"As it currently stands the focus of risk mitigation with respect to security are technical controls and other security measures, and the importance of the contract as a risk mitigating tool is overlooked," says David Navetta, founding partner of the Information Law Group. "As litigation increases in this area, for risk-conscious organization, the protections in the service provider contracts are going to become very important."
Litigation in these cases of third-party breaches is a common occurrence, frequently with the third-party organization ducking under the radar as their customer gets hammered by class action suits. For example, when a breach that exposed data for 4.9 million active and retired U.S. military personnel was caused by the theft of backup tapes from the car of an employee at Science Applications International (SAIC) Corp. working on behalf of TRICARE in September, the $4.9 billion lawsuit lobbied by effected individuals just last week was lodged against TRICARE and the Department of Defense, not SAIC.
Similarly, Stanford Hospital had a $20 million lawsuit filed against it after an employee at its billing contractor, Multi Specialties Collection Services (MSCS) inadvertently posted patient information on a homework help site online. Stanford has been on a publicity blitz claiming its outsourcer was totally to blame for the breach.
In most cases like those, the details of the actual contract between the organization and the supplier never really become public. Typically they're buried in closed settlement deals and kept locked down with non-disclosures. But John Nicholson, counsel for the global sourcing practice at the Washington, D.C.-based law firm of Pillsbury Winthrop Shaw Pittman LLP., says that suppliers frequently evade the bulk of liability due to poorly drafted service contracts.
In many cases when a third party vendor enters a contract with a client, the supplier will provide a limitation of liability clause that covers just about anything under the sun. He says he warns his clients all the time not to accept those limitations so quickly.
"They might include a provision that says with regard to data breaches, they will do what's required by law, but what's required by law is actually very limited," Nicholson says. "Then you're in a situation where you have to pay the rest and that may be the bulk of the costs. The problem with 'the rest' is that your mitigation, setting up your help desk to deal with calls from the affected individuals, the cost of credit monitoring, those are not required by law but are standard practices that are expected if you lose financial details."
He says that organizations need to ensure up that contracts detail that those consequential costs are considered as part of the supplier's responsibility should they be responsible for a breach. Navetta usually advises organizations to go one step further than to scrutinize the fine print in contracts after a vendor has been picked. Instead, organizations should be including liability requirements as early as the request for proposal (RFP) stage.
"The key here is to create competition between potential service providers not only on price and scope of services, but also acceptance of risk and contract terms--those willing to accept more risk being potentially better candidates than those not so willing," he says. "Organizations that wait to request protective contract terms until after they have selected a vendor may find those terms watered down during negotiations, and may be stuck holding all the risk of a service provider mistake."
According to Nicholson, organizations need to be careful not to go too far in the other direction. He believes that a customer shouldn't be aiming to make their supplier an insurer.
"If you've got risks you're subject to right now the way you operate, then just because you've outsourced should not make your supplier liable for doing the exact same thing your own people could have screwed up," he says. "So there's a balance in drafting those provisions. Because companies look at that and say I'm outsourcing so you should be completely responsible for what happens. But when you look at it from the supplier's perspective, they say 'Wait a minute, this is a risk you're subject to right now and you're already getting coverage you don't have right now because I'm going to compensate you for certain things that if your own people screwed up you wouldn't have any compensation for.'"
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.