Vendor contract review—what does that mean to you? Does it bring back bad memories? A last minute scramble to close a deal? Capitulating to oppressive limits on liability to meet a deadline? Dragging and dropping an executed .pdf file into an electronic folder where it will gather virtual dust? We like to tell a different story when it comes to vendor contract review and cyber risk mitigation. It is a bit more mundane but, if handled correctly, it will save you from unnecessary drama for years to come.
In a well-run vendor contract review, all the real action happens long before anyone starts drafting and redlining a contract. I am talking about the internal and provider-facing due diligence that should precede the “contract review” proper. That pre-negotiation review is an opportunity to explore your organization’s worst nightmares and its appetite for risk. Data breach in the cloud, anyone? How about an HVAC vendor whose remote access account was used as the foothold to reach customer payment card data? Vendor “contract review” really begins with a bit of introspection: an internal analysis with all the stakeholders at the table.
The good news? If done right, on the other side of this internal evaluation and due diligence is an opportunity to find true partners. Service providers who understand the risks associated with your business model and the data that comes with it. Service providers who will engage in a meaningful discussion about risk allocation and who are in it with you for the long haul. Those contracts—the ones that emerge after thoughtful internal evaluation and due diligence, an in-depth RFP process, and a friendly negotiation of terms—those contracts will mean much more than words on paper.
What should you be evaluating during this process? The same questions apply to your internal due diligence, your vendor RFP, and your contract negotiation. They include (and this list is illustrative, not comprehensive):
- Data at Issue: Does the transaction involve the sharing of personally identifiable information or other sensitive information of your employees, contractors, or customers, or the storage, processing, transmission, or maintenance of such information?
- Information Security Programs – Yours and Theirs: Do you and your service provider have Written Information Security Programs? How does the vendor’s WISP map against the federal, state, and even international regulatory requirements that apply to your business and your own information security program?
- Industry Standards: Does the service provider comply with recognized industry standards such as those published by the International Organization for Standardization (ISO, e.g., ISO/IEC 27001), the National Institute of Standards and Technology (NIST), or, where payment card data is in scope, the Payment Card Industry Data Security Standard (PCI DSS)? Ask for the evidence (certificate, attestation, or assessment report), not just the claim.
- Privacy – Restrictions on Use of Data: Will the provider limit access to the data to those employees and subcontractors who have a business need to access the data for purposes of providing the services pursuant to the agreement? Does the provider intend to use “aggregated” or “anonymized” information for purposes beyond providing the services such as improvement of its own services or marketing? If so, how is it “aggregated” or “anonymized”? Can it be re-identified?
- Subcontractors: Will the service provider identify all subcontractors and obtain your consent before giving subcontractors access to sensitive information? Will it contractually impose on its own subcontractors substantially similar duties?
- Changes in Functionality: Will the service provider give prior notice of any material changes to the functionality of the services that will adversely impact security, availability, or integrity of your data?
- International Data Transfers: Where are the provider’s servers/data centers? Will the data be processed in or transferred to other locations, and if so, when, where, and under what circumstances? What is the provider’s compliance plan for cross-border data transfers? Is it Safe Harbor certified? (Note that the Court of Justice of the European Union invalidated the EU-U.S. Safe Harbor framework in October 2015, so a Safe Harbor certification alone can no longer be relied on for EU transfers.) Are Standard Contractual Clauses or more sophisticated compliance mechanisms needed? How does the provider intend to keep pace with the changing privacy legal landscape in the EU and across the globe?
- Audits: Will the provider allow direct audits of its security? If not, will it supply a third-party SOC 2 Type II report on an annual basis, and will the report’s scope actually cover the systems and locations that handle your data?
- Incident Response: Does the service provider have a documented incident response plan? How, and within what timeframe, will you be notified in the event of a security breach or other incident? Will you have the ability to conduct your own investigation, including access to relevant logs and forensic evidence?
- Preservation and Disposal: Will the service provider agree to preserve information consistent with any instructions you provide, including any litigation holds? When and under what circumstances will the provider return and/or securely dispose of sensitive information?
- Government and Other Third Party Data Requests: Will the provider refuse to disclose data to any third party absent a valid warrant, subpoena, court order, or discovery request? Will the provider give you sufficient notice to object to any disclosure and seek a protective order?
- Indemnification and Limitation on Liability: Will the service provider indemnify the company in the event of a data security breach? In what circumstances? Up to what limits of liability?
- Insurance: Will the provider maintain cyber liability insurance, and at what coverage limits?
- Termination and Transition: What happens when the relationship ends? Under what circumstances can you terminate? Will the provider help you transition services over a reasonable period of time?