Tips for Keeping Data Security in Target When Negotiating Third-Party Outsourcing Agreements
By Seth A. Northrop
Seth A. Northrop is a trial attorney, and former entrepreneur, at Robins, Kaplan, Miller & Ciresi LLP, Minneapolis, where his practice focuses on intellectual property, and global business and technology sourcing. He has substantial experience with complex commercial litigation disputes involving various technologies including software and hardware design, analytics, networking, database and e-commerce systems.
Data breaches, however, are anything but isolated–and they certainly have not only impacted Target. Contemporaneously with Target, for example, Neiman Marcus confirmed its own data breach.2 Both Target and Neiman Marcus are on a growing list of retailers that have experienced data loss, including a widely reported breach of more than 45 million T.J.Maxx and Marshalls customers in 2007.3 And it is not a phenomenon that has hit only retailers: highly publicized attacks have hit financial institutions, marketing aggregators and even bellwethers of the information technology sector.
Moreover, the dizzying barrage of threats that corporations face is further complicated by ever-growing diversity in the devices and systems they must secure, the increasing interconnectedness of their organizations and an increased trust in third-party service providers to deliver perceived expertise in information management. That level of trust, however, often leads organizations into complacency when it comes to managing personal and confidential data. A recent 2013 survey by Trustwave put this threat in perspective: of the 450 global data breaches examined, almost two thirds were connected to third-party providers of information technology services.4
Increasing technology complexity ensures that sourcing will continue to be a fixture for organizations. Accordingly, being proactive about negotiating terms with these third-party providers related to data security and maintaining the same level of governance externally as internally are critical to ensuring that outsourcing does not put companies in the target of hackers. Moreover, these measures ensure that when those organizations become the next Target, they are able to respond swiftly and effectively. The specific contractual terms that deserve a prospective outsourcer’s focus span across operation, governance and incident response.
The Outsourcing Agreement
The starting point for minimizing risks from third-party technology providers is the clarity of the negotiated sourcing agreement. Commitment to clarity can minimize questions about responsibility when events–as they always do–deviate from expectation.
Perhaps the most obvious, but often overlooked, component of sourcing agreements that mitigate data security risk relates to how the vendor actually acts to protect the outsourcer’s data. Often, outsourcers do not require that the vendor’s security policies meet even the outsourcer’s minimum expectations of itself. A 2013 Ponemon Institute study sponsored by Experian identified significant gaps between the more stringent in-house data security practices to which corporations hold themselves and those to which they hold their various vendors.5 In other words, corporations were applying a higher standard to themselves than third-party information services providers.
In part, this negative gap stems from the heightened confidence the outsourcer has in the vendor’s ability to secure information. This trust, however, often is misplaced. Outsourcers therefore should focus on translating their confidence in vendors into concrete contractual expectations that ensure their data is treated at least as carefully by vendors as it is in-house.
In addition, consider these specific tips when negotiating the sourcing agreement:
Do not expect the vendor to view your own security policies as the minimum requirement.Perhaps most fundamental for an outsourcer seeking to source data management is demanding adequate physical and electronic security for its data. Many organizations have invested significantly in defining the minimum requirements of the systems managing their data. These can include the physical requirements of data centers, the definition of control groups that have access to certain types of data, user management policies, the types of information that must be stored in encrypted form and the minimum requirements expected of employees working with the organization’s data. Yet, when it comes time to negotiate a sourcing agreement, those policies often are ignored or thrown aside. Given that these requirements often already have been reduced to paper, translating them into concrete contractual baselines can be less complex than other potential disputed contractual terms. Further, they can provide clarity and continuity in service delivery if incorporated. At a minimum, companies should avoid diluting their data security standards simply by entering into a sourcing agreement.
Insist on Compliance. Beyond expressly laying out the data management requirements, insisting on compliance with internal, regulatory or industry best practices can be an essential component in contract design. At a minimum, companies should expressly require that providers adhere to the myriad state, federal and international data privacy regulations. But this should be the floor, not the aspiration. Other options include insisting on compliance with industry best practices, such as ISO 27001 and ISO 27002, PCI Data Security Standard, or the Control Objectives for Information and related Technology (COBIT) standards. Although these standards are inherently limited given their lack of flexibility or specificity to a particular organization, they nonetheless can provide a baseline for companies that do not have a mature security policy and also provide a reference point that will evolve independent of the contract as industry expectations change.
Demand data ownership. At a minimum, an outsourcer should demand that data remains its own and be designated as confidential. This requirement creates an operational framework for how the provider interacts with the data. Moreover, within that framework, companies should insist on contractual terms that clearly define where the data geographically resides and who can access or manipulate it. Organizations also should seek to limit providers’ ability to pass data to third parties because each step away from the original source limits their control and can introduce unexpected or undesirable regulatory issues when the data passes from one jurisdiction to another. To the extent data needs to be passed to third parties, companies ought to demand approval, transparency, consistency in compliance with the agreement and culpability of the provider for the actions of its sub-contractors.
