Information technology compliance, and particularly data security compliance, has become a very hot topic in recent years, due in large part to the emergence of cloud computing and the increase in the number of reported security breaches. A decade ago, the typical IT contract contained little detail relating to information security or compliance in general, other than the standard homage to confidentiality and compliance with applicable laws and regulations.
Times have changed, however, and today one of the top concerns of companies purchasing technology products or implementation services is the integrity and security of the data being processed. Companies in all industries are faced with dramatically increased scrutiny from regulatory authorities, and privacy and security practices are a favorite focus for the current generation of class action plaintiffs’ lawyers. As a result, many large purchasers of technology systems are attuned to the significant financial risks of a data security breach and are demanding increasingly stringent controls in their current contracts with technology and service providers.
Not having a meaningful information security policy is a competitive disadvantage as a vendor. Moreover, many vendors have agreed to indemnify their customers in circumstances that could include a security breach, and, as recent cases have shown, the damages associated with these breaches can be staggering.
Regulatory compliance is largely a sector-specific matter. Some industries have been subject to privacy and data security regulation for years. For example, companies in the financial services industry generally are familiar with the privacy and data security requirements of federal laws like the Gramm-Leach-Bliley Act (GLB) and the Financial Industry Regulatory Authority Act (FINRA). Similarly, most health care companies understand that they are subject to the Health Insurance Portability and Accountability Act (HIPAA). However, companies in other industries may be less attuned to the fact that they handle sensitive financial and health information of employees or customers that is subject to laws such as GLB, FINRA and HIPAA.
If a company currently does not have comprehensive privacy and data protection policies, developing them should be a high priority for management. Depending on the size and resources of the company, the preferred approach would be to develop, memorialize and implement a comprehensive information security strategy and plan, addressing internal and external access to and use of all IT systems, and then plug the company’s information security requirements into each vendor agreement. Another approach, while perhaps not as effective, but meaningful nonetheless, would be to distill the requirements (without developing an overarching strategy), bearing in mind any industry-specific mandates, and attempt to negotiate those requirements into vendor agreements (assuming that those agreements are in fact negotiable).
Conceptually, a customer should consider at least the following in its agreements with vendors:
- As a threshold matter, mandate that the vendor use reasonable security measures to prevent unauthorized access to the customer’s data and other sensitive information;
- Require the vendor to adhere to an information security policy that would set forth the technical requirements associated with any access to the customer’s systems;
- If no company policy exists, describe the applicable security measures (such as encryption, intrusion detection systems, incident logging and virus screening) to be used by the vendor;
- Include audit rights (or access to periodic audit reports, coupled with meaningful access to the auditors);
- Require that an approved response and remediation plan be implemented by the vendor if there’s a security breach; and
- Require that the vendor carry broad insurance coverage specific to security breaches (and thus beyond standard errors and omissions coverage).
While in practice there is usually some negotiation around the edges, the above six basic tenets are generally well-accepted. In addition to these generally applicable concepts, if there are any sector-specific laws or regulations that apply to specific types of data, it is preferable to include specific covenants, representations and warranties in a contract regarding the handling of such data. But expect resistance as the vendor will likely be unable (or unwilling) to differentiate between various data types.
A related subject is data governance, which conceptually is tied to confidentiality. In essence, data governance addresses when, where, how and for what limited purposes the data can be accessed, stored, transferred, processed and used. For example, can customer data be transferred outside the United States? Similarly, is it permissible for customer data to be aggregated (even if anonymized) and accessed by the vendor, even if only to see trends?
Of course, with each of these items, the devil is in the details. For example, with respect to insurance, is the policy triggered by any security breach regardless of cause (including unlawful third-party acts)? And is the customer a named insured party on the policy? In a cloud setting, while practices are generally uniform, it’s also worthwhile to consider security practices at the facilities used by the vendor to deliver the cloud services. That said, security breaches may be just as likely on on-site systems, so care should be taken to develop and enforce appropriate internal security policies.
As a customer, ultimately the company (and not the vendor) is responsible for the proper handling of confidential personal and business information. Stated otherwise, if there’s a security breach that results in the unauthorized disclosure of confidential personal and business information, the company is not absolved from liability just because the breach was due to some act or omission of the vendor. Accordingly, robust security policies and recourse against the vendor in case of a breach (bearing in mind the economics of the transaction with the vendor) are of paramount importance.
Developing a comprehensive information security strategy requires a multidisciplinary approach, involving IT, operations, compliance, finance and legal. Even if, due to expediency, an ad hoc approach is taken, all relevant stakeholders should be consulted. As an example, the finance team is often asked to consider insurance requirements and the overall costs of implementing even transaction-specific security measures and systems.
The cost and effort involved in creating, implementing and monitoring good information security practices could be dwarfed by the cost of remediating a major security breach. Moreover, while financial risks can be managed by insurance, the reputational damage caused by security breaches has a long tail and can plague a company for many years. Given the enormous financial and reputational risks of a security breach and the increased scrutiny from regulators and attention from class action lawyers, any company that has not addressed its data security practices should make this a high priority.
All views expressed herein are solely those of the author and should not be attributed to Greenberg Traurig.
**********
About the Author
John Pavolotsky is a member of the Greenberg Traurig’s Intellectual Property and Technology practice group. His practice focuses on technology transactions and other intellectual property matters. Prior to joining GT, he was corporate counsel of SugarCRM Inc. and general counsel of Fourth Dimension Software.
I agree that because there are constantly new malware or security threats being discovered, technology must continue to evolve to address new zero-day threats. Compliance policies are simply not enough to prevent security breaches from happening. The recent rise in data breaches has targeted a variety of industries, leaving no industry safe from falling victim. Blocking malicious attacks before they enter the system and ensuring network-layer Data Leakage Prevention (DLP) to prevent the outflow of user/corporate data is essential. Our company Wedge Networks has been building solutions like these for years, addressing both enterprise and service providers’ security needs.
John – Critical topic for IT security leaders to get in front of and for business leaders to understand. We’ve seen these trends inside Intel IT and responded. We have embraced a new way of thinking in partnership with business leaders in HR and legal, while embarking on a radical redesign of our information security architecture. We are a year in and encouraged by some solid results.
Some of the strategies we have employed, lessons we have learned and the resulting Intel IT best practices for security can be found in these IT@Intel executive insights. Hope they are helpful – feedback would be great.
http://www.intel.com/content/www/us/en/it-leadership/intel-it-it-leadership-information-security-should-protect-and-enable-paper.html
Chris, ITIntelSME