Data Protection Report - Norton Rose Fulbright

Managing vendor risks includes putting pen to paper. Organizations are increasingly susceptible to risks outside their controlled IT infrastructure as they engage third-party vendors to manage online platforms and process data. Even though an organization may have little to no control over a vendor’s security practices, it bears the ultimate responsibility for safeguarding its own data and systems. Accordingly, an organization’s systems are only as strong as their weakest link.

Below we list key considerations to keep in mind when onboarding vendors in order to mitigate vendor cybersecurity incidents that could impact an organization’s operations, revenue, legal risks and reputation in the marketplace.

Defining Information Security Practices

As a first line of defence, the best way to mitigate vendor breaches is to make sure the vendor is contractually required to maintain strong information security practices and policies that are in line with legal and industry-specific standards. However, with increasingly sophisticated hackers, vendor breaches are becoming more frequent. We list below some best practices for organizations to keep in mind when contracting with vendors.

Data retention. A data retention clause should, at minimum, (a) limit access to data on a need-to-know basis (including by promptly revoking access during employee offboarding); (b) limit use of data to only what is necessary to fulfill the vendor’s obligations; (c) secure the return or deletion of records (including emails) at termination or on request (with an obligation to certify such destruction); and (d) address the preservation of evidence in the event of a cybersecurity incident (investigative reports, logs, etc.).

Data breach notification. Vendors should be required to alert the organization to an actual or suspected incident involving its data (including personal information) in a timely manner, even absent a legal obligation to do so. The notices should be detailed enough to allow the organization to take appropriate steps to mitigate impacts and comply with its legal obligations (e.g. types of data [including personal information] involved, approximate number of affected individuals, and details regarding the investigation and any remedial steps taken).

Security controls. The types and degree of physical, technical, organizational and administrative measures that are contractually mandated should be tailored to the sensitivity of the data involved and the method of transfer. Examples of sensitive information that attract more stringent security safeguards include financial information, health information, reputationally sensitive information, social insurance numbers, trade secrets and confidential commercial information.

Further, where emails are primarily used to transfer data, it is advisable to require multi-factor authentication, regular phishing simulations, geo-blocking of sign-ons from jurisdictions where offices or employees are not located, and the disabling of legacy protocols that could be used by third parties to download mailbox contents (a common point of access in cases of business email compromise).

As a general practice note, organizations should avoid broad terms that might create ambiguity in contractual interpretation (e.g. “reasonable measures,” “sufficient controls,” “best practices” and “undue risk”) and use quantifiable and recognized security standards instead (e.g. PCI DSS, NIST and ISO 27002).

Restricting Sub-Processors

It is not uncommon for vendors to use third parties, or sub-processors, to assist in carrying out the vendor’s data processing obligations.

Given that vendors enter into separate agreements with sub-processors to which the organization is not a party, the organization’s agreement with the vendor should address whether (a) sub-processors are bound by the same or similar security and confidentiality obligations as the vendor; (b) data is leaving the province or country (which may trigger additional consent obligations); (c) there are any risks involved in the data transfer (e.g. where access to data may be subject to the laws of a foreign jurisdiction); and (d) liability has been appropriately allocated in the event of a breach in the sub-processing arrangement.

Similar considerations apply when vendors use sub-contractors that will have access to confidential or proprietary information of the organization.

Setting out Liability and Indemnification

A standard “liability cap” limits a party’s liability to a specified amount of fees paid under the contract or some other monetary amount. Costs incurred in responding to a cybersecurity incident can be astronomical.

Consequently, organizations should consider negotiating a higher cap or an exception to the standard liability cap for breaches of confidentiality, privacy and security incidents of the vendor if they wish to potentially recover costs such as legal fees, forensic investigation and remedial fees, and ransom payments. It is also advisable to require the vendor to maintain adequate insurance to fund these potential liabilities.

Concluding Remarks

While there is no “one size fits all” when it comes to mitigating vendor risks in contracts, the above-noted considerations are a good starting point. Risk tolerance will vary between organizations, so parties are encouraged to consult with counsel to ensure that risks are appropriately allocated and mitigated depending on the specific contract.

The authors would like to thank Katie Helou for her help in preparing this blog post.