Few areas are more important to the success of outsourcing relationships than a robust governance regime. Without adequate oversight, corporations are exposed to business disruption, legal liability and a loss of customer goodwill. Sustainable governance stretches beyond merely defining visibility within each outsourcing contract; it requires constantly engaging the stakeholders on the importance of implementing and enforcing existing governance tools.
Consider the following tips:
Define governance structure. Before negotiating an outsourcing agreement, it is important for a company to understand who it will lean upon to guide the ship. Defining a consistent and stable governance team will help the organization through each phase of the outsourcing relationship. Often, this governance team should span across different vendor relationships to ensure consistency in management, oversight and corporate guidance.
Negotiate sufficient transparency to enable governance. A governance team is only as effective as the information it has to assess the progress of the outsourcing relationship. In the context of data security, the agreement should require that the vendor provide transparency in the security policies it follows. There must be adequate auditing rights that stretch beyond whether specific items in the statement of work are being performed and instead enable the company to explore the providers’ adherence to applicable security policies, government regulations and best practices. The contract should have clearly defined intrusion detection testing protocols, the results of which are regularly provided to the company’s governance team. Finally, there should be a strong focus on performance measurements through clearly defined service level agreements related to areas such as network scanning, security policy management, antivirus management, and backup and recovery.
Conduct continual vendor risk management. Typically, organizations confine their vendor risk management analysis to pre-contract due diligence periods. However, like any segment of technology, the baseline assumptions can dramatically change as time progresses. By reassessing providers on a regular basis, the governance team will stay engaged in risk mitigation, proactively identify performance gaps and identify potential exit strategies (and barriers) should the relationship unravel.
When a breach occurs, it is important that the sourcing agreement clearly delineates what needs to happen and whose responsibility it is to act. Expediency and clarity often can be the difference between the organization containing damage or experiencing a public relations spiral. Some things to consider when negotiating an agreement include:
Demand immediate notification of breach. One important component that companies ought to insist on including in any agreement is expeditious notification if the provider suspects a breach. Early notification can help the organization control the damage, avoid the embarrassment of having a third-party source disclose the breach and allow the company to start the ball rolling on meeting its regulatory obligations. In contrast, a lack of early disclosure can cripple the organization’s governance operations, inhibit it from crafting a response and potentially expose it to increased legal liability.
Clearly define cost allocation. Dealing with ambiguity in cost allocation when responding to a data breach is one of the last things parties want to deal with during a crisis. These costs can be significant as the organization struggles to work tirelessly to shore up systems, compensate impacted individuals and deal with the loss or interruption of business activity. By committing to clarity at the front of contract, the parties can better focus efforts on immediate remediation should a data breach occur.
Insist on cyber security insurance. Few outsourcing providers can absorb the tremendous potential liability resulting from a data breach–particularly when it impacts large customers with even larger record sets. Negotiating cost allocations becomes largely meaningless when one party collapses under the weight of liability. Ensuring that the agreement contains adequate provisions for coverage of catastrophic events therefore is critically important to controlling risk.
Be mindful of liability caps. Increasingly, providers are insisting on smaller and smaller caps on potential liability–sometimes demanding caps equivalent to only a few months of fees paid under the contract. Devising exclusions to any such caps–for example, if the provider fails to provide timely notification of a breach, hides critical information or otherwise unnecessarily exacerbates the harm to the company–will substantially mitigate risk for organizations considering outsourcing. But at a minimum, companies ought to calculate their potential risk so that if a large-scale breach occurs, they have sufficient external coverage to cover losses that exceed negotiated caps.
Insist on post-mortem root cause analyses. Companies should insistent that breaches are accompanied by clear obligations by the provider to perform, or assist, in a post-mortem analysis of each factor that contributed to the security lapse. Often, hackers will test attacks on a system on a smaller scale before instituting a large-scale attack. A robust system of detection, response and analysis of these less-severe attacks can help prevent large-scale breaches in the future.
Preventing and reacting to data breaches caused by sourcing providers begins with anticipation and clarity. Target will not be the only target of hackers. As it becomes increasingly frequent for organizations to outsource critical data management functions, the risk only will increase. However, keeping data security in target when negotiating outsourcing agreements can substantially improve an organization’s ability to prevent an attack and respond should it occur.
4 TRUSTWAVE, 2013 GLOBAL SECURITY REPORT, available at http://www.trustwave.com.
5 PONEMON INST. RESEARCH REPORT, SECURING OUTSOURCED CONSUMER DATA (Feb. 2013), available at http://www.experian.com/innovation/business-resources/securing-outsourced-customer-data.jsp.
Copyright 2014, The Bureau of National Affairs, Inc.