Don't Be the Next Headline; Key Contractual Provisions to Reduce the Risk of Vendor-Related Data Breaches by Judy Selby

23/09/2014 07:04
The risk of data breach may not be on the radar screen of an entity engaged in contract negotiations with vendors who, in the course of their work, will have access to or possession of the entity’s confidential data. But addressing data breach concerns before the contract is signed --when the entity may have the most leverage -- can pay big dividends should a breach involving the vendor occur. Here are some of the key issues entities generally should consider to protect themselves before and at the time of vendor contracting. Of course, industry-specific laws, regulations and standards also should be carefully considered.
Pre-contracting due diligence: Entities should conduct thorough technical due diligence to assess a prospective vendor’s security infrastructure, environment and practices. This issue was at the very heart of the Target data breach. Security issues can be exposed up front, and vendors that are not up to the job can be disqualified. Note that healthcare providers may need to enter into Business Associate Agreements with prospective vendors during this stage.

Data ownership: The contract should specify who owns the data, particularly if the data is to be stored in the cloud.

Data exportation: The vendor should be required to promptly return or destroy all data in the vendor’s possession at any time upon request and upon contract termination. The entity may want to require an application programming interface to export data independently.

Third-party verifications: The entity should consider obtaining confirmation of third-party reviews of the vendor’s system infrastructure and environment, which can be attached to and incorporated into the contract. The standard to be employed depends on the nature of the vendor services.

Other security considerations: Depending on the circumstances, the following security considerations may need to be addressed: encryption of data in transit and at rest, encryption of web-facing applications, vendor application of up-to-date security patches, physical security of the data center, and background checks on employees with access to the confidential data.

Security incident and breach notification: Vendors should be required to provide prompt notice of all security incidents and breaches involving the entity’s data. The entity should control the response to the security incident, including the decision as to whether notifications are required. In addition, the entity should be permitted to investigate the breach either on-site or remotely.

Compliance with laws: Entities should consider requiring the vendor to agree to comply with all applicable information security and privacy laws, such as HIPAA, HITECH, Massachusetts Standard for the Protection of Personal Information of the Commonwealth, and EU Protection of Personal Data Directive.

Subcontractors: At a minimum, the entity should require notification of, or the right to approve, the use of any third parties providing services supporting the vendor's obligations under the contract.

Location of the data: Geographical location of the data must be indicated in order for the entity to assure compliance with data import/export regulations and local laws and to avoid unintended personal jurisdiction ramifications.

Monitoring rights: The entity must have the right to monitor and/or audit the vendor’s performance, including the ability to allow the entity’s auditors to conduct on-site reviews.

Governmental and third-party requests: The vendor must immediately notify the entity of all requests for disclosure of data by any party, including law enforcement or other government representatives, and give the entity control over the response.

Service level agreements: The entity may require uptime guarantees with monetary credits for failure to meet requirements. Scheduled maintenance windows should take place during periods of minimal disruption.

Indemnity and cyber insurance: A key consideration for any entity is requiring indemnity for harm caused to third parties by the vendor's breach of confidentiality obligations, data security or privacy requirements, or noncompliance with laws. Entities also should require vendors to have adequate cyber insurance covering both data loss and data breach response. This creates greater assurance that a major data breach won’t bankrupt the vendor, and increases the likelihood that the vendor will be able to fulfill contractual obligations for financial compensation.

Business continuity/disaster recovery: The entity should vet the vendor’s business continuity and disaster recovery plans, which may be attached and incorporated into the contract.

Suspension of services: Particularly for critical applications, the entity should require sufficient notification, with time to cure, before the vendor may suspend services for any breach of contract.

Dispute resolution: Arbitration may provide the most efficient and cost-effective means to resolve disputes arising under the vendor agreement. Nevertheless, entities should carve out the right to seek immediate judicial relief for breaches of confidentiality or intellectual property rights.