From time to time, both our firm and our clients are asked to execute some sort of agreement regarding information security as part of a vendor contract. In short, the agreement is an attempt to ensure that the vendor has sufficient technological, administrative and physical security measures to safeguard the confidentiality, integrity and availability of data provided to the vendor. Like so many aspects of information security, reviewing these agreements requires a multi-disciplinary approach because they impact the legal, technological and business operations of the vendor.

J. Paul Zimmerman

Remember the moral to the story of the blind men trying to describe an elephant? Each discipline within the vendor company reviews these agreements with the perspective inherent in their experience within that discipline. To an attorney, the agreement is a legal issue. (Outside counsel is generally worse about this than inside counsel because inside counsel often has a business, as well as legal, perspective.) The agreement seeks to impose upon the vendor legal obligations, duties regarding notice, compliance with applicable laws, industry standards, security “best practices,” and other safeguards. The attorney will recognize that a requirement to provide the engaging entity with forensic reports obtained by the vendor in response to a data breach could result in a waiver of the vendor’s attorney-client privilege or other legal protections in subsequent litigation or government investigation. Every “problem” with the agreement, to the lawyer, is a legal issue.

Meanwhile the IT manager, while possibly unaware that the disclosure of a forensic report could result in a waiver of privilege as to communications on that subject, may instead see that some of the technical safeguards mandated by the agreement are not feasible for the vendor. Similarly, while the vendor’s IT manager may approve an administrative safeguard because the company’s infrastructure allows for it, and the attorney may approve of the legal implications of that safeguard, someone in a business unit may recognize that the same requirement imposes a substantial burden on the vendor’s employees – resulting in a loss of productivity. These issues are only the tip of the iceberg. Many other interconnected issues are involved in these information security agreements. We have not even mentioned how the vendor’s obligations under the agreement may jeopardize the vendor’s cyber (or other) insurance coverage due to a policy exclusion regarding voluntarily assumed contractual obligations.

Require encryption for data in transit? The attorney is not likely to have a problem with that. But IT may be the one to recognize that the company does not have the capability to do that. Limit access to the customer’s data held by the vendor to those employees with a need to access it? Oh, sure, we have that policy. But the business unit may recognize that, in practice, obtaining access to the information by someone not on that team is simply a matter of sending an email to a database administrator with no explanation as to why access is needed. If the client discovers that workaround in a subsequent audit — and these audits are increasingly common — the vendor is set up for a breach of that agreement that was entirely preventable.

Assemble a team to review these ancillary agreements before you obligate your company to them. That team should consist of, at the very least:

  • An executive of the company
  • Leaders of the business units that will be affected by the proposed security agreement
  • Counsel, whether in-house counsel or outside counsel, with an information security practice
  • A managerial-level IT representative
  • Risk management (or anyone with knowledge of the vendor’s insurance risk plan and policies)
  • A leader on the vendor’s breach response team

Each of these perspectives has a role in evaluating information security agreements. The more intricate the work to be provided and the more complex the vendor’s operations and IT and information security environments, the more there is at stake in the engagement and the more comprehensive the contract review must be. Pitfalls can be operational, legal or technological, and it is rare for any one person to have the perspective to scrutinize these agreements from all angles.
