Data breach protection: Implementing vendor breach safeguards

Data breach protection: Implementing vendor breach safeguards

Andrew M. Baer, Esq., Contributor

Organizations should include some additional protections around data breaches in their vendor contracts. In addition to data breach notification and reporting, the contract should require the vendor's active cooperation in investigating and remediating any such incident. This is important because data breach notification statutes and bank regulatory requirements make it clear that the buck stops with the financial institution. In the end, it must determine for itself what happened in the vendor breach, the risk of harm to its customers, and how to respond. While it can contract with the vendor to notify affected individuals, the financial institution is ultimately responsible if a notice required by applicable law or regulatory guidelines is not made.

As a corollary, the contract should require the vendor to refrain, to the extent permitted under applicable law, from issuing a data breach notice to the financial institution's customers without the institution's prior review and approval. Whether or not to issue a data breach notice and the contents of any notice involve reputational, customer relations and financial considerations, as well as legal and regulatory ones, and any risk assessment and decision-making must follow the incident response plan that regulated financial institutions are required to maintain.

Although not required by regulatory guidance, PCI DSS or statute, financial firms should also consult with their counsel about contractual protections

    Requires Free Membership to View

    Login

    SearchFinancialSecurity.com members gain immediate and unlimited access to in-depth technical advice, strategies, and expert guides for securing data in high-risk financial environments. Join me on SearchFinancialSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchFinancialSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchFinancialSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

to shift the financial losses of a vendor breach. Even apart from any third-party liability or statutory or regulatory penalties, the out-of-pocket costs associated with a breach can run into the millions of dollars. They include such items as the forensic investigation to determine what and whose data was compromised, the closing and reissuing of accounts and replacement of payment card plastic, legal review of state data breach statutes to determine compliance obligations, the sending of breach notices, and, of course, fraud losses resulting from identity theft.

A financial institution should include data breach protections by requiring its vendors by contract to indemnify and hold it harmless from costs and losses resulting from the unauthorized access or use of sensitive data in the vendor's possession, as well as from any failure by the vendor to comply with applicable law or its confidentiality and security obligations under the contract. Needless to say, such an indemnity is worthless unless the vendor has adequate financial resources to satisfy a claim, which is why federal regulatory guidance recommends additional risk mitigation measures such as pre-contract and periodic review of audited financial statements, and requiring suitable insurance from the vendor.

Vendors will undoubtedly attempt to limit their liability (such as through a cap on liability and/or customary language stating the vendor is not responsible for lost data), so careful negotiation of these points is critical. At the very least, a vendor should be required to indemnify for data breach-related claims, costs and losses resulting from its negligence or from other wrongful behavior, such as a breach of contract or failure to comply with applicable legal or regulatory obligations.

About the author:
Andrew M. Baer is an attorney with long experience in technology, e-commerce and information security matters relating to the financial industry. He is the founder of Baer Business Law, LLC (www.baerbizlaw.com), a Philadelphia firm focused on providing clients with cost-efficient business counseling and transactional assistance, particularly in the areas of technology and intellectual property law. He can be contacted at andrew@baerbizlaw.com.


HOW TO MANAGE SECURITY RISKS IN VENDOR CONTRACTS

  Introduction
  Vendor contract management: Regulatory guidance is risk-based
  Vendor audit and monitoring contractual rights
  Data breach protection: Implementing vendor breach safeguards
  Vendor risk management: process and documentation

This was first published in September 2009

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

Back to top