Subscribe to the
Corporate Law Advisory Newsletter
to stay up-to-date on the latest news and best practices.
Ideas and suggestions are always welcome. Please let us know how we can improve your newsletter! We welcome your feedback.
Editor: Vanessa Lloyd, Corporate Counsel Marketing, LexisNexis
Contributing Editor: Tom Hagy, HB Litigation Conferences LLC, former VP LexisNexis and Publisher of Mealey’s™ Litigation Reports
LexisNexis® for Corporate Counsel
LexisNexis® Webinar Center
LexisNexis® Legal Newsroom
Live CLE Webinars | OnDemand Webinars
Contracting in a World of Data Breaches and Insecurity: Managing Third-Party Vendor Engagements
By David Katz Nelson Mullins Riley & Scarborough LLP
One only has to log on to their favorite news aggregation website to read the most recent and shocking headlines describing the disastrous, costly and often painfully public consequences of some unfortunate company’s data breach. Even more distressing, is that in some cases the company’s data breach may have been entirely out of their control and a direct consequence of a third-party vendor’s negligence, failure of adequate security controls or the third party may have been simply the most recent victims of a cyber security attack.
No matter what the cause, once the proverbial cat is out of the bag and the brand is damaged, it becomes impossible in an unforgiving world of aggrieved consumer data breach victims to even remotely suggest that it was the third-party vendor’s fault and the company is not to blame.
Some recent examples of larger data breaches where the third-party vendor’s liability has impacted a company occurred in September of 2011, when the U.S. Defense Department's TRICARE health program was required to notify 4.9 million beneficiaries of a data breach which occurred when backup tapes were stolen from the car of an employee of one of TRICARE's business associates. A second example involving a compromised vendor occurred in the spring of 2012. In this breach large financial institutions began monitoring accounts and replacing payment cards after news that Global Payments Inc., a payments processor, had been breached, exposing an estimated 1.5 million accounts.
Although breaches may not in all cases be preventable, organizations should commit themselves to a risk-based approach to determine the appropriate legal, privacy and information assurance due diligence when engaging and contracting with a third-party vendor that may be receiving or have access to data from the organization. The scope and methodology for conducting third-party vendor risk assessments should be proportional to the types and sensitivity of data exchanged and the capacity of the organization to conduct a comprehensive evaluation of the privacy and security infrastructure of the third-party vendor.
For the purpose of this article, data is understood to mean personal information that can be used to identify, locate or contact any individuals or information that is confidential to the organization. This article will be to explore the key elements that organizations should consider as they establish a third-party vendor management program.
The ultimate goal of a functioning program is to appropriately identify and mitigate the risk of exposure that exists as a result of the engagement of a third-party vendor that may receive or access the organization’s data. This exposure could be as broad as a full-blown data breach requiring mass notifications or as limited as any other unauthorized access or disclosure of the organization’s data. Additionally, this article will, at a high level, consider the critical contractual elements which are essential to managing privacy and information assurance risk from a legal perspective.
The Case for Vendor Management
As organizations begin to examine and weigh the risks associated with a failure to fully identify and appropriately vet either new or existing vendors that may be receiving or accessing confidential corporate data, customer or employee data that is Personally Identifiable Information (PII), one can imagine the steady increase in the anxiety level among privacy, information assurance, risk management and legal professionals leading the organization. Given the legal and regulatory environment which currently exists for organizations that may have suffered a data breach, it is critical that the flow of and access to data be closely scrutinized prior to the release of, or granting access to, the organization’s data. Even more critical, is that the appropriate due diligence measures are established by clear policies, specific and detailed standards, and that these policies and standards are enforced. Finally, insistence on adherence to these policies and standards along with a robust program of review and oversight must be clearly communicated from the top down. To the extent that companies fail to conduct their own due diligence and make a careful record of that process, they operate in an environment which could potentially expose the organization.
What is Vendor Management?
Vendor management is a multi-functional process involving elements of IT, Information Assurance, Legal, Compliance, Risk Management and the Internal Business Owner. In short, these parties are working in concert in an attempt to identify and mitigate the potential risks created by engaging a third-party vendor that may have access to or receive data from the organization. As the risk landscape and regulatory environment continue to evolve, these elements must work in unison to create a process that is properly calibrated to the organization to credibly, methodically and defensibly identify and determine an acceptable level of risk to the organization. Only through mutual cooperation and alignment of these individual business units can this process properly function.
What Are the Risks?
The risks of failure to establish an appropriately scoped program are potential loss of ownership rights to the organization’s data, lack of data security, lack of data privacy protections and controls, loss of data backup and recovery, inappropriate or incomplete incident response, failure to notify of data loss or data breach, brand erosion or collapse, loss of shareholder confidence, increased regulatory scrutiny or action and potential class action litigation.
Who Owns Vendor Management?
Effective vendor management requires organizational commitment from senior executive leadership of the organization. This process should be owned by Risk Management and led by the compliance and legal teams. Finally, the internal business owner must also own this process. An internal audit must assure that adequate controls are in place and can be tested to demonstrate a reduction in risk to the organization.
How is Vendor Management Governed?
The governance process is a key element of the vendor management program as it provides the oversight and control mechanism established by the organization over the policies and procedures, and standards for the engagement, evaluation and ultimate approval or rejection of the vendor. The lack of adequate governance standards and organizational controls over the vendor management process can lead to disruption, data compromise, data loss, financial loss, brand damage, and for public companies, diminished shareholder value. The organization must develop a variance process in the event that the internal business owners cannot, out of necessity or some other equally plausible scenario, engage in the vendor management process. An oversight role must be part of any variance process and variance must be reviewed regularly.
Integration Without Disruption
Integrating vendor management into the business process requires concentrated senior executive leadership and top-down organizational support. An organization failing to embrace a comprehensive vendor management process without the appropriate entity level buy-in cannot succeed. Initiation of this process may encounter resistance as increased diligence is likely to interfere with the agility of the contracting process. For this reason, it is critical to establish clear ownership and governance responsibility in the highest levels of the organization. The owners of the vendor management program must convincingly make the case that conducting this type of due diligence is as essential to the contracting process and offer as acceptance itself. It requires considerable education, training and communication of the risk and the overall value the process brings to the organization from a risk mitigation perspective. While an effective program may never adequately be monetized, the costs of an unsuccessful program will most certainly be.
The Legal Perspective to Protecting Data: Key Contractual Components
This list is not exhaustive and the contractual language needs to be specifically tailored after a comprehensive risk assessment. The purpose of providing these elements is solely to identify the core elements that should be a starting point as part of the negotiations with the third-party vendor.
1) Qualified Counsel & Clear Definitions. The organization must engage qualified counsel to draft the appropriate provisions specific to the transaction. These elements can be included as part of the original agreement or as part of an addendum or amendment to an existing agreement. The key elements of the essential contractual provisions should focus on providing a clear definition of personal information.
2) Vendor Compliance. The organization should, at a minimum, require the third-party vendor to represent and warrant compliance with all applicable federal, state and local laws, rules and regulations that pertain to the possession or use of personal information. The language should require the third-party vendor to comply with the organization’s privacy and information assurance policies and the organization’s notice of privacy practices.
3) Security Programs. The third-party vendor should be required to maintain to the extent feasible its own privacy and information security program, and conduct regular risk assessments of its security and information assurance practices. There should be a very clear requirement that the third-party vendor provide notification of a privacy or information assurance event and require the third-party vendor to take immediate steps to the extent possible to immediately address the event.
4) Audits. The organization should insist on audit rights and insist on the right to hire third parties if necessary to conduct the audits.
5) Safeguards. Organizations should require by contract that their vendors warrant they are capable of maintaining appropriate safeguards for the organization’s data.
6) Indemnification. Third-party vendors should be capable of providing broad based indemnification for their failure to comply with applicable privacy laws, for loss of the organization’s data, for negligence, gross negligence or bad faith, or any security breach involving the organization’s data.
7) Confidentiality. Finally, the organization should require a confidentiality provision ensuring adequate protection of the organization’s data. There should be specific provisions to address protection, destruction and return upon conclusion of the agreement.
It is important as a first step to begin to build executive support and a business case to conduct a third-party vendor risk assessment. At minimum, the organization must conduct a full inventory and accounting of all third-party vendors that have access to or receive data from the organization. Once this inventory is complete, management must work to build processes and procedures to ensure that the organization can fully implement a robust risk assessment process and can lay a foundation for engaging future third-party vendors. Organizations should consider hiring internal experts to align Legal, IT, Information Assurance, Compliance and Risk functions. Organizations must designate an executive owner and sponsor to engage senior management and then potentially the organization’s Board of Directors. Finally, organizations should consider initiating a Steering Committee that can direct proper engagement of the business owners, conduct variance reviews and provide management support in developing the vendor management process throughout the organization.
Disclaimer: The views and opinions expressed in this article are those of the individual sources referenced and do not reflect the views, opinions or policies of the organizations the sources represent.
Mr. Katz is a partner in the Atlanta office of the law firm of Nelson Mullins Riley & Scarborough LLP. His practice areas focus on matters related to general corporate transactions, outsourcing, regulatory compliance, consumer privacy and data security compliance, information governance, ethics, corporate governance and enterprise risk management. Previously, Mr. Katz was the Senior Legal Counsel, Compliance & Privacy Manager for Aaron’s, Inc., a publicly traded company headquartered in Atlanta, Georgia. Mr. Katz received his BA from the University of Georgia in 1996 and JD from the University of Baltimore School of Law in 1999. He received his CIPP/US designation in March of 2012. He is also a Certified Compliance and Ethics Professional (CCEP). Prior to joining Aaron’s, Inc., Mr. Katz was a Senior Assistant State’s Attorney in Baltimore, Maryland, and a Captain in the United States Army Reserve’s JAG Corps. He is currently an Adjunct Faculty member at Atlanta’s John Marshall Law School where he teaches Business Planning. Mr. Katz also serves on the Board of Directors for Hands On Atlanta, a non-profit organization that helps individuals, families, corporate and community groups strengthen Greater Atlanta through service at more than 400 nonprofit organizations and schools. Mr. Katz is married with three children and one white German Shepherd and lives in Alpharetta, Georgia, very close to the Chattahoochee river. His Tweets on privacy and information security can be followed on Twitter® @KatzFDavid. He can be reached at 404-322-6122 or by email at David.Katz@NelsonMullins.com