Mainebiz

October 19, 2015

Issue link: https://nebusinessmedia.uberflip.com/i/586284


HOW TO

Protect sensitive data used by third-party vendors

By Josh Silver

Outsourcing to third-party vendors has become a significant cost control strategy for businesses — one that also comes with significant monetary and reputational risk. The public sector, information sector (e.g., telecommunications, data processing and publishing industries) and financial services industry are the top three business sectors most affected by information security incidents, according to Verizon's "2015 Data Breach Investigations Report." With the average cost of a data breach reaching $3.79 million last year, according to the Traverse City, Mich.-based Ponemon Institute, it is critical to manage information security risk when outsourcing business operations.

Negotiating information security protections and response protocols up front is critical to your financial and reputational well-being. While allocating risk and liability for incidents often requires compromise, the following outlines some of the key considerations and contractual provisions that should be addressed in outsourcing arrangements.

Before a contract is signed, you should perform appropriate due diligence on any vendor that will have access to your most sensitive data. Create a questionnaire that addresses areas of risk, including information security policies, security controls and data destruction procedures.

Vendors should contractually commit to maintain a comprehensive written information security program addressing the administrative, technical and physical safeguards and controls they will use to protect your sensitive data.

Who is responsible for the costs associated with procedural or technological changes required of vendors as a result of changes to privacy or data security laws? These costs can be significant. If possible, allocate responsibility in the contract.

You should also try to get contractual commitments from vendors to comply with your business' information security policies and procedures. Vendors may push back, contending that it is either impractical or too costly. Be prepared for this by vetting prospective vendors' information security policies and procedures to identify gaps between theirs and yours. These can be addressed during contract negotiations.

Vendors should be restricted to accessing, storing, processing, or transmitting personal information only in jurisdictions authorized by your contract. They should be required to perform background checks on all employee and non-employee personnel that will have access to your data, to screen for those who have been convicted of or pled guilty to a crime involving breach of trust.

All personal information stored or transmitted by vendors should be encrypted using the highest industry standards.

Vendors should be contractually obligated to notify you immediately in the event of an actual or suspected data breach. Even if a breach occurs that does not involve your data, you should be notified, as it can point to deficiencies in the vendor's information security policies that should be remedied.

The contract should grant you and, if applicable, your regulators, broad rights to audit the vendor's information security practices and controls; consider also a requirement for vendors to undergo periodic third-party audits.

You should have the right to terminate vendor contracts if they are not protecting your data as stipulated. Termination rights should not be dependent on an actual data breach.

The contract should specify that you have the right to control all customer-facing aspects of any breach involving your personal information, including notifications to affected individuals, regulatory authorities, and credit bureaus.

Vendors should be required to reimburse you for all costs related to a data breach for which they are responsible. Most will insist on negotiating a cap or argue for a negligence standard of liability, or no liability if they were in compliance with information security requirements dictated by the contract at the time of the breach.

By performing due diligence on prospective vendors and negotiating these and other protective measures and response protocols into your outsourcing contracts, you'll save yourself significant costs and headaches.

Josh Silver is a lawyer at Bernstein Shur in Portland. He can be reached at @ .
