July 18, 2017 - Information Security & Privacy and Health Care Group News: Protecting Data: Vendors May Be Your Weakest Link
By: Dena M. Castricone and Daniel J. Kagan
Just last week, a Verizon Communications vendor misconfigured a cloud server that caused the information of 6 million Verizon customers to be exposed on-line. When a cyber incident or data breach occurs on your vendor’s watch, regardless of fault, you own the resulting legal obligations and costs. The best tools for managing the risk of using vendors are due diligence and adequate contract provisions.
Before engaging a vendor, you should consider the vendor’s ability to protect your information. One way to accomplish this is to create a vendor security checklist or questionnaire that all potential vendors must complete. For example, you could ask for:
Notably, vendor due diligence measures are required by New York’s Cybersecurity regulations and will be required by the EU’s General Data Protection Regulation when it takes effect in May 2018. And while not required by law in many other settings, vendor due diligence is quickly becoming a standard and expected business practice.
After the due diligence phase, you should ensure that the service contract contains important provisions. The following are examples of such provisions.
Required Security Measures: The contract should detail the security measures that you will require the vendor to implement. Be specific, while leaving open the option that new requirements may emerge, and reserve the right to periodically confirm that the vendor is in compliance. Again, engage your IT professionals.
Immediate Notice: This provision will require the vendor to provide you with notice within a very short time frame in the event of a security incident. Be sure to define "immediate." Twenty-four hours is ideal but three to five business days may also be acceptable.
Indemnification: The contract must have a strong indemnification provision that requires the vendor to cover all costs and expenses that flow from any security incident or breach of information it maintained, accessed or promised to secure on your behalf, including notification and reporting costs, legal fees, governmental fines and the cost of any litigation or claim brought against you relating to the security incident or breach.
For health care providers, vendors with access to protected health information must also enter into a business associate agreement ("BAA") under HIPAA. Your standard BAA should address the above provisions. If possible, avoid signing a vendor’s standard BAA because it likely will not protect your best interests.
If your entity experiences a breach or if you have any questions about data breaches or any other health law issue, please contact Dena M. Castricone, Daniel J. Kagan or Stephanie Sprague Sobkowiak.
2019 Murtha Cullina LLP All Rights Reserved.