BreachExchange mailing list archives

How to Combat Data Breaches Using Vendor Contracts


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 25 Jun 2015 19:19:19 -0600

http://www.govtech.com/security/How-to-Combat-Data-Breaches-Using-Vendor-Contracts.html

News that Chinese hackers may have accessed the personnel records of some
14 million federal workers has sent shivers down the spine of the HR
industry. It's a nightmare scenario that could affect almost any workplace.

The data in your employee files -- Social Security numbers, addresses,
names of dependents, health records and bank account routing numbers --
have real value to identity thieves.

Identity theft happens more often than anyone would like to admit. The
Federal Trade Commission estimates that 9 million Americans have their
identities stolen each year, causing monetary losses of more than $37
billion.

Many security breaches happen when third-party vendors (benefits providers,
for example) handle employee information. If you outsource any of your HR
functions, your employees' data could be at risk. It's your responsibility
to ensure your vendors guard against the threat of identity theft.

A good contract with your vendor is your best protection against liability.
It should require vendors to:

Limit the number of people who have access to your data
Ensure data is encrypted and securely maintained
Transmit data only in a controlled, protected manner.

Include notification requirements if a security breach occurs. Cite the
specific state and federal notification laws the vendor must follow.

Involve your attorney in drafting and reviewing the contract. It should
stipulate that the vendor is legally responsible for any data breach that
occurs, and that it will indemnify you and your employees for any actions
arising from such a breach.

Not surprisingly, vendors are often reluctant to include that type of
language in their contracts, but it's critical. Ideally, the contract
should obligate the vendor to pay any damages resulting from the data loss,
no matter when it occurs.

Note: More vendors are outsourcing services to other countries, where lax
law enforcement makes controlling risk more difficult. Negotiate contract
language that requires vendors to obtain your approval before moving work
offshore.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/