Contracting for Cyber-Security Service Agreements

By Brad Peterson and Julian Dibbell

When wireless carrier T-Mobile discovered earlier this month that personal data entrusted to it by some 15 million customers had been stolen from servers maintained by its credit processor, Experian, T-Mobile learned a hard but increasingly familiar lesson: A company’s data security is only as strong as the weakest link in its supply chain.

In the ordinary course of 21st century business, companies often expose their data to other companies, particularly service providers. Those providers may be engaged specifically to process data (as Experian was by T-Mobile), or they may simply be given access for incidental reasons. Either way, any weakness in the security practices of a company’s service providers can expose the company to cyber-attacks as surely as if the weakness were its own.

Data breaches have grown so common that they seem almost inevitable, but that doesn’t mean companies should stop doing everything they can to avoid them. The costs are real: Data breaches damage brands and reputations, disrupt business operations and relationships, require costly investigations, and invite a range of threatening legal responses, including consumer class actions, shareholder derivative suits, and FTC and other regulatory actions.

All told, the average data breach costs more than $3.8 million. When a data breach does happen, having a service provider involved adds complications that, according to one estimate, increase the cost of breach by an average of 10 percent.

The good news is that by contracting well, you can reduce the likelihood and severity of these risks. In contracting with a new service provider (or renegotiating with an existing one), a company intent on minimizing its data breach risks should focus on three questions.

First, is the provider capable of complying with adequate data protection and privacy standards? Second, will the provider agree to comply with those standards? And third, will the provider remain properly motivated to live up to its agreement? In summary, contracting for cyber-security is primarily a matter of selecting the right provider, securing the right commitments and setting the right incentives.

Selecting the Right Provider

To weed out risky providers, you must first know the challenges you face. The contracting team needs to align with the company’s cyber-security experts.

As first steps, identify the types of data that the provider might access, understand the nature of the cyber-security risk for each type of data, and find the relevant parts of your information security plan. Then, consider whether the risks might be mitigated through technical or operational measures, such as encrypting data or limiting access to it.

If there is a data security concern, then any Request for Information (RFI) or other preliminary market review should include questions about data security practices. Many companies have form questionnaires based on their own information security plans, and, in the absence of such a form, requests for information about security certifications may be a fast approach.

For high-risk data, consider using security audits and reviews as part of any initial site visit, just as you would review any other aspect of production. Estimate what it will cost to be sure that the equivalent level of security is maintained over time.