcing agreement.
- Incorporate the organization’s minimum data management requirements into outsource contracts.
Perhaps most fundamental for a customer seeking to source data management is demanding adequate physical and electronic security of its data. Many organizations have invested significantly in defining the minimum requirements of the systems managing their data. This can include:
- The physical requirements of data centers
- Definition of control groups that have access to certain types of data
- User management policies
- The types of information that must be stored in encrypted form
- Minimum requirements that are expected of employees working with the organization’s data.
Yet, when it comes time to negotiate the confines of a sourcing agreement, organizations often ignore or throw aside those policies. Given that these requirements have often already been reduced to paper within an organization, translating those requirements into concrete contractual baselines for the vendor is often less complex than other potential disputed contractual terms. Further, incorporating these requirements up front often provides clarity and continuity in service delivery. At a minimum, companies should avoid diluting their own data security standards simply by entering into a sourcing agreement.
Insist on compliance with already-defined regulations
Beyond expressly laying out the data management requirements, insisting on compliance with internal, regulatory or industry best practices can be an essential component in contract design. At a minimum, customers should expressly require its providers to adhere to the growing myriad of state, federal, and international data privacy regulations. Note: this should be the floor, not the aspiration.
Other options include insistence on compliance with industry best practices: ISO 27001 and ISO 27002, PCI Data Security Standard, or the Control Objectives for Information and related Technology (COBIT) standards to name a few. Although these standards are inherently limited given their lack of flexibility or specificity to a particular organization, they nonetheless can provide a baseline for organizations that do not themselves have a mature security policy and also provide a reference point that will evolve independent of the contract as industry expectations change.
Define data ownership and levels of access
At a minimum, a customer of outsourcing agreements should demand that data remains its own and that vendors designate it as confidential. Establishing this requirement creates an operational framework for how the provider interacts with the data. Within that framework, customers should insist on contractual terms that clearly define where the data geographically resides and who can access or manipulate the data.
Companies should also seek to limit providers’ ability to pass data to third parties as each step the data moves away from the original source limits the control and can introduce unexpected or undesirable regulatory issues when the data passes from one jurisdiction to another. To the extent data must pass to third parties, outsourcing customers ought to demand approval, transparency, consistency in compliance with the original agreement, and culpability of the provider for the actions of its sub-contractors.
Governance and the Outsourcing Agreement
Few areas are more important to the success of outsourcing relationships than a robust governance regime. Without adequate oversight, corporations gain exposure to business disruption, legal liability, and a loss of customer goodwill. Sustainable governance stretches beyond merely defining visibility within each outsourcing contract; it requires constantly engaging the stakeholders on the importance of implementing and enforcing existing governance tools. Consider the following in order to provide a clear, well defined governance structure:
- Identify the governance team
Before negotiating an outsourcing agreement, it is important for a potential customer to understand who it will lean upon to guide the ship. Defining a consistent and stable governance team will help the organization through each phase of the outsourcing relationship. Often, this governance team should span across different vendor relationships to ensure consistency in management, oversight, and corporate guidance.
- Require sufficient transparency
A governance team is only as effective as the information it has access to so it can assess the progress of the outsourcing relationship. In the context of data security, the agreement should require that the provider provide transparency in the security policies the provider follows. The governance team must have adequate audit rights that stretch beyond whether a vendor performs specific items in the statement of work—they must also enable the customer to explore adherence to applicable security policies, government regulations, and best practices. The contract should have clearly defined intrusion detection testing protocols, the results of which the vendor regularly provides to the customer’s governance organization. Finally, the team should place a strong focus on performance measurements through clearly defined Service Level Agreements related to areas such as network scanning, security policy management, antivirus management, and backup and recovery.
- Conduct continual vendor risk management
Typically, organizations focus their vendor risk management analysis to pre-contract due diligence periods. But, like any segment of technology, the assumptions can dramatically change as time progresses. By reassessing providers on a regular basis, the governance team will stay engaged in risk mitigation, proactively identify performance gaps, and identify potential exit strategies (and barriers) should the relationship unravel.
Incident Management Strategies and the Outsourcing Agreement
When a breach occurs, it is important that the sourcing agreement clearly delineates what needs to happen and whose has responsibility for taking all required actions. Expediency and clarity can often mean the difference between the organization containing damage or experiencing a public relations spiral. The following will help define roles, responsibilities, and outcomes in the event of a data breach.
- Demand immediate notification of a suspected breach
Outsourcing customers should insist that every outsourcing agreement includes a provision providing immediate notification of all suspected data breaches. Early notification can help the customer control damage, avoid the embarrassment of having a third-party source disclose the breach, and allow the organization to start the ball rolling on meeting its regulatory obligations. In contrast, a lack of early disclosure cripples the customer’s governance operations, inhibits the customer from crafting a response, and potentially exposes the customer to increased legal liability.
- Delineate cost allocation up front
Wrestling with contractual ambiguities about cost allocations in the middle data breach is one of the last things parties want to deal with. These costs can be significant as the organization struggles to shore up systems, compensate impacted individuals, and deal with the loss or interruption of business activity. By committing to clarity at the outset of the contract, the parties can better focus efforts on immediate remediation should a data breach occur.
- Insist on cyber security insurance
Few outsourcing providers can absorb the tremendous potential liability resulting from a data breach—particularly when it impacts large customers with even larger record sets. Negotiating cost allocations becomes largely meaningless when one party collapses under the weight of liability. Ensuring that the agreement contains adequate provisions for coverage of catastrophic events is therefore critically important to controlling risk and recouping losses.
- Be mindful of insurance liability caps
Providers are increasingly insisting on smaller and smaller caps on potential liability—sometimes insisting on a liability cap equivalent to only a few months of fees paid under the contract. Devising exclusions to the cap—for example, if the provider fails to timely provide notification of a breach, hides critical information, or otherwise unnecessarily exacerbates the harm to the customer—will substantially mitigate risk for customers considering outsourcing. At a minimum, customers ought to calculate their potential risk so that, should a large-scale breach occur, they have sufficient external coverage to cover losses that exceed negotiated caps.
- Insist on post-mortem root cause analyses
Customers should insistent upon terms that place clear obligations on the provider to perform, or assist with performing, a post-mortem analysis of each factor that contributed to a lapse in security. Often, hackers will test attacks on a system on a smaller-scale before instituting a large-scale attack. A robust system of detection, response, and analyses of these less severe attacks can help prevent large-scale breaches in the future.
Takeaway: Target Outsource Agreements to Minimize Risks to Data Security
The reality of today’s marketplace and ever-changing technological landscape means that Target will not be the only target of hackers. As a result, organizations across all industries must take proactive steps to prevent and react to data breaches in an effective and meaningful way. As most organizations will likely turn to sourcing providers, it becomes more important than ever to home in on data security when negotiating outsourcing agreements. A good place to start is to clarify terms surrounding operations, governance, and incident management.
The articles on our Website include some of the publications and papers authored by our attorneys, both before and after they joined our firm. The content of these articles should not be taken as legal advice.