Page 50 - Cyber Warnings
Terms of the agreement are often in flux though. No one size fits all here. Each side wants to
protect its own interests, and negotiations can (and will!) move in wildly different directions.

From your perspective, though, the contract takes on deeper significance when you consider the
following: in the US, there isn’t a specific federal law watchdogging third-party collection and
use of personal data. A short list of regulations addresses parts of the issue. Note the word
‘parts’. The Consumer Privacy Protection Act of 2015 (Federal Privacy Bill S.1158) is a more
focused attempt at the problem, but at the time of this article the Act is in committee…its status
uncertain. In the meantime we struggle through the miasma of state and federal regulations
that make up today’s environment.

Needless to say, in a perfect regulatory environment a well-written service level agreement is
important. In the less-certain atmosphere we live in today, a strong SLA is even more critical.

Step Two: Establish a strong Service Level Agreement

Of course, you will address the boiler-plate SLA issues: service availability, monitoring and
reporting, etc. But consider the data perspective as well! A rule of thumb as you track through
this process: while financial responsibility may be assigned, the regulatory liability remains with
you. Your organization shoulders some responsibility for the actions of the vendor you’ve chosen.
Here are some steps to consider while drafting your SLA.

- Define the timeline in which you will be notified in the event your vendor is breached. The
  goal here can be summed up with a few simple words….the sooner the better. Worst case
  scenario: you learn about the breach through a news source. Your phones are ringing…calls
  from angry clients asking you about suspicious charges on their accounts, threats of
  lawsuits, and your manager is outside your office with HR and a packing box. Make sure your
  vendor is notifying you well before the event has gone this far.

- Agree in writing on financial responsibilities. Spell out who pays for incident investigation,
  legal fees, fines, claims…
  - Consider requiring your vendor to carry cyber-liability insurance, and ask whether some of
    that coverage can be extended to your organization.

- Handling your data. The data has left the building, but your responsibility for it hasn’t!
  - Ask your vendor for a copy of their Security Policy. This may be proprietary. If so, they
    may be reluctant to furnish the document. If available, though, this should help answer
    many questions that deal with the safety of your information.
  - Try to establish whether your data is commingled with that of other organizations. It
    probably will be. This may not be a risk in itself. On the other hand, it could be. At the
    very least this implies that more third-party employees will be accessing your information
    (do you really want a long list of people pulling up your data?). Worse…it implies that
    there could be more potential chinks in the armor….more opportunities for a
    breach-inducing event to take place.

50 Cyber Warnings E-Magazine – February 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide