Information Security Considerations: Service Provider Agreements
A business retains a vendor to perform data processing services. Malicious hackers access a vulnerable port on one of the vendor’s servers from a foreign IP address. The attack compromises the personal information of thousands of customers. It also triggers consumer and regulatory notification obligations pursuant to state statutes throughout the country. How should the business and the vendor allocate responsibility for responding to the event? The answer may lie in a thoughtfully drafted service provider agreement.
On a daily basis, Lewis Brisbois attorneys assist businesses respond to data privacy incidents. We see events like this hypothetical situation occurring with increasing frequency. The scenario illustrates a current online threat and the difficulty of managing risks associated with third party service providers. Virtually every enterprise handles personal information (PI), the privacy and security of which may be regulated by state or federal law. There are inherent risks associated with information being processed, transmitted or stored by a third party service provider. These risks may increase if the service provider must access PI to perform the service. The nature of the information may create different risks to the affected individuals – who may be employees, clients or customers - and to the business responsible for the security of the information. The increased risks should provide a sense of urgency for businesses to carefully review third party service agreements and more actively manage third party service relationships to mitigate the risk of economic and reputational harm.
The following is a summary of items to be considered in managing risks associated with third party service provider agreements. While there may be additional relevant practices depending on the nature of the business and the service provider, the following summary should provide clarity to the primary risks to be managed.
Define Your Service Provider Relationship
Before engaging a third party service provider, the business may want to answer the following questions:
- Will the service involve the transmission, processing or storage of PI?
- What types of PI will be affected by or involved in the service?
- How are the types of PI regulated?
- Is it PI regulated by data breach notification statutes?
- Is it protected health information (PHI) regulated by HIPAA and the Privacy Rule, the Security Rule, and the Breach Notification Rule?
- Is it payment card industry (PCI) data that is regulated by the PCI Data Security Standard?
- What is the value of the PI that will be transmitted, processed or stored by the service provider?
- Does the service provider have cyber liability insurance that will respond to a data privacy incident affecting the maximum value of the PI involved in the service?
- Will provision of the service require access to PI by the service provider?
If the provision of the service will require access to PI by the service provider, will the provider restrict access to only those who need access for legitimate business purposes – for the provision of the service?
- How will the provider restrict access to only those who need access for legitimate business purposes?
- How will the provider screen employees who may need access to the PI?
- How will the PI be secured by the service provider?
- Does the service provider have written data privacy and security policies?
- Do the service provider data privacy and security policies meet or exceed those of the business?
- Does the service provider audit and enforce compliance with those policies?
- Will the service provider provide a written audit of its compliance with those policies, and the security of its information system, to the business on at least an annual basis?
- Does the service provider have an incident response plan?
- Does the service provider test the incident response plan through “table top” exercises on at least an annual basis?
- Has the service provider had a data privacy incident that affected PI within the previous 24 months?
- If the service provider had a data privacy incident that affected PI within the previous 24 months
- How did it occur?
- What was done to remediate the vulnerabilities that contributed to the incident?
- Is the service provider information system more secure now than when the incident occurred?
- If the service provider had a data privacy incident that affected PI within the previous 24 months
- Will the service provider provide a list of references?
- Does a public online search reveal anything adverse about the provider?
Answers to these questions will assist the business in utilizing a service provider agreement as an additional tool to mitigate risk associated with the transmission, processing and storage of PI.
Due diligence is a critical first step in managing the risk. In addition to evaluating the service provider’s current security posture, it is important to evaluate their involvement in previous data privacy incidents. Merely because the service provider was previously involved in such an incident, however, may not disqualify them from consideration. It is possible that the lessons learned from the prior incident may have resulted in a more secure system. The information must be obtained, though, for the business to make an informed decision about how to manage the risk.
Get It in Writing: Service Provider Agreement Terms and Conditions
Purchase orders are simply not sufficient to properly establish clear privacy and security duties between contracting parties. A business should consider incorporating basic data privacy and information security terms and conditions in service provider agreements. The following are some of the specific clauses that can be addressed.
1. Information Security Practices
The business should consider including a provision in the service provider agreement that requires the service provider to comply with prescribed information security practices. The security practices often mirror those of the business and should include the critical security controls. This is often accomplished by incorporating into the agreement a schedule of policies, procedures and practices setting forth the administrative, physical and technological measures that must be taken to protect PI. These schedules often take the form of an exhibit or an appendix to the agreement.
2. Business Associate Agreements
If the service provider may access PHI as part of the service to the business, the business should consider including a provision in the service provider agreement that incorporates a Business Associate Agreement (BAA). This will ensure that the business addresses the responsibilities of a Business Associate under HIPAA for any provider who may transmit, process or store PHI as a service to the business. The executed BAA can then become an exhibit or an appendix to the agreement.
The business should consider including an audit provision in the service provider agreement. This would provide the business the right to periodically audit the service provider data privacy and security practices to ensure compliance with its represented policies and procedures. This can be done through the provision of an audit done by a third party firm on the administrative, physical and technological measures reflected in the service provider policies and practices. The audit should be done on at least an annual basis. It is important that if the service provider agreement includes an audit provision, the business should exercise the audit option. This can be done by simply requiring an annual third party audit and a written audit report upon completion.
4. Addressing A Data Privacy Event
The business should consider including language in the service provider agreement that establishes expectations regarding when, how and under what circumstances a service provider will report a potential or suspected data privacy incident. This may also include the right to investigate any incident involving suspected unauthorized access to PI, including the right to obtain third party confirmation of the scope of the possible compromise. The business should consider requiring a service provider to do the following:
- Notify the business immediately (within 24 hours) upon discovery of a suspected unauthorized access to PI;
- Provide specific known details of the event;
- How was the incident discovered?
- Who discovered the incident?
- Where did the incident appear to occur?
- When did the incident appear to occur?
- What data sets appear to be affected?
- How many individual consumers appear to be affected?
- Provide information about what is being done to prevent further unauthorized access;
- Preserve all evidence of the incident.
As investigations into data privacy events unfold, new details will emerge. The business should therefore consider language in a service provider agreement requiring the service provider to provide regular updates about such details. The agreement can also provide language requiring the following:
- Provide access that enables the business to independently evaluate the facts;
- Cooperate fully with any third-party forensics investigation;
- Cooperate fully with any law enforcement investigation;
- Grant the business the right to control the breach response, including selection of response vendors;
- Immediately remedy the cause of the compromise at service provider’s sole expense; and
- Preserve all paper and electronic records related to the event.
5. Contractual Indemnification
Indemnification clauses allow a contracting party to shift liability and defense exposure to another. It is important for the business to thoroughly analyze indemnification provisions in a service provider agreement to ensure that it is not inadvertently agreeing to bear the costs of a data privacy incident that emanated from its service provider, or otherwise agreeing to defend and indemnify its service provider against third party claims. On the other hand, the business should consider contractually securing affirmative protection against third party lawsuits and first party costs by inserting an indemnification provision that requires the service provider to absorb the contracting party’s liability exposure, defense, and crisis management costs.
Indemnification language may include the following:
- Service provider will indemnify, defend, and hold harmless the business from all claims, allegations, causes of action, or demands that are presented to service provider by a third party (including any contractor);
- After a suspected data compromise, service provider will indemnify the business’s losses, liabilities, damages, fines, penalties, assessments and related costs and expenses including crisis management costs (such as legal, forensics, public relations, notifications, call center, and identity protection services), reasonable costs of litigation, court costs, attorney’s fees and interest.
6. Limitations of Liability
Limitation of liability clauses set forth terms limiting legal liability, such as shortening the amount of time within which one party may pursue a claim against the other, setting a monetary limit on damages, or limiting the types of recoverable damages. Limitation of liability clauses have historically limited liability of a service provider to the amount of fees received on an annual basis for the service provided. A business should consider avoiding any limitation on liability that prevents it from recovering the first and/or third party costs of a data privacy incident if vulnerability within the control of the service provider is a contributing factor to the data privacy event. If the service provider transmits, processes or stores PI, the business should consider a provision that establishes liability to be at least equal to the value of the PI handled by the service provider. This can incorporate the estimated costs of notifying and remediating to all affected consumers in the event of a catastrophic compromise to the business system.
In negotiating the service provider agreement, the business should anticipate that the service provider will take the opposing position concerning limitations of liability. The business should consider resisting limitations of liability clauses that render the service provider liable only if the service provider’s gross negligence or willful action causes the event, or if the clause shortens the statutory time the business otherwise would have to make a claim. As the impact may differ from business to business based upon the nature of the relationship with the service provider, the contracting business must ultimately determine the value of limiting its liability should a data privacy event occur. Factors may include the extent to which the service provider has access to PI, the strength of the provider’s own security as revealed in a due diligence investigation, and the importance of the service provider to the business’s core functions.
7. Leverage a Service Provider’s Insurance Coverage
A business should consider requiring its service provider to carry cyber liability insurance to cover the first and third party costs of a data privacy event. A service provider may not realize that its Commercial General Liability policy does not provide coverage for many (or any) of the costs, particularly the first party costs, associated with a data privacy event. The service provider agreement may require that the business be named as an additional insured on the service provider’s cyber liability policy, and that the service provider’s insurance policy be designated as the primary policy in the event of a data privacy event. If the business is listed as an additional insured, it will alleviate the need to address subrogation waivers. The anti-subrogation doctrine prevents an insurer from suing its insured or additional insured for subrogation. The business should obtain yearly confirmation by a current declarations page showing the business as an additional insured on the policy. The service provider’s carrier, not the broker, should issue this proof or certification. The recommended approach is to obtain a certified copy of the entire policy for the business’s records.
8. Warranty Clauses
Warranty clauses provide assurances that goods will be provided or services will be performed or be conducted in a certain way, and/or in compliance with applicable laws and regulations. Service providers will often attempt to include language limiting express warranties for their goods or services, and/or implied warranties provided by law, such as the implied warranties of fitness for a particular purpose, merchantability, or performance of services in a competent manner. While these clauses are common, businesses should analyze these warranties to determine how these clauses may affect data privacy concerns. Such language may purport to apply not only to the service provider, but also to any subcontractors that the service provider hired who may be completely unknown to the business.
Unless precluded from doing so by the service agreement, service providers may outsource a portion of their services to subcontractors who may then have access to PI owned by the business. A business should consider requiring the service provider to warrant that any hired subcontractor who may have access to PI will not only be qualified (and appropriately insured) to perform services, but also that the subcontractor will abide by the service provider’s privacy and information security policies and the other terms in the service provider agreement related to data privacy events. Warranty clauses may require the service provider to obtain a signed agreement from the subcontractor to comply with all privacy and information security policies and protocols set forth in the service provider agreement.
A service provider may attempt to incorporate language into the service provider agreement that allows it to freely amend the service provider agreement’s terms at any time to accommodate technological updates that may affect service. A business should pay special attention to provisions providing for amendments, and carefully review the amendments themselves, to prevent the service provider from unilaterally changing its substantive privacy practices and duties. If possible, the business should consider avoiding language permitting unilateral changes in the service provider agreement.
10. Waivers of Subrogation
A waiver of subrogation clause prevents a contracting party’s insurance carrier from seeking compensation from another contracting party (and usually its subcontractors). Waivers of subrogation usually apply even if the party benefiting from the waiver was negligent in the performance of its contractual duties. Courts frequently uphold waivers of subrogation even when insurance carriers are unaware of their inclusion in contracts. As referenced above, by adding the business as an additional insured to the service provider’s cyber liability policy, it alleviates the need to address waivers of subrogation.
Responsibility for data privacy events are often traceable to the service provider or its subcontractor. Examples include when the service provider discovers deficiencies in its network security or its subcontractor negligently screens or trains its employees. If a business executes a service provider agreement that contains a waiver of subrogation clause, the business may have waived its recovery rights (or its carrier’s rights) against a responsible party. Therefore, businesses should make every effort to eliminate these waivers.
11. Choice of Law Provisions
Service provider agreements often include choice of law provisions that dictate the state law that will govern a dispute related to or arising under the service provider agreement, and the venue in which such dispute will be litigated or arbitrated. The business should perform a preemptive analysis of the jurisprudence surrounding contractual issues that might arise under a service agreement to determine the most favorable jurisdiction should a data privacy incident occur. This can be especially important if the service provider is not located within the United States. A recommended approach for a choice of law provision is that the parties agree to be governed by the law of a specific state within the U.S. and designate the courts of that state to be the proper venue for lawsuits.
12. Special Considerations When Using Cloud Service Providers
Use of a cloud provider allows a business to avoid the bulk of the cost of infrastructure and information technology services necessary to manage data. Use of the cloud presents its own set of challenges. Recognizing the inherent unequal bargaining power of the business when dealing with some cloud providers, a business should ensure that data in the cloud is properly protected and stored, and that access to the information is limited to appropriate personnel with a legitimate business purpose for accessing the data. The nature of the cloud means that data will almost certainly travel across state lines, if not internationally, so the business should pay special attention to choice of law issues. At a minimum, businesses should consider service provider agreements with cloud providers that include the following:
- The infrastructure housing the business’s data will remain in the U.S.;
- The cloud service provider will maintain commercially reasonable data privacy and security practices;
- The cloud service provider will provide annual written audits of its privacy and security policies and practices;
- The cloud service provider will immediately report potential or suspected data events as discussed above; and
- The cloud service provider will agree to promptly allow access to its infrastructure for forensic investigations of data events or will engage a forensics firm approved by the business, and share findings of the forensics investigation with the business.
Service agreements with cloud service providers should also include clear terms describing how data will be properly transitioned out of the cloud should service be terminated with the cloud service provider.
The negotiation of terms in a service provider agreement will be dictated by the nature of the business relationship between the business and the service provider. Businesses should consider reviewing service provider agreements through a lens that identifies and protects against potential liabilities arising from a data privacy event. Service providers should be prepared to provide reasonable measures to reduce liability through appropriate privacy and security practices. They should also expect to cover, within reasonable limits, the first and third party costs of a data privacy event that are attributable to them.
Each relationship between a business and a service provider will have its own unique circumstances and challenges. These may depend upon a number of variables, including the bargaining power of the parties, the nature and length of the business relationship, and the potential liability arising from the engagement. Ultimately, businesses should recognize that carefully reviewing and implementing service provider agreements is an important aspect of enterprise risk management and integral to managing the fiduciary responsibilities of the business.
Managing liabilities associated with service providers has never been more important. It will only increase in importance as technology evolves and online threats become more sophisticated and dangerous. The risks and liabilities can be mitigated, however, with due diligence and good service provider contract management.