Do you sleep well at night knowing your vendors are appropriately securing your clients’ sensitive data? In the age of big data, every company must devote significant resources to protecting its systems from cyberattacks, and most companies have invested heavily in their own cybersecurity as a result. But an inward focus is not enough. One area of vulnerability increasingly subject to exploitation is the access to systems and data given to third-party vendors. Many of the world’s most notable (and costly) data breaches involved hackers exploiting vendor access or vendor systems. One of the largest data breaches in history, the Target breach, did not begin with an attack on Target’s own defenses. Rather, the systems of a third-party HVAC vendor were compromised, and the network access that had been granted to that vendor was then used to reach Target’s systems. Similarly, the noteworthy breaches of Wyndham Hotels’ data did not begin on the hotel company’s main network. Hackers instead accessed the networks of third-party hotels operating under the Wyndham brand and, from there, gained access to Wyndham’s corporate systems.
As a result, it is increasingly important for companies to pay close attention to relationships with any vendor that accesses personal data or sensitive commercial data. Although we typically think of this protection as a highly technical affair of encryption and access controls, there are practical, commonsense steps that a general counsel can take to minimize liability in the event of a breach of a vendor’s systems.
First and foremost, companies should conduct appropriate cybersecurity due diligence on the front end when engaging a new vendor. Understanding a potential vendor’s security controls helps when negotiating the contractual protections needed to protect the company throughout the relationship. For example, vendors commonly insist on limiting their own liability to the amount of money received under the contract, an amount that can be a small fraction of the cost of a breach. If the company has conducted due diligence on the vendor, it can better adjust other contractual provisions to deal with the risk that vendor presents. Perhaps the company can insist on regular on-site audits of the vendor’s systems to ensure that they meet evolving industry standards. Perhaps the company can limit the vendor’s data access to what the engagement actually requires, or require that the vendor provide services on-site under company-employee supervision. With appropriate diligence, companies can avoid the fairly common problem of a small vendor causing a large loss that would push the vendor into bankruptcy and leave the company footing the bill, or, worse yet, a contract under which the vendor is not liable at all because of restrictive contractual provisions.
Second, companies must carefully draft provisions to ensure that a vendor is contractually obligated to protect data. Some jurisdictions require precise and definite language for such provisions to be enforceable; mere recitals about “adequately safeguard[ing]” data may be insufficient. Kuhns v. Scottrade, 868 F.3d 711, 717 (8th Cir. 2017). In drafting these provisions, a company should consider whether it can dictate particular vendor practices, such as restricting data access to the vendor personnel and systems that need it, securing data facilities in a specified manner, and setting minimum standards for creating and storing system credentials. Depending on the relative bargaining power of company and vendor, the company may also be able to include technical requirements relating to intrusion detection, vulnerability scanning, patching, and other protections against security vulnerabilities. All of these will cost the vendor money, but if the company is able to demand specific security protections, it should do so. Alternatively, a company could insist that the vendor present evidence of accepted industry security assessments, such as PCI DSS validation for payment card data or ISO 27001 certification for overall information security. A certificate or attestation covers only the scope stated in it and only as of its date, so the company should confirm that the scope actually includes the systems and services that will handle its data.
Additionally, certain contract terms can better position a company in the event of a cybersecurity incident. For instance, requiring the vendor to notify the company within a specified time after discovering an incident allows the company to control (or at least influence) the public narrative around the data disclosure and possibly mitigate the adverse consequences of a breach. The days of 30 days’ notice are long gone. Where European personal data is involved, the GDPR gives the company, as controller, 72 hours from becoming aware of a breach to notify the supervisory authority, so the vendor’s notice to the company must arrive well within that window, and the contract should say so.
Companies should also pay attention to red flags that arise over the course of the vendor relationship. If a small incident happens, pay attention to the vendor’s reaction. Did it notify promptly and follow through on the contract terms relating to a breach? Did it satisfactorily fix the vulnerability that led to the incident? If there were deficiencies, take the opportunity to address them before a larger issue arises.
The lens through which a company is judged for its vendor oversight is a cloudy one; no precise requirements are specified. Section 5 of the Federal Trade Commission Act prohibits “unfair or deceptive acts or practices.” See 15 U.S.C. Section 45. To satisfy the FTC’s broad standard of conduct, we therefore recommend that, in addition to doing due diligence on potential vendors and insisting on adequate contractual provisions, a company periodically audit the vendor to confirm that the representations made during due diligence are still accurate and that the contractual protections are, in fact, being followed.
Moreover, concluding any vendor relationship should involve rigorous closing practices. For example, the company should make clear any continuing post-contract obligations regarding data. Best practice is to require the return of all sensitive data the vendor obtained from the company, where that is possible. The next-best alternative is a certification that the data, including copies held in backups and by any subcontractors, has been destroyed. The company should also revoke any credentials, accounts, and network access the vendor was given, since lingering vendor access is precisely the weakness exploited in the breaches discussed above.
It is important for general counsel and compliance officers to remain aware of new developments in cybersecurity law. Just as technology changes rapidly, so do cybersecurity laws and regulations. Data concerning Europeans now requires special protections under the GDPR, and China has substantially updated its cybersecurity law. We live in a global world, and developments overseas can be as important as trends here at home. Having strong cybersecurity counsel in place who are familiar with the changing legal landscape and the best practices discussed here can be critical to a company’s appropriate management of vendor relationships.
Angela Zambrano is a partner in Sidley Austin’s Dallas offices and firmwide co-leader of the commercial litigation and disputes practice.
Meaghan Nowell is an associate in Sidley Austin’s commercial litigation and disputes practice in Dallas.