A Q&A with David Navetta, Founding Partner of Information Law Group
When an organization outsources their computing or allows a third party to retain care, custody and control of their private data, they are exposing themselves to risk. I talked to David Navetta, founding partner of Information Law Group, about the precautions that organizations can take to protect themselves from vendor mishaps.
What cyber risk exposures or legal liabilities should a business worry about when outsourcing to a consultant, partner or cloud provider?
The key thing to realize is that in most cases when a vendor or third party is given access to a company’s or data owner’s sensitive information, the company is still responsible and legally liable for that information. So the data owner needs to know ahead of time what kind of controls are in place for security, who owns the information, and what will happen during a security event. All of this should be established up front so that if, and when, there is actually a security breach, the response will be swift and cooperative.
Contractually, how can an organization mitigate its risk exposures?
I usually recommend the inclusion of a data security schedule or some sort of exhibit that lists preventive controls and the requirements to implement these controls—for instance, encryption that would prevent a security breach from happening in the first place. There are actual laws that dictate that companies handling information must have a security program so you want to put those controls into the contract. You also want to do an assessment or audit during the term of contract—obviously, you want to look at the company at the beginning and do some due diligence and ask questions. But over the course of a long-term contract controls and measures can become obsolete or new types of attacks and vulnerabilities can emerge and may need to be addressed. That’s why you want to put in audit rights and assessment rights that allow you to look under the hood to make sure the vendor is keeping up to speed with current threats over time.
What are some must-have legal/contract items to include in any service level agreement or outsourcing agreement?
- Incident response procedures: Providers or outsourced vendors have their own process for handling data breaches but that process needs to be looked at and it needs to be as seamless as possible between customer and vendor. That’s why you must put contract terms in place and lay out a procedure that allows the customer to respond to a breach as if it’s happening internally. This should include forensic assessment, a specialized IT investigation of what happened in the breach and what data may have been exposed. Sometimes service providers don’t want customers poking around in their IT systems—but you can address that in the contract terms so it’s in place. You may get pushback from vendor, and you might have to try negotiation—a lot of that depends on the leverage and power of the parties involved, and the size of the contract.
- Liability is another issue: Most service providers put a limitation of liability clause into the contract—the vendor’s liability might be limited to six months’ worth of fees for a data breach, and the vendor can’t be held responsible for consequential damages. But that might not be anywhere close to what the loss is for the customer and then the customer gets left holding the bag, even though the breach was the vendor’s fault. It’s a huge negotiating point and even bigger companies find it difficult to get leverage on limitations of liability. From the vendor viewpoint, if a breach happens it might impact 100 customers, so if they don’t limit liability, they might have all 100 of those customers threaten a lawsuit.
- The concept of reasonable security: Laws often require certain controls, such as encryption, firewalls or access controls, and it’s not uncommon to see those listed out in a contract with a vendor. In addition, a lot of laws say you need to have “reasonable,” “appropriate” or “adequate” security—this is not necessarily defined because what’s reasonable on day one might not be effective down the line. A “reasonable security” standard should be in the contract to ensure the company is holding the vendor up to modern-day standards of security.
- Assessment and audit rights, including forensic assessment: If there’s a breach, you want to be able to have someone go in, take images of hard drives and go onsite to find out what’s going, so that should be in the contract.
- Indemnification and reimbursement: If there’s a lawsuit due to a security breach on the vendor side or the vendor failed to comply with requirements for either security or privacy, an indemnification clause allows the customer to not have to pay for attorney fees, or costs related to judgment or regulatory action. I usually put in a clause for reimbursement for personal information data breaches and there are five different types of costs it covers: attorney fees, forensic investigation, credit monitoring services, call center services, and PR-related expenses.
- Insurance: There should be a clause requiring the vendor to purchase cyber insurance to cover a breach, especially for smaller vendors who may not have a lot of money.
Thanks, Dave. In summary, as more clients consider leveraging online third party-controlled applications (e.g., cloud providers) for their computing and storage, it’s crucial to plan for an inevitable data breach incident. After all, statistics show that most companies will experience a data breach at some point in time. As such, it’s paramount to have in place a granular process that will give you some direct rights and control over the future breach investigation, remedy and notification to your customers.