January 19, 2021

Volume XI, Number 19


Protecting Data: Vendors May Be Your Weakest Link

Just last week, a Verizon Communications vendor misconfigured a cloud server, exposing the information of 6 million Verizon customers online. When a cyber incident or data breach occurs on your vendor’s watch, regardless of fault, you own the resulting legal obligations and costs. The best tools for managing the risk of using vendors are due diligence and adequate contract provisions.

Before engaging a vendor, you should consider the vendor’s ability to protect your information. One way to accomplish this is to create a vendor security checklist or questionnaire that all potential vendors must complete. For example, you could ask for:

(1) a description of the security measures in place to protect the information;
(2) proof of a third-party risk assessment of its systems;
(3) confirmation of adequate training of employees on the protection of data;
(4) a history of security incidents over the past three years; and
(5) proof of cyber risk coverage.

Of course, the depth and detail of the inquiry will depend on the work that the potential vendor would perform. It is important to engage your IT professionals in this process to ensure that you are asking the appropriate questions with respect to technical issues.

Notably, vendor due diligence measures are required by New York’s Cybersecurity regulations and will be required by the EU’s General Data Protection Regulation when it takes effect in May 2018. And while not required by law in many other settings, vendor due diligence is quickly becoming a standard and expected business practice.

After the due diligence phase, you should ensure that the service contract contains important provisions. The following are examples of such provisions.

Required Security Measures: The contract should detail the security measures that you will require the vendor to implement. Be specific, while leaving open the option that new requirements may emerge, and reserve the right to periodically confirm that the vendor is in compliance. Again, engage your IT professionals.

Immediate Notice: This provision will require the vendor to provide you with notice within a very short time frame in the event of a security incident. Be sure to define "immediate." Twenty-four hours is ideal, but three to five business days may also be acceptable.

Indemnification: The contract must have a strong indemnification provision that requires the vendor to cover all costs and expenses that flow from any security incident or breach of information it maintained, accessed or promised to secure on your behalf, including notification and reporting costs, legal fees, governmental fines and the cost of any litigation or claim brought against you relating to the security incident or breach.

For health care providers, vendors with access to protected health information must also enter into a business associate agreement ("BAA") under HIPAA. Your standard BAA should address the above provisions. If possible, avoid signing a vendor’s standard BAA because it likely will not protect your best interests.

© Copyright 2020 Murtha Cullina. National Law Review, Volume VII, Number 199



About this Author

Dena Castricone, Murtha Cullina Law Firm, Privacy and Cybersecurity Attorney

Dena M. Castricone is a member of the Long Term Care and Health Care practice groups. She is the Chair of the Privacy and Cybersecurity practice group and the Chair of the firm’s Pro Bono Committee. Prior to joining Murtha Cullina, Dena served as a law clerk to the Chief Justice of the Rhode Island Supreme Court, Frank J. Williams.

Dena’s long term care and health care clients compete in a constantly evolving industry, facing both rising administrative and regulatory burdens and shrinking reimbursement rates. She helps skilled nursing centers, physician groups, home health and...

Daniel Kagan, Murtha Cullina, health care attorney, regulatory compliance lawyer, reimbursement issue legal counsel

Mr. Kagan is an associate in the Health Care Group of Murtha Cullina. He represents hospitals, physicians and other health care clients with a wide range of regulatory, compliance, risk management and reimbursement issues.

Prior to joining Murtha Cullina, Mr. Kagan clerked for the Honorable Lubbie Harper, Jr. and the Honorable Joseph H. Pellegrino of the Connecticut Appellate Court.

Mr. Kagan received his J.D. with honors from the University of Connecticut Law School where he was a Notes and Comments Editor ...