Under the Thumb: Regulatory Compliance When Outsourcing Cybersecurity Management
Managed security services are often a natural “add-on” when outsourcing IT services, given that data protection is integral to application development, software as a service, and cloud storage, among other services. More recently, managed security services have become a “niche” sourcing alternative in their own right, one that many companies are considering as they seek to leverage a supplier’s expertise in cyber threat assessment, detection and response. One critical consideration to keep in mind before outsourcing your cybersecurity management is that you cannot outsource your regulatory responsibilities. You may hire a supplier to protect your and your clients’ data and cyber infrastructure to the degree the law requires of your organization, but if the supplier fails to meet those legal standards, your organization remains liable.
Under U.S. laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Federal Information Security Management Act (FISMA), executive orders and state-specific regulations, or the UK Data Protection Act, you may outsource day-to-day information management; you may not outsource your regulatory liability. If a breach occurs, your organization must notify its own clients, state Attorneys General and federal agencies, as applicable. Enforcement actions may be taken against your organization based on a violation by a supplier, regardless of whether your organization knew of or was involved in the conduct. For example, the Consumer Financial Protection Bureau (CFPB), a relatively new federal agency that began operating in 2011 under the Dodd-Frank Act, explicitly directs its enforcement powers at the conduct of both financial institutions and their service providers.
In 2012, the CFPB announced that it expects “supervised banks and nonbanks to oversee their business relationships with service providers in a manner that ensures compliance with federal consumer financial law” and avoids harm to consumers. And what is one of the biggest risks of harm facing consumers in 2015? Loss or improper disclosure of consumers’ personal and financial data, which may occur over the Internet, via smart devices and related applications, at merchant points of sale when making card payments, or even at the hands of a rogue employee within your organization or your supplier’s. If the CFPB investigates your organization, it will likely also investigate your service provider(s), if any, as a matter of course, focusing on consumer data security and the risk of identity fraud.
But remaining under the thumb of various regulatory regimes doesn’t mean that you shouldn’t take advantage of managed security outsourcing. So what does it mean?
- Know before you select a managed security services provider. Complete due diligence on each supplier’s then-current regulatory compliance status before down-selection. Place particular emphasis on the systems and experience needed to comply with the agencies that have authority over your organization.
- Shift the risk of breach to the party best able to avoid that risk at the lowest cost. Negotiate contractual obligations requiring the supplier to comply with relevant cybersecurity law and to indemnify your organization for supplier-caused breaches of data security and confidentiality obligations. Retain the risks that your organization can bear more cheaply than a supplier can. Keep in mind that an indemnity compensates you after the fact; it does not transfer the underlying regulatory obligation, which stays with your organization.
- Keep up with the law. Institute a rigorous process, in-house or via outside counsel, to regularly update your supplier(s) on regulatory changes applicable to your organization’s business. You know (or should know!) better than a supplier what your obligations are and what actions you are capable of undertaking in the event of information loss or disclosure.
- Document your vendor management processes and actions, particularly any security incidents, related communications with the supplier, corrective measures and resolutions. A contemporaneous record is what you will be asked to produce if a regulator investigates.
- Check in periodically. Include audit rights provisions in your outsourcing agreement and exercise those rights regularly. Pleading ignorance won’t absolve your organization of a compliance violation, but timely awareness of a problem may allow you to fix it, and/or the supplier relationship, before a violation occurs.