Organizations should include some additional protections around data breaches in their vendor contracts. In addition to data breach notification and reporting, the contract should require the vendor's active cooperation in investigating and remediating any such incident. This is important because data breach notification statutes and bank regulatory requirements make it clear that the buck stops with the financial institution. In the end, it must determine for itself what happened in the vendor breach, the risk of harm to its customers, and how to respond. While it can contract with the vendor to notify affected individuals, the financial institution is ultimately responsible if a notice required by applicable law or regulatory guidelines is not made.
As a corollary, the contract should require the vendor to refrain, to the extent permitted under applicable law, from issuing a data breach notice to the financial institution's customers without the institution's prior review and approval. Whether or not to issue a data breach notice and the contents of any notice involve reputational, customer relations and financial considerations, as well as legal and regulatory ones, and any risk assessment and decision-making must follow the incident response plan that regulated financial institutions are required to maintain.
Although not required by regulatory guidance, PCI DSS or statute, financial firms should also consult with their counsel about contractual protections to shift the financial losses of a vendor breach. Even apart from any third-party liability or statutory or regulatory penalties, the out-of-pocket costs associated with a breach can run into the millions of dollars. They include such items as the forensic investigation to determine what and whose data was compromised, the closing and reissuing of accounts and replacement of payment card plastic, legal review of state data breach statutes to determine compliance obligations, the sending of breach notices, and, of course, fraud losses resulting from identity theft.
A financial institution should include data breach protections by requiring its vendors by contract to indemnify and hold it harmless from costs and losses resulting from the unauthorized access or use of sensitive data in the vendor's possession, as well as from any failure by the vendor to comply with applicable law or its confidentiality and security obligations under the contract. Needless to say, such an indemnity is worthless unless the vendor has adequate financial resources to satisfy a claim, which is why federal regulatory guidance recommends additional risk mitigation measures such as pre-contract and periodic review of audited financial statements, and requiring suitable insurance from the vendor.
Vendors will undoubtedly attempt to limit their liability (such as through a cap on liability and/or customary language stating the vendor is not responsible for lost data), so careful negotiation of these points is critical. At the very least, a vendor should be required to indemnify for data breach-related claims, costs and losses resulting from its negligence or from other wrongful behavior, such as a breach of contract or failure to comply with applicable legal or regulatory obligations.
About the author:
Andrew M. Baer is an attorney with long experience in technology, e-commerce and information security matters relating to the financial industry. He is the founder of Baer Business Law, LLC (www.baerbizlaw.com), a Philadelphia firm focused on providing clients with cost-efficient business counseling and transactional assistance, particularly in the areas of technology and intellectual property law. He can be contacted at firstname.lastname@example.org.
HOW TO MANAGE SECURITY RISKS IN VENDOR CONTRACTS
Vendor contract management: Regulatory guidance is risk-based
Vendor audit and monitoring contractual rights
Data breach protection: Implementing vendor breach safeguards
Vendor risk management: process and documentation