igh-profile breaches at Target and Home Depot, in which hackers gained access to networks through the companies’
service providers, caught the public’s attention. In response, regulators issued new cybersecurity guidance or began to enforce existing regulations against companies to improve their information security and privacy governance. The regulatory pressure has helped somewhat. The Ponemon Institute’s 2017 Cost of Data Breach Study reports that the amount of time from breach to discovery decreased from 201 days in 2016 to 191 days last year, and that the average time to contain the breach declined by four days. Furthermore, the appointment of a chief privacy officer and the use of security analytics saved companies $3 and $7, respectively, per compromised record compared to 2016.
Nevertheless, data breaches are ubiquitous. In 2017, 1,579 data breaches were reported, according to the Identity Theft Resource Center, a 45 percent increase over 2016. The average cost to U.S. companies was $7.5 million, a 5 percent increase.
But here’s one of the biggest challenges. As businesses have become more digital and interconnected, cyber criminals have more companies to attack. Hackers have begun to attack companies’ service providers more frequently, which causes breach costs to increase by $17 per compromised record, according to the Ponemon study. Despite the growing threat, only 44 percent of respondents to a recent Ponemon survey reported that managing service provider risk is a priority at their companies.
This lack of urgency is troubling, because a company’s failure to address service provider risk suggests that the firm may have deficiencies in its information security program. More importantly, a perception may be created that outsourcing a service absolves the company from liability if the service provider experiences a security incident. This perception is wrong, because statutes, regulatory guidance and the public all look to the company, not the service provider, for redress.
This is where the chief legal officer should enter the conversation. CLOs need to explain the legal requirements to management; at the same time, they are critical to minimizing service provider risks. But they can’t manage this issue in a vacuum. They are dependent on the specific facts and circumstances of the relationship. The best way to minimize this risk is to develop a robust privacy and security program to be used when the vendor accesses the company’s network or customer data.
Presumably the CLO’s company has already created a program of its own that works well and that it regularly tests. The next step is to review the vendor’s own program to ensure that it is as robust and secure as that of the company it is servicing. (Or, if the vendor does not yet have a strong program, collaborate with it to create one.)
The CLO would be a logical choice to be part of the cross-functional team that should be assembled to lead this effort. Other participants from the CLO’s company might include its chief security information officer, the head of IT and the chief privacy officer. On the vendor’s side, it may wish to tap its own in-house lawyer, the head of IT, the chief risk officer or even the CFO. Realistically, however, certain service providers may lack personnel with the technical, human, financial or legal resources that their larger counterparts have at their disposal. The company may have to persuade the service provider to retain an “outsourced” chief information security officer to manage its data security initiatives.
After the team has established or modified the vendor’s program, they can turn to the task of drafting the service provider agreement that they will use to guide the ongoing relationship between the two entities. These agreements are essential to protect the CLO’s company from service provider risk. Among other things, the agreement should: (1) include representations and warranties regarding regulatory compliance and industry standards; (2) impose a standard of care equal to, or better than, the company’s privacy and information security practices; (3) limit disclosures to third parties without consent; (4) require prompt notice after a security incident; (5) create procedures to ensure return or destruction of company data upon termination of the agreement; and (6) develop a cost allocation mechanism for responding to a security incident, including indemnification or insurance.
Alternatively, if the company’s business units negotiate these agreements with limited input from the legal department, the CLO should ensure that an enterprise-wide service provider policy exists, and includes mandatory data security language to be included in all agreements. At a minimum, the company’s service provider policy must require that data security language cannot be changed without the express approval of senior management.
Monitoring the service provider’s compliance with its data security program is essential to ensuring that its risk controls are correlated to address current and emergent security threats. Yet, 56 percent of respondents in the Ponemon report said that their companies do not monitor the security and privacy practices of service providers to which they grant access to sensitive or confidential information, typically because the service providers do not allow independent monitoring to verify security practices. This obstacle is best overcome by having a contractual requirement to allow periodic audits. The sensitivity of the company’s data, or the breadth of the service provider’s access to the company’s network, should determine the frequency and intensity of the audit. As an additional step, for service providers whose access is considered “high-risk,” the company should have the provider participate in the company’s incident response exercises so that the company can observe its processes during a security incident and address any necessary remediation.
In sum, companies must ensure that their service providers’ security practices are equal to or better than their own. Companies must also monitor service providers’ compliance with their stated data security practices to ensure that their controls can contain current and evolving threats. This requires firms to develop strong privacy and data security practices that match the legal framework in which they operate and the risks that they face. The CLO’s role is crucial to ensure that the results will safeguard the company’s reputation, limit breach costs and avoid unwanted regulatory scrutiny and litigation.
Denver Edwards, a principal in the financial institutions practice at the law firm of Bressler, Amery & Ross, P.C., is a former senior counsel in the Enforcement Division of the Securities and Exchange Commission and the Office of the Comptroller of the Currency. One of his areas of focus is cybersecurity and regulation. He can be reached at dedwards@bressler.com