ABSTRACT

Use the Three Tools for Better Integrating Information Security into the Contract Life Cycle

☐ Pre-Contract Due Diligence
☐ Key Contractual Protections
☐ Information Security Requirements Exhibit

Pre-Contract Due Diligence

☐ Develop a form due diligence questionnaire
☐ Ensure the questionnaire covers all key areas
☐ Use the questionnaire as an early means of identifying security issues
☐ Use the questionnaire to conduct an “apples-to-apples” comparison of prospective vendors

Key Contractual Protections

☐ Fully fleshed-out confidentiality clause
☐ Warranties
  - Compliance with best industry practices; specify the relevant industry
  - Compliance with applicable laws and regulations (e.g., HIPAA, GLB, etc.)
  - Compliance with third-party standards (e.g., Payment Card Industry Data Security Standard, Payment Application Data Security Standard)
  - Compliance with customer’s privacy policy
  - Prohibition against making data available offshore
  - Responses to due diligence questionnaire are true and correct
☐ General Security Obligations
  - All reasonable measures to secure and defend systems
  - Use of industry standard anti-virus software
  - Vulnerability testing
  - Immediate reporting of actual or suspected breaches
  - Participation in joint audits
  - Participation in regulatory reviews
☐ Indemnity against claims, damages, and costs arising from a breach of security
☐ Responsibility for costs associated with providing breach notifications to consumers; control of timing and content of notice
☐ Forensic Assistance
  - Duty to preserve evidence
  - Duty to cooperate in investigations
  - Duty to share information
☐ Audit Rights
  - Periodic audits to confirm compliance with the agreement and applicable law
  - Provision of any SAS 70, SSAE 16, or similar audits
☐ Limitation of liability should exclude breaches of confidentiality from all limitations and exclusions of liability
☐ Post-contract policing

Information Security Requirements Exhibit

☐ Where appropriate, develop an exhibit, statement of work, or other contract attachment describing specific required information security measures
☐ Use of wireless networks
☐ Removable media
☐ Encryption
☐ Firewalls
☐ Physical security

Newspapers and trade journals feature a growing number of stories detailing instances in which organizations have entrusted their most sensitive information and data to a vendor only to see that information compromised because the vendor failed to implement appropriate information security safeguards. Worse yet, those same organizations are frequently found to have performed little or no due diligence regarding their vendors and to have failed to adequately address information security in their vendor contracts, in many instances leaving the organizations without a meaningful remedy for the substantial harm they have suffered as a result of a compromise. That harm may take a variety of forms: damage to business reputation, loss of business, potential liability to the data subjects, and regulatory and compliance issues.