Do Your Contracts Open You Up To Business Busting Cybersecurity Liability Issues
If you haven’t reviewed your contracts lately, you may unknowingly be taking on responsibility for another party’s cybersecurity risk. Worse yet, you may not know that they haven’t accepted the responsibility to protect your data while it is in their hands. Unfortunately, this is not a new thing, and it does have a name. It’s often called third-party risk, and the prevention is a robust third-party due diligence process.
If you are signing contracts without legal review, or haven’t reviewed long-standing contracts, you are likely carrying a lot more liability than you are aware of. Cybersecurity laws are quickly changing, and it’s incredibly important to know your industry. You need to have a clear understanding of your contracts and the risks they may be subjecting you to. Unfortunately, we see this gap in understanding in a significant percentage of clients.
Know Your Clauses
Entering into contracts is an everyday business activity, and their terms define what your duties are, what you will deliver, and what your partner will pay for your services. They also define your partner’s reciprocal duties to you. In most of those contracts, you accept or assume that your partners are accepting liability for the statutory or regulatory controls over the data they will take possession of, for the period of time they maintain that possession. For example, think of your relationship with your bank. You have money (data) that needs to be deposited (shared) with them (a third party) and you expect them to keep control over it (third-party risk). They accept that role in your deposit agreement (contract).
To provide you with an information security example, in health care, a third-party vendor (business associate) is held to HIPAA privacy standards over patient data in its care similar to those applied to the health care provider (the covered entity) that is sharing the data. In that case, you need to ensure your business isn’t taking on all of the liability and releasing the third party. If the language in the contract pushes all the responsibility onto you and the health care provider violates HIPAA, you may find yourself liable, even though you didn’t necessarily do anything directly to the data to put it at risk. However, you certainly missed the step of performing due diligence over the contract in advance.
In another example, if you are buying a business, you are often acquiring all of that company’s regulatory liability. It can’t be “sold away.” Unfortunately, too many people fail to assess that through the lens of cybersecurity liability exposure in that company’s contracts. Companies with poor cyber hygiene sell for less.
It is critical that you are able to clearly delineate who is responsible for what.
A Growing Concern In Business
Most industries haven’t kept pace with the speed at which cyber regulations change, and those regulations are involved in almost every type of transaction. Templated contracts haven’t kept up with the changes. Every industry has data, and liability has shifted without people realizing it. Every contract needs to be reviewed for cybersecurity liability every year if that partner is holding or accessing regulated information.
In addition, business owners — especially owners of small businesses — are focused on turning out a product or offering a service, not on their cybersecurity risk. Companies are signing agreements that aren’t being vetted and, therefore, are not aware that they’ve taken on all of the liability of another business if there is a breach. With an average out-of-pocket cost of $119k, this simple oversight can be a business killer.
Wondering how much a data breach could cost you? Check out our Cyber Disruption Calculator to find out.
Protect Yourself & Your Data
In order to protect yourself, your data, and your business as a whole, you need to understand the laws and regulations around the space in which you are operating. Laws are constantly changing, and the law in Ohio isn’t the same as the law in Indiana. It is absolutely vital that you reach out to a specialist in your space, often a cybersecurity consultant found at a law firm or an accounting firm. Then, be sure to look for the proper evidence of their skillsets in terms of certifications and experience levels. You want your CPA to perform your accounting and a state-licensed attorney to provide your counsel. You should also reach out to a certified cybersecurity risk professional who is committed to looking out for your business. Together, your team should be focused on the objective of keeping your door open tomorrow and into the future.
Then do a risk assessment. A specialist can uncover risks that aren’t on your radar when signing operating agreements and isolate where the gaps are in cybersecurity liability. Ideally, this should be done even before signing a contract, or at least before a problem arises. Too often, businesses fail to review their contracts until an issue arises.
It’s critical to immediately review all of your contracts for indemnification and liability clauses. Do this today. You may be carrying far more liability than you are aware of, and it may be time to renegotiate or to start preparing for changes when the time comes to renew your contract. And, of course, have all future agreements reviewed by someone with knowledge of contracts and liabilities.
As an attorney friend used to say: “Ink is cheap. Legal defense is expensive.”
If you would like to know more about third-party due diligence or cybersecurity risk assessments, contact me directly at 330.651.7040 or firstname.lastname@example.org. Or, click here to fill out our “Contact Us” form and request to speak to a member of Rea’s cybersecurity and data protection services team.
By Paul Hugenberg, III, CISA, CISSP, CRISC (Wooster office)