Cybersecurity continues to dominate news headlines and permeates all aspects of society; the transportation industry is no exception. Businesses are adapting to this new reality by shoring up technology and educating employees regarding best practices and risks associated with an online presence. While necessary, these steps do not insulate a business from all cyber risks. In today’s interconnected society, data is no longer confined to the traditional brick and mortar perimeter of a business. As businesses adapt to this new reality, they often outsource their data management to third parties, potentially putting that data at risk.
The transportation industry is data intensive, and information traditionally maintained on paper is increasingly transitioning to digital conduits. Transportation management systems, ELDs, AOBRs, and in-cab cameras are only a few of the new services relied on by the industry; these services are often provided and maintained by third parties. In addition, sensitive employee and business data, as well as the wide range of documents required by the Federal Motor Carrier Safety Regulations, are increasingly maintained electronically. In the past, it was commonplace to manage such data in-house; however, as businesses grow and the amounts of data generated increase, maintaining data in-house is no longer feasible or cost effective. Businesses are turning to the convenience and cost effectiveness of third-party service providers to store and manage their data. Placing your business’s data in the hands of a third party does not, however, ensure that your data is safe or that your business will be adequately protected should something run afoul. A business’s electronic data is quickly becoming its most valuable asset—an asset worth protecting. If data is entrusted to a third party, the parameters of what is expected to keep your data safe should be memorialized in a contract with that service provider.
The first step in protecting your data is to know what data you have. Not all data is created equally. For example, if your data is subject to state or federal regulations, or contains sensitive business data, its protection should be a priority and not discretionary. Knowing what data you have, and its value to your business, will help you identify steps that should be taken to protect it.
Once you know what data you have and want to protect, a key component to any contract is to identify who “owns” the data. The original point of collection typically determines ownership. Both a business and the service provider will have access to and control over the data; however, identifying the owner is essential, as the owner is ultimately responsible for the safekeeping of the data and compliance with applicable state or federal laws or regulations. If you, as the owner, use a cloud-based service provider to store data and that service provider suffers a cyber incident, you are responsible for any ramifications flowing from that incident; the service provider is not responsible.
Another key component to any third-party contract is access to your data. If you, as the owner, are responsible for safekeeping data, you must have access to it. When you use a third-party service provider, you lose some measure of control over your data; your access to your data is dependent on the service provider and the reliability of its network. In the event of a cyber incident, it is imperative that you have access to your data in order to mitigate the incident and respond. While you would assume you would have access, all too often businesses are forced to respond to a cyber incident in a vacuum, as they are not provided direct access to their data or the facts and circumstances surrounding an incident. Imagine responding to a motor vehicle accident and only having access to the data shared by the investigating officers; unfettered access is critical.
Addressing the allocation of risk between parties is common in business contracts, most often in the form of indemnification clauses and insurance requirements. Indemnification clauses are not novel in the transportation industry, but the extent of the indemnification for a cyber incident involving a third-party service provider comes with a twist. It is common for third-party service provider contracts to attempt to limit the indemnification obligations of the service provider to a multiplier of the contract price, often between three and five times the contract price. Depending on the nature and scope of the services provided, such limitations are often insufficient and do not afford adequate protection in the event of a cyber incident. There is no hard and fast rule to determine appropriate indemnification requirements; each business must assess the value of its own data and the ramifications that would flow from its loss. The key is to be mindful of such clauses and manage the risk appropriately.
Businesses generally have policies and procedures that provide employees with the dos and don’ts of the workplace. Increasingly, cyber policies and procedures are being adopted by businesses in order to ensure that employees follow good cyber practices. Whatever cyber best practices your business holds itself to, it should expect the same from its service providers. If your business has cyber policies and procedures, cyber insurance, or an incident response plan, your service providers should do the same. Similarly, third-party contracts should address how your data is stored and who has access. If you maintain your data on-site in a secured location and restrict employee access to data based on what is reasonably necessary for an employee to perform his or her job, the same should be true with respect to your service providers. Is the service provider storing your data in a secured facility with restricted access? Is the service provider prohibited from engaging subcontractors or sharing your data with others? Do not assume that your data is secure simply because you use a service provider; you must communicate and delineate your security expectations to the service provider.
Implementing one or all of the above recommendations will be for naught if such provisions are not enforced. One final component to any third-party contract is the right to perform an audit. An audit provides for the ability, and the right, to monitor the service provider’s compliance and ensure that your data is secure.
Strategic third-party contracting practices will not eliminate all cyber risks, but they are an additional arrow in the quiver as you strive to protect sensitive data. The dependency on service providers is ever increasing; as it increases, protecting your business and its data is more critical than ever.