Data Security Protections in Outsourcing Agreements
A key finding in the Trustwave 2012 Global Security Report is that in 76% of data breach investigations a third party responsible for system support, development and/or maintenance of business environments introduced the security deficiencies. This should concern any company that outsources the processing, storage or transmission of personally identifiable information (PII) to suppliers of IT or business process outsourcing services.
With the average cost of a data breach in excess of $5 million and the associated reputational risk, outsourcing customers should review their contracts to ensure they contain appropriate commitments and accountability from the supplier with respect to data security. Below is a brief outline of some of the key provisions that should be part of an outsourcing agreement.
Supplier Commitments: Suppliers should commit to the following:
Data Security Program – To maintain a comprehensive program with appropriate safeguards, procedures and controls for the protection of customer data. The customer should have the right to periodically review the program and audit supplier’s compliance with the program and other contractual requirements.
Legal / Regulatory Compliance – To comply with all existing and future data privacy and security laws applicable to the services. This commitment should include compliance with laws imposed on the customer for which the customer is dependent on the supplier’s performance to remain in compliance. If the supplier will handle personal health information (PHI), a HIPAA-compliant business associate agreement should be made part of the contract.
PCI DSS Compliance – To comply with PCI DSS requirements / guidelines and maintain PCI certification at the appropriate level (e.g., Level 1 Service Provider) if payment card information will be handled by the supplier.
Customer Policies – To comply with the customer’s written policies and procedures relating to data privacy and security, as they may evolve and change over time. In the event that a change to the customer’s policies would require the supplier to incur material additional costs, it is reasonable for the supplier to seek additional compensation for compliance (provided the supplier is not otherwise obligated to make the change based on other requirements of the agreement).
Industry Standards – To comply with the standards and practices embodied in ISO/IEC 27001 and 27002, and other relevant industry standards, as they evolve and change over time.
Location of Customer Data – To process, store and transmit customer data only in jurisdictions authorized by the customer. In light of restrictions in the EU and elsewhere on trans-border flows of PII, the customer may want to set a default rule in the agreement that prohibits the supplier from transmitting PII outside of the jurisdiction of the affected individual absent the customer’s prior written approval.
Access / Use of Customer Data – To use customer data solely to provide the services under the agreement and to limit access to customer data to supplier personnel and subcontractors on a “need to know” basis.
Supplier Personnel / Subcontractors – To perform background checks on supplier and subcontractor personnel and provide appropriate training on security compliance. The supplier should assume responsibility for any failure of supplier or subcontractor personnel to comply with the requirements of the agreement regarding PII and other customer data.
Encryption – To encrypt PII using industry standard encryption technologies (or as otherwise directed by the customer) in connection with the transmission or storage of PII.
Breach Response – In the event of a data security breach to:
- Immediately notify the customer upon discovery;
- Investigate the root cause of the breach and present written findings to the customer;
- Remediate the underlying causes of the breach; and
- Fully cooperate with the customer in responding to the breach.
The customer should have the right to control the response to any security breach involving PII, including notifications to affected individuals, credit bureaus and governmental authorities.
Supplier Accountability: Suppliers should have a high level of accountability under the agreement for any failure to meet their commitments relating to data security, including the following:
Cost of Breach Response – Reimbursing the customer for all reasonable costs incurred by the customer in responding to a data security breach for which the supplier is at fault, including:
- Forensic and investigative costs;
- Legal expenses;
- Fines and penalties;
- Compliance with breach reporting laws and industry standards organizations (e.g., PCI), including notices to affected individuals, credit bureaus and governmental authorities;
- Credit monitoring services;
- Call center support; and
- Other measures required by applicable law or that are customary at the time of the breach.
Indemnification – Indemnifying the customer for any third party claims or actions arising out of any breach by the supplier of its data security related obligations. For claims involving improper use or disclosure of PII, the customer should consider negotiating the right to retain control of the defense of the claim.
Liability Limits – Ideally, agreeing to unlimited liability for breaches of its data security commitments or, at a minimum, a limitation of liability framework that will enable the customer to recover a substantial portion of the losses it is likely to occur in the event of a data security breach for which the supplier is at fault. Some possible approaches to this issue are discussed in a previous SourcingSpeak blog posting: Are You Protected When Your Suppliers Lose Your Data?
Termination – Accepting the customer’s right to terminate the agreement for cause if the supplier commits a material breach of its data security obligations. The customer should not have to wait until there is a security incident or afford the right to cure the breach before terminating.
If your outsourcing agreement is missing some of the important protections described above, you should consider negotiating more favorable terms with the supplier at the next available opportunity.