COMPLIANCE AND GOVERNANCE DIGEST

Data breach protection: Implementing vendor breach safeguards


Andrew M. Baer, Esq., Contributor
09.09.2009

Organizations should include some additional protections around data breaches in their vendor contracts. In addition to data breach notification and reporting, the contract should require the vendor's active cooperation in investigating and remediating any such incident. This is important because data breach notification statutes and bank regulatory requirements make it clear that the buck stops with the financial institution. In the end, it must determine for itself what happened in the vendor breach, the risk of harm to its customers, and how to respond. While it can contract with the vendor to notify affected individuals, the financial institution is ultimately responsible if a notice required by applicable law or regulatory guidelines is not made.

As a corollary, the contract should require the vendor to refrain, to the extent permitted under applicable law, from issuing a data breach notice to the financial institution's customers without the institution's prior review and approval. Whether or not to issue a data breach notice and the contents of any notice involve reputational, customer relations and financial considerations, as well as legal and regulatory ones, and any risk assessment and decision-making must follow the incident response plan that regulated financial institutions are required to maintain.

Although not required by regulatory guidance, PCI DSS or statute, financial firms should also consult with their counsel about contractual protections to shift the financial losses of a vendor breach. Even apart from any third-party liability or statutory or regulatory penalties, the out-of-pocket costs associated with a breach can run into the millions of dollars. They include such items as the forensic investigation to determine what and whose data was compromised, the closing and reissuing of accounts and replacement of payment card plastic, legal review of state data breach statutes to determine compliance obligations, the sending of breach notices, and, of course, fraud losses resulting from identity theft.

A financial institution should include data breach protections by contractually requiring its vendors to indemnify and hold it harmless from costs and losses resulting from the unauthorized access or use of sensitive data in the vendor's possession, as well as from any failure by the vendor to comply with applicable law or its confidentiality and security obligations under the contract. Needless to say, such an indemnity is worthless unless the vendor has adequate financial resources to satisfy a claim, which is why federal regulatory guidance recommends additional risk mitigation measures such as pre-contract and periodic review of audited financial statements, and requiring suitable insurance from the vendor.

Vendors will undoubtedly attempt to limit their liability (such as through a cap on liability and/or customary language stating the vendor is not responsible for lost data), so careful negotiation of these points is critical. At the very least, a vendor should be required to indemnify for data breach-related claims, costs and losses resulting from its negligence or from other wrongful behavior, such as a breach of contract or failure to comply with applicable legal or regulatory obligations.

About the author:
Andrew M. Baer is an attorney with long experience in technology, e-commerce and information security matters relating to the financial industry. He is the founder of Baer Business Law, LLC (www.baerbizlaw.com), a Philadelphia firm focused on providing clients with cost-efficient business counseling and transactional assistance, particularly in the areas of technology and intellectual property law. He can be contacted at andrew@baerbizlaw.com.
