When a data breach occurs, the immediate hours after are both chaotic and critical to an effective response. Preparation is therefore essential. One component of executing an effective breach response is a solid understanding of the contractual contours between contributing or impacted third parties. Scouring a contract management system, or worse, a file cabinet of paper contracts to understand relevant third party relationships and obligations in the heat of a breach could result in the organization spinning its wheels when it should be implementing its data breach response plan. Auditing, extracting key provisions, and organizing those provisions before a breach occurs can therefore be a valuable tool in responding to an incident or full-scale data security crisis. But how can inside counsel be secure in her belief that she has cataloged the provisions most relevant to a breach response? Collecting and understanding the following provisions in third party agreements is a good starting point for preparedness when a breach occurs.
Security-Related Service Responsibilities: Understanding who is responsible for what related to data security is essential to effectively coordinating a breach response. But in a world of multi-sourcing agreements covering discrete parts of an organization’s operations, untangling who was responsible for particular services—both before the breach and following a breach—can be complicated. Extracting and organizing security-specific services from third party service agreements (which may include hundreds or thousands of non-security related obligations) may vastly improve response efficiency if a breach occurs.
Governance: Few areas are more important to outsourcing relationships than a governance regime. Without adequate oversight, corporations are exposed to business disruption, legal liability, and a loss of customer goodwill. Sustainable governance stretches beyond merely defining visibility within each outsourcing contract; it requires constantly engaging the stakeholders on the importance of implementing and enforcing existing governance tools. Not surprisingly, the governance structure, transparency obligations, and key contacts defined in the relevant contractual agreements will become essential during a breach response and subsequent investigation. Further, such provisions often define how data communication should flow between impacted organizations. Having these provisions at the ready will be essential to identifying key stakeholders that need to be mobilized following a breach, especially when the organization’s data breach response plan lacks a similar level of detail.
Breach Notification Obligations: Breach notification provisions are designed to ensure all parties impacted by a breach can control the damage, avoid the embarrassment of having a third-party source disclose the breach, and allow the organization to start the ball rolling on meeting its regulatory obligations. For an organization impacted by a breach, notification provisions can work in both directions. When a vendor is responsible, the breach notification language may provide leverage to demand a more thorough and rapid disclosure of information. Further, regardless of the culprit, breach notification provisions may define contractual obligations for your own organization to notify customers or partners whose data may have been impacted by the breach. Having these obligations quickly accessible provides the organization a checklist to ensure each of its contractual obligations is met without allowing the fog of a breach to cause costly missteps. These provisions may also define who has the responsibility for handling mandatory state or federal notifications to customers or governmental agencies—steps that may become an essential and potentially costly component of a breach response.
Data Encryption Provisions: Whether or not breached data is adequately encrypted may dramatically alter the organization’s response—including what, if any, state and federal notification requirements are applicable. Often, governing contracts define the types of data that must be encrypted by third party service providers. Although not necessarily a guarantee that the provider followed those obligations, having the controlling contract language handy and accessible will help the breach response team quickly understand the scope and impact of the breach.
Audit Provisions: As a breach unfolds, information related to the breach is a critical commodity. When third parties are involved, knowing the types of information you must be provided and the mechanisms to access it may be the difference between a successful response and exacerbating the problem. Such provisions will also be essential as the organization attempts to construct a root cause for the breach so that it can rectify any system deficiencies.
Insurance Coverage: Cybersecurity insurance policies are becoming more common. Few, however, are alike. Simply having a policy does not mean the organization should rest assured it will be fine should a breach occur. Careful attention should be given to understanding coverage caps and loopholes in coverage. Having these terms available and consulting them during a response is important as taking (or not taking) specific actions could have significant consequences for potential coverage.
Expense Reimbursement: Insurance may not be the only vehicle for reimbursement following a breach. When a third party is involved, the governing contracts will almost certainly outline what reimbursement each party is entitled to following a breach or an outage. There may be available Service Level Agreement (SLA) or Key Performance Indicator (KPI) credits, reimbursements for breach response activities such as customer notifications, cost allocation provisions related to auditing and root cause analysis investigations, indemnification provisions related to litigation or regulatory enforcement, or service credits related to failures to meet contractual obligations. Alternatively, there may be express caps and/or exclusions related to data breaches or maliciously caused outages. Either way, although the immediate reaction following a breach will be to fix it without regard to cost, having quick access to who is responsible for which expense may provide important guidance to the breach response team, or alternatively may provide significant leverage over a third party assisting in the response.
Termination Rights: Any breach involving third parties is going to fray relationships. Although both sides need to work together to effectively contain and understand a breach, any organization is going to assess whether the relationship makes sense going forward. Often, it will. But knowing the contours of termination is important. Does the breach constitute an event warranting termination for cause? If so, what prerequisite steps should the organization put in place in order to preserve the option? If termination for cause is not an option, what are the options and consequences of terminating for convenience? Having this information handy will not only allow inside counsel to answer the tough questions from internal management, it will provide leverage as the organization negotiates expense reimbursement, response obligations, and the future of the business relationship with the third party, including service adjustments, future audit rights, governance changes, SLA/KPI adjustments, and future service fees.
Controlling the chaos of a breach response is more than half the battle. By taking the time to audit, consolidate, and organize the key contractual provisions with third parties related to data security management before a breach, inside counsel will take a significant step toward a successful data breach response.