Contracting for Cyber-Security Service Agreements

By Brad Peterson and Julian Dibbell

When wireless carrier T-Mobile discovered earlier this month that personal data entrusted to it by some 15 million customers had been stolen from servers maintained by its credit processor, Experian, T-Mobile learned a hard but increasingly familiar lesson: A company’s data security is only as strong as the weakest link in its supply chain.

In the ordinary course of 21st century business, companies often expose their data to other companies, particularly service providers. Those providers may be engaged specifically to process data (as Experian was by T-Mobile), or they may simply be given access for incidental reasons. Either way, any weakness in the security practices of a company’s service providers can expose the company to cyber-attacks as surely as if the weakness were its own.

Data breaches have grown so common that they seem almost inevitable, but that doesn’t mean companies should stop doing everything they can to avoid them. The costs are real: Data breaches damage brands and reputations, disrupt business operations and relationships, require costly investigations, and invite a range of threatening legal responses, including consumer class actions, shareholder derivative suits, and FTC and other regulatory actions.

All told, the average data breach costs more than $3.8 million. When a data breach does happen, having a service provider involved adds complications that, according to one estimate, increase the cost of a breach by an average of 10 percent.

The good news is that by contracting well, you can reduce the likelihood and severity of these risks. In contracting with a new service provider (or renegotiating with an existing one), a company intent on minimizing its data breach risks should focus on three questions.

First, is the provider capable of complying with adequate data protection and privacy standards? Second, will the provider agree to comply with those standards? And third, will the provider remain properly motivated to live up to its agreement? In summary, contracting for cyber-security is primarily a matter of selecting the right provider, securing the right commitments and setting the right incentives.

Selecting the Right Provider

To weed out risky providers, you must first know the challenges you face. The contracting team needs to align with the company’s cyber-security experts.

As first steps, identify the types of data that the provider might access, understand the nature of the cyber-security risk for each type of data, and find the relevant parts of your information security plan. Then, consider whether the risks might be mitigated through technical or operational measures, such as encrypting data or limiting access to it.

If there is a data security concern, then any Request for Information (RFI) or other preliminary market review should include questions about data security practices. Many companies have form questionnaires based on their own information security plans, and, in the absence of such a form, requests for information about security certifications may be a fast approach.

For high-risk data, consider using security audits and reviews as part of any initial site visit, just as you would review any other aspect of production. Estimate what it will cost to be sure that the equivalent level of security is maintained over time.
