A large portion of the data breaches that occur each year involve human-resource-related issues. This includes situations in which HR data was lost, employees were inadvertently responsible for the loss of information about other people, or, in a small number of cases, a current or former employee maliciously stole or released information.
Bryan Cave has put together a multi-part series to help human resource managers understand, prepare for, and react to a data breach. This part discusses what employers should look for in their contractual relationships with service providers.
Almost every employer uses service providers. Some service providers require information about employees in order to provide the employee with human resource benefits (e.g., health insurance, vision insurance, dental insurance, disability insurance, life insurance, parking, etc.). For example, in order for a health provider to send benefits information to a new employee, it must know the name of the employee, what premium should be charged, the employee’s health insurance elections, and the employee’s beneficiaries who will also be covered under the policy. Other service providers require information about employees in order to help employers manage the employment relationship (e.g., payroll processing, tax processing, benefits processing, disability processing, etc.). For example, a tax preparer needs access to each employee’s Social Security Number, salary, and address in order to prepare and/or submit W-2 forms for an employer.
As with any company, service providers cannot guarantee that the information provided to them will remain secure in all situations. While a guarantee may be impossible, employers have a vested interest in making sure that their service providers utilize reasonable security measures to help prevent the loss of data, and in understanding how their service providers will react in the event of a security incident. Employers should consider the following factors when reviewing a contract with a service provider:
- Security standard. A service provider that receives sensitive information concerning your employees should contractually represent and warrant that they are not only in compliance with law, but that they take reasonable and appropriate security measures to protect your employees’ information. If your organization has specific standards for the security protocols that it applies, consider integrating those standards into your agreement with the service provider. You may also wish to negotiate the right to audit the security practices of the service provider.
- Notification of a suspected data breach. If a data breach occurs that involves sensitive categories of information, states typically require that a service provider notify the data owner. State notification laws, however, often give a service provider flexibility to investigate the security breach and understand its scope before putting you on notice. Many employers negotiate data breach notification provisions that exceed statutory requirements by requiring service providers to notify them when the service provider first suspects a data breach, rather than waiting until the service provider has completed an investigation and conclusively determined that a breach occurred.
- Notification of other suspected data security incidents. “Data breach” is a legally defined term that typically refers to unauthorized access to, or acquisition of, certain fields of sensitive information. Service providers often experience security incidents that, upon investigation, are not, in fact, data breaches. For example, service providers that permit your employees to establish a user name and/or password in order to log into an online portal often monitor employee accounts for indications that an unauthorized person has obtained an employee’s username and/or password and attempted to log in. Depending upon what the attacker views once logged in, the incident may not qualify as a “data breach.” Specifically, a log-in using a legitimate user’s credentials does not by itself compromise the service provider’s network, and while the attacker may have viewed non-public information about an employee, that information may not trigger a breach notification statute (e.g., if the information contained only the employee’s salary, or contained data elements that the attacker already possessed before viewing the account). While this type of “unauthorized authentication” may not be the fault of your service provider, you may have an interest in having the service provider alert you to the situation so that you can advise the affected employee that a third party appears to have their account credentials (e.g., user name and password) and may have accessed their information.
- Allocation of liability. The degree to which a vendor can, or should, be held liable for a data breach varies greatly. If the breach was caused by a third party (e.g., a criminal attacker), the service provider may not have been able to prevent the breach and, as a result, may justifiably feel that it should not be liable. Conversely, even when a breach was caused by a third party, as between the employer and the service provider, the service provider may have had the greater opportunity to protect the data from attackers. As a result, an employer may justifiably feel that the service provider, not the employer, should bear the loss. The net result is that there are often reasonable arguments for, and against, assigning responsibility to a service provider when the service provider’s system was breached by a third party. In any case, it is important that employers understand the amount of liability that their vendors share in connection with a security incident and, if necessary, renegotiate their agreements to include industry-reasonable terms.
- Remediation of security vulnerabilities. The adage “it’s not if, but when” applies to vendors just as it does to employers. As a result, when establishing a vendor relationship or negotiating a contract with a vendor, you should anticipate that a security failure will occur and plan what the parties’ respective obligations will be in that eventuality. Part of that discussion should include what obligations the vendor will have to remediate security failures that are identified as part of a breach. While some security failures are relatively easy to fix on a going-forward basis (e.g., patching a terminal that had an out-of-date operating system, or updating an anti-virus program’s malware signatures), other security failures may be more complex, and even a diligent vendor may not be able to provide an immediate fix (e.g., redesigning a database, applying different at-rest encryption technologies, etc.). As a result, it may be difficult, if not impossible, for a vendor to warrant, before a breach happens and a security vulnerability is identified, that any and all vulnerabilities will be fixed, let alone provide a precise timetable for how long remediation may take. When searching for a middle ground, some employers require that a vendor take “commercially reasonable” steps to remediate significant security vulnerabilities. Other employers draft their service agreement to allow them to terminate the relationship with a vendor for cause if the vendor will not, or cannot, remediate a security vulnerability.
- Termination rights. Employers should remember to continually reevaluate throughout the vendor relationship whether the level of security that a vendor can offer matches the level of security required by the employer. If, at some point, there is a mismatch between an employer’s needs and a vendor’s capabilities, the employer may want the ability to terminate the vendor relationship without incurring penalties and transfer its data to a new provider.
- Financial capacity and cyber-insurance. If the agreement that you have with a service provider imposes obligations upon it in the event of a data breach (e.g., to issue notifications to employees, to provide identity-theft-related services to your employees, or to defend and indemnify your organization), it is important to consider whether the service provider would have the financial ability to meet these obligations in the event of a breach. When thinking about a service provider’s financial capacity, remember that if a service provider experiences a network breach that impacts the information of some (or all) of its clients, it may be liable to dozens, hundreds, or even thousands of companies, not just your organization. If you have doubts about its financial strength to absorb the impact of a data breach, consider requiring that it maintain cyber-insurance and that your organization be named as an additional insured on its policy.
TIP: A service provider that is willing to “guarantee” that your employees’ information will always be secure, or that represents that they have never had a data security breach, may be demonstrating a lack of data security-related maturity. In such cases, while a contractual guarantee is beneficial if a breach occurs, the service provider may be unwilling (or unable) to comply with their contractual commitments.