■ Proposed subcontractors should be identified in writing to companies prior to being staffed on an engagement. The company should reserve the right to approve or reject any proposed subcontractors.
■ Vendors should accept responsibility for any subcontractor liability. Liability and confidentiality provisions in the subcontracting agreement should mirror the liability provisions in the professional services agreement.
Scan for Threats
■ Companies should have a provision in agreements with vendors that prohibits vendors from installing any program or code that would enable vendors to access company systems or that would otherwise impair or harm the system.
■ Companies should require that vendors scan any electronic file prior to delivery to companies for any viruses or any program or code designed to disrupt, harm, or otherwise impede company systems.
■ Monitor systems regularly for compliance and any threats. Routinely test systems and facilities for vulnerabilities.
Backup and Disaster Recovery
■ All information should be regularly backed up and securely stored in a remote location. The backup should use strong encryption to protect data. Know where the backup site is and how secure it is. Beware of vendors that use offshore backup facilities, particularly in jurisdictions with limited or nonextant intellectual property, privacy and security laws and regulations. It may be impossible in those jurisdictions to be certain that residual data is actually and completely deleted from local storage. In some cases, local laws may require retention of company data for years after expiration or termination of the vendor agreement.
■ Ensure the data is only transmitted via secure methods.
■ Confidentiality provisions should incorporate all types of information to which companies may potentially provide vendors access.
■ During the term of the agreement, clients should have the right to conduct, or have conducted on their behalf, an audit of vendors’ security measures.
Vendors should warrant that:
■ They have the authority to enter into this agreement, to perform all the services it requires, and to provide all necessary deliverables.
■ They will follow and abide by or, if applicable, maintain and enforce any physical security procedures with respect to the access and maintenance of the client’s data. Vendors should comply with the best industry security practices.
■ They will not make any deceptive claims regarding the privacy or security they provide regarding the data.
- Gramm-Leach-Bliley
- HIPAA Security Rule/HITECH Act
- FFIEC Guidance
- States (e.g., California, Massachusetts, Nevada)
- Identity theft regulations
- Federal Trade Commission Red Flags Rule (a federal law designed to protect against identity theft)
- Vendors will not use, transmit, or make available client data outside of the United States without the client’s prior written authorization.
■ Consider requiring a warranty to reduce risk in vendor remote facilities. Language like the following is typically used:
Vendor represents and warrants that all vendor systems used in providing the services that access customer systems and the data therein shall be configured as follows: (i) all print screen, screen capture, and similar functionality shall be disabled; (ii) no customer data will be cached on vendor systems or transferred to any form of local storage media; (iii) the vendor systems shall not be capable of printing any customer data or other confidential information; (iv) all USB, FireWire, and other similar ports shall be disabled; and (v) all wireless services (e.g., WiFi, Bluetooth) shall be disabled. In addition, vendor shall not permit any recording devices (e.g., cameras, smartphones, audio recorders, video recorders) of any kind in the areas of vendor’s facilities where the systems are located that access and display customer data.
■ Their warranties are not confined to the warranties section of the agreement.
■ Their responses to the due diligence must be true and accurate.
■ Indemnification. Vendors shall indemnify clients from any third-party claims related to the vendors’ breach of confidentiality or its failure to comply with security requirements. That is, the vendor should protect the business from lawsuits and other claims that result from the vendor’s failure to adequately secure its systems.
Limitation of Liability
■ Typically, agreements limit the vendor liability to the amount of fees paid by the client, the total value of the agreement or a particular work order, or to a predetermined amount. There should be carve-outs for:
- Indemnification of the intellectual property.
- Breach of confidentiality.
- Use of client’s name.
- Misappropriation of intellectual property.
■ The company should be able to immediately terminate the agreement due to the vendor’s breach or for compliance failures.
Security Breach Notification
■ The agreement should specify who is responsible upon a breach of security regarding control of the notice to affected parties and the costs.
■ Ensure that vendors have adequate insurance in case of a security breach.
Destruction of Data
■ Ensure that the vendor destroys all data and certifies its destruction, including ensuring that all hardware has been sanitized or wiped clean. Procedures should be set forth for the secure disposal of media no longer needed.
■ Include language in the agreement that vendors shall take all reasonable measures to:
- Secure and defend their systems and facilities from unauthorized access or intrusion.
- Periodically test their systems and facilities for vulnerabilities.
- Immediately report any breaches or potential breaches of security.
■ Cooperate with the client on any regulatory audits or in reviewing information on security policies and procedures.
Information security protections as described in this chapter are important because they protect valuable assets in business. They establish due diligence, protect business reputation, and help companies avoid public embarrassment while minimizing potential liability. Using a three-step approach, including establishing vendor due diligence, contractual protections, and procedures for handling information, companies are able to secure their information.