
Information Security

August 20, 2009

In the overall list of risk management concerns, information security has been a topic of increasing focus. With Internet usage forecast to grow 45% globally over the next four years, the web has become ‘a paradise for cybercriminals’, according to Andrea M. Matwyshyn, professor of legal studies and business ethics at Wharton and the editor of a forthcoming book titled Harboring Data: Information Security, Law and the Corporation.

In an interview, the authors explain why this is happening and the reasons for concern. In the context of businesses and large organizations, they highlight studies by PriceWaterhouseCoopers which reveal that a large proportion of corporations admit to having no comprehensive information security policy.

According to the authors: “The biggest mistake … is not having a clear handle on where the information lives. The design of large systems calls for a lot of redundancy. Data is copied, duplicated, backed up, sometimes sent to different partners, data warehouