With the exponential growth of cyber threats, cloud computing and remote working, contract provisions regarding data security requirements have also expanded in size and frequency. It has become common practice to prepare schedules to detail (and limit) security requirements. Customers and vendors both have a vested interest in clearly identifying expectations and obligations for such requirements. In this week’s Contract Corner, we explore considerations when it comes to drafting security schedules.
Protecting Customer Data
Customers entrusting sensitive and confidential data and information to their vendors will want stringent data security requirements to ensure that such information remains protected. Typical requirements include the following:
- Current Security Controls. Security devices and processes are rapidly improving in response to ransomware and other cyber threats. Customers will look to their vendors to maintain state-of-the-art security protections for their data, including detailing such protections in an original schedule and providing updates on future improvements.
- Breach Response. To comply with data breach laws and regulatory requirements, customers will require specific commitments regarding notification and response times, including keeping current with any changes to such laws and regulatory requirements. The recent adoption of GDPR-like requirements in China highlights the importance of such provisions.
- Device/Software Requirements. Customers typically seek that vendors require employees to use vendor-managed laptops and other devices and that vendors maintain current antivirus software and other forms of software protection on those devices.
- Configuration. Customers look for stringent password requirements and connectivity management by vendors that prevent intrusive connections to customer or vendor systems that may impact the services.
- Training Standards. Customers will seek confirmation that vendor employees are (and remain) fully trained to combat cyber threats and bolster cybersecurity awareness.
In response to customer concerns and requirements, vendors frequently provide form security schedules describing the technology and processes they employ to protect customer data. Attempting to get “ahead of the game,” vendors look to specify their obligations and limit liability for data events beyond their control. Important considerations include:
- Security Control Disclosure. Vendors will typically provide a description of the organization’s security controls in a template security schedule. However, there is a fine balance that vendors need to strike in these descriptions both to maintain the integrity and security of their systems and to protect the confidentiality of the vendors’ (and their other customers’) data.
- Risk Assessments. Customers often request the ability to perform risk assessments on their vendors’ security processes. These assessments can be intrusive and costly. In response, vendors could offer to their own risk assessments but that can be problematic as the results of those risk assessments may need to remain private in order to protect a vendor’s resulting security strategy. Therefore, vendors will often offer to provide third-party security assessments such as System and Organization Controls (SOC) reports as a substitute.
- Incident Management. Vendors will look to lay out their specific responsibilities in the event of a security breach incident and avoid standards that may be impossible to meet, such as immediate notification and remediation.
The surge of remote working has brought with it the need for vendors and customers alike to consider how they will address and maintain organizational security standards outside of traditional vendor locations, as well as changes or additions that are required for security schedules. A few important considerations for remote work include the need to establish a secure VPN connection to a service location, maintain physically secure home office setups, and access to devices that are approved by customers. In order to limit risks that accompany remote working environments, customers also may seek to limit remote working by vendor employees in accordance with guidelines set forth by government authorities.