Information Security Demands More than Privacy Laws Compliance
The California Consumer Privacy Act has made headlines in recent weeks (including in several LB3 podcasts, “A Summary CCPA Procurement and Compliance Guide for Your IT and Telecoms Agreements” and “How the California Consumer Privacy Act of 2018 Affects Your Service Provider Agreements”); this week because the California Attorney General released modifications to the draft regulations with which businesses must comply. Protection of personal information is necessary to comply with the CCPA and various state and federal laws, but enterprises’ needs for information security are broader. They must protect the underpinnings of their businesses – their intellectual property, trade secrets and highly sensitive communications such as spin-offs or acquisitions – against unauthorized access, use, or disclosure. To help accomplish this, enterprises should require their IT and telecoms providers to include appropriate information security clauses in their IT and telecoms provider contracts.
What To Do
Appropriate information security clauses depend on the size, scope and nature of an enterprise, its operational structure, the sensitivity of its information, its regulatory oversight, and what information could be accessed by the providers or through the providers’ facilities and systems. Regardless, enterprises should seek these types of information security requirements in their IT and telecoms contracts.
In its 2019 data breach investigation, Verizon determined that 34% of data breaches could be traced to a company’s internal actors, such as its employees and consultants (See, Verizon’s “2019 Data Breach Investigations Report”). Some of these breaches were intentional, seeking personal financial gain or revenge or both. Others were accidental, resulting from successful phishing, smishing, and similar campaigns by external bad actors.
Background checks reduce the risk of internal actor intentional data breaches.
When you were hired or as part of your employment in recent years, did your enterprise run background checks on you? If you work for a medium to large size enterprise and were hired in the last few years, the answer is very likely to be “yes.” Background checks are now the norm. They include social security number traces, criminal background checks (which some states limit to specific time periods or positions), credit/financial checks (particularly for positions with financial institutions or that control or oversee a company’s finances), education, professional license verifications, and drug and alcohol testing (See, for example). These background checks help your employer profile whether a candidate or employee has a tendency to engage in undesirable behavior that places the enterprise at risk.
Your IT and telecoms providers’ employees providing your services may also have tendencies that place your enterprise at risk. You need these providers to run the same types of background checks, to not assign to your account employees who fail these checks, and to remove from your account any who later fail them. IT and telecoms providers prefer to avoid contractual obligations, so expect resistance to credit/financial checks and to removal from the account (particularly if the provider’s subcontractor has these problems). If they would need to run another criminal background check to meet your requirements (e.g., one run in the last 2 years), expect negotiations on who bears the cost.
Cyber security training reduces the risk of inside actor accidental data breaches.
With the prevalence of phishing and smishing in the news over the last decade, it’s reasonable to think we now know not to click on links, open PDFs or act on an email or text we were not expecting, and to call to confirm veracity. That, however, is not the case. Enterprises’ increasing demand for off-hours employee availability and immediate responses leads to working from mobile devices with small screens, where what is visible seems legit. Unsavory actors know this and have improved their techniques on both large and small screens to take advantage of the pressure. That is why strong cyber security training is essential. You likely have been trained, and possibly retrained, on cyber security at your enterprise. Your providers also need to ensure their employees are trained, tested, and retrained as necessary. Their employees may cause the same accidental data breaches, exposing not just the provider’s own information but your enterprise’s information transiting, cached or hosted on the provider’s systems.
Personnel background checks and security training are important but cannot overcome deficiencies in the security of an enterprise’s systems or facilities and those of its providers. These systems and facilities must be properly configured, protected and monitored in compliance with a respected security framework.
Security Framework Compliance
Dozens of well-respected security standards and frameworks exist, with different suggestions and requirements. Some are relatively simple; others far more complex. Security professionals can help you determine what is right for your enterprise. The most widely recognized include:
- ISO (International Services Organization) establishes a security program framework with ISO 27001, which lists over 100 recommended security controls, and ISO 27002, which establishes requirements for information security. ISO 27002 is generally considered to reflect best information security practices.
- NIST (National Institute of Standards and Technology) Cybersecurity Framework, with references and links describing the relationship between the NIST framework and others such as ISO/IEC, CIS CSC, COBIT and ISA. NIST SP 800-53 Rev. 4 establishes numerous baseline controls.
- CIS (Center for Internet Security) Controls v7 – Some consider CIS v7 to provide best security practices for three different types of “implementation groups”, as its recommendations balance risks, costs and benefits.
- COBIT (created by ISACA)
- ISA (International Society of Automation)
- IASME, generally used by small and medium sized businesses. It resembles ISO 27001 but with less cost, overhead and complexity.
- SOC 2 (SSAE Service Organization Control auditing standards for US accountants) – Unlike other frameworks, SOC 2 details how confidential information should be destroyed.
- PCI-DSS (for security of credit card data)
Your enterprise needs assurances that its IT and telecoms providers have implemented appropriate security frameworks to protect your information. The framework may or may not be the same as the one your enterprise adopted, but it should be one of the above. These assurances can come from independent third-party audits of the IT or telecoms provider assessing its compliance with that framework, from allowing your enterprise to inspect the provider’s systems and facilities, or both.
Provider Assessments – If the provider’s practice is to run these audits, you should be able to obtain a summary of the third-party assessment or a certificate of compliance. You will, however, need to verify that the third-party assessment covers the systems and facilities relevant to the products and services you are purchasing. It will be more difficult to obtain a copy of the specific findings and shortcomings identified by the third-party auditor and/or a provider commitment to correct them in a timely fashion. You also need to consider how often you need the assurances – annually, bi-annually, other. If your requirements differ from the provider’s practice, expect discussions about the cost of the additional audits.
Enterprise Assessments – If your enterprise is highly regulated, relying on your IT or telecoms provider’s third-party assessment may not be enough. Your regulators may want and need to see the systems and facilities or demand an independent assessment. Providers resist customers or their agents reviewing the providers’ systems and facilities and seek to significantly limit any such review. Be prepared to negotiate limits on the frequency of any such reviews, the required prior notice of the review, who the customer’s agents can be, and what can be seen, assessed and documented by you or your agent.
Specific Systems and Facilities Assurances
Since many cybersecurity frameworks recommend, but do not require, specific designs, your enterprise may want to specify minimum security obligations your provider must meet. These are often found in a “security exhibit” to the contract and may include how the IT or telecoms provider does or should:
- Segregate data of each of its customers
- Encrypt data in transit and at rest
- Distribute data throughout the world
- Prevent and detect intrusions
- Provide anti-virus and malware protections
- Respond to and manage security incidents
- Control access to machines and infrastructure
- Enforce role-based access based on least privilege
- Conduct logical access reviews
- Monitor logs
- Enforce password policies
- Control remote access
- Provide physical security of facilities and systems
- Decommission devices
- Update and patch software
- Commission third-party penetration testing
- Provide business continuity and disaster recovery
Contractual provisions on background checks, on security training for provider employees, and on provider systems and facilities assurances are critical, but so is requiring appropriate insurance, including cyber liability insurance. And whether these clauses will effectively mitigate your information security risks depends on your provider’s incentive to comply. Your contract should be structured to give them that incentive. The relationship between your likely loss from disclosure of your intellectual property, trade secrets or other highly sensitive information and your provider’s responsibility for your loss is addressed through various liability provisions (e.g., damages cap, disclaimer of damages, types of recoverable damages). Consider these carefully.
Special considerations apply, and the additional or modified clauses needed depend on the specific service implementation for your enterprise. Trying to cover all of them would go far beyond this article. However, here are two you should prioritize:
Managed Security – If your enterprise relies on an IT or telecoms provider for managed security solutions, the importance of these information security protections is heightened. Do not, however, expect the providers to offer more robust provisions. You will need to demand and fight for them.
Hosted, Dedicated and Managed CPE – If your enterprise purchases hosted, dedicated and managed CPE (customer premises equipment), your provider should be more accommodating in meeting your specific information security requirements. If you purchase commodity shared CPE, you may find it difficult to get more than the provider’s standard practices.
Why Do It
Negotiating the above contract provisions will not be easy. They are often among the most difficult and last issues to close. So why do it?
Information security breaches related to a company’s intellectual property, trade secrets and other highly sensitive information have been problems for more than a decade and continue to capture headlines. This year, four individuals were arrested in Hyderabad, India for stealing confidential information and intellectual property to produce pharmaceuticals. In a breach that occurred in 2019 but was disclosed this year, Mitsubishi Electric’s customers’ confidential technical and sales information was taken. In July 2018, a security breach at Level One Robotics disclosed assembly line schematics, factory floor plans and layouts, robotic configurations, etc. for major automakers (See, TechCrunch, Digital Journal, and SC Media’s coverage). And breaches at Boeing since 2010 have given China access to its aerospace secrets (See, The Verge and ZDNet’s coverage).
Your enterprise’s competitive position can be severely impacted by loss of these pieces of information. And an information security breach of a trade secret may deprive your enterprise of legal protection for it if appropriate efforts to maintain the trade secret’s secrecy were not followed. Investors may also add risk to their analysis of your enterprise. A breach of secrecy is also likely to include exposure of PI (personal information). Where PI is exposed, your enterprise’s direct and indirect harms and costs (e.g., regulatory fines, credit monitoring, help desks, security breach analytics, improved security requirements) can be enormous. Requiring your IT and telecoms providers to take these protective measures is imperative.
Information security is complex and critical, and breaches create enormous risks. With this handful of clauses in your IT and telecoms providers’ contracts, you can sleep better. Good luck!