Protect & Defend columnist Ed Branam, DVM, is the veterinary and animal services program manager at Safehold Special Risk Inc. A 1977 graduate of the Michigan State University College of Veterinary Medicine, Dr. Branam has worked in the insurance industry for the past 20 years. He is a former Sacramento, California, veterinarian and a former veterinary affairs manager with Hill’s Pet Nutrition.
My article “Are You Prepared for a Data Breach?” [December 2017/January 2018] outlined the importance of addressing a veterinary practice’s cyber liability. Simply outsourcing administrative and financial responsibilities such as credit card processing, data storage, and payroll and benefits administration does not eliminate your liability should a breach occur.
Now let’s look at how to protect your business when using third-party vendors.
A common misconception among businesses of all sizes is that by outsourcing all or part of their information technology operations, the responsibility and legal liability for associated data also is outsourced.
There is no arguing the benefits of outsourcing IT services, whether they be cloud storage, payment processing, human resources or website hosting. Utilizing outside vendors to perform such services provides notable rewards such as streamlined operations, reduced IT costs, better flexibility and time to market, and overall business improvement. But any organization that outsources its computing or allows a third party to retain care, custody and control of private data assets is exposing itself to risk.
Federal and state laws dictate that the data owner, not the vendor, is ultimately responsible for protecting the data. When a vendor experiences a significant service failure or data privacy breach, the owner of the impacted data must demonstrate regulatory compliance, including conformity with federal and state notification laws and other consumer remediation requirements. Failure to comply can carry steep fines and other penalties.
The data owner is ultimately responsible and legally liable, regardless of where or how the data breach occurred.
As I noted previously, almost half of all data breaches took place while the data was with a third-party vendor, according to the 2016 “Cost of Data Breach Study” conducted by IBM and The Ponemon Institute. This would include protected data in the hands of outsourcers, cloud providers and business partners.
For this reason, managing outsourced vendors must be a critical part of any network security and privacy risk-management program. Large commercial organizations perform vendor vetting as part of a well-established risk-management function. Typically, this activity is properly funded and staffed as part of a larger IT and risk-management department.
Smaller businesses usually do not have the dedicated personnel, budgeted resources or the management focus needed to carry out a comparable vendor management program. However, the smallest company can take steps to help manage third-party cyber risk.
Using a simple security questionnaire will help determine what the vendor is doing in the areas of:
- Information security management.
- Regulatory and compliance activities and certifications (for example, compliance with the Payment Card Industry Data Security Standard, PCI DSS).
- Protection and segregation of client-supplied data.
- Application development security practices.
- Service availability.
- Disaster recovery planning.
- Incident response planning.
Reviewing vendor-provided external audit reports, conducting external vulnerability scans and examining written privacy policies and practices also are recommended.
In addition to the above, one of the most critical aspects of vendor management is executing a well-written contract. Some of the must-have provisions to include in any service level agreement or outsourcing contract are:
Incident Response Procedures
How the vendor handles data breaches should be an addendum to the contract. The contract should call for a forensic assessment of what happened and which data might have been exposed, and clarification as to what the customer can and can’t do in terms of accessing the vendor’s system after a breach to assist in the investigation and response.
Vendor pushback is not uncommon because vendors do not want to permit such access to their systems, but access can be negotiated and may depend upon the size of the contract and the leverage of the parties involved. Regardless, a formal incident response plan is needed between the customer and the vendor.
Limitation of Liability
Many contracts will limit the vendors’ liability to a certain number of months of fees and will specifically exclude any consequential damages. Often, this does not come close to covering the customer’s actual loss even when the breach was the vendor’s fault. Contract language should clearly spell out how costs relating to the data breach will be allocated.
Federal and state laws often require certain controls, such as encryption, firewalls and access limits, to be in place to safeguard customer data. These also can be included in the contract.
At the very least, a “reasonable security” standard should be included, because what is “reasonable” from a data security standpoint can change from day to day. The vendor should be expected to employ current security standards.
Assessment and Audit Rights
If a breach occurs, the customer will want to be involved in the investigation. The right to assess and audit should be included in the contract.
Indemnification or Reimbursement
Such a clause allows the customer to be fully covered for costs related to a breach, whether they be upfront response costs or later judgments, fines or penalties associated with regulatory actions. The legal liability falls into the data owner’s lap, not the vendor’s, so the customer must have contractual protection for these costs when the vendor is responsible for a breach. The costs can be significant and may include, but are not limited to, attorney’s fees, forensic investigation expenses, credit- or identity-monitoring services, consumer notification costs, call center services, public relations expenses, and fines or penalties.
The contract should contain a clause requiring the vendor to purchase cyber insurance to cover a breach, and the customer should be named as an additional insured party whenever possible.
While outsourced IT services provide a multitude of benefits for any business, especially at small to midsize businesses where resources and IT budgets are limited, allowing your data to be under the care, custody and control of a third party brings significant risk. Implementing simple vendor management procedures and having strong contracts in place with any outsourced provider is essential to properly managing such risk and to ultimately protecting your balance sheet and reputation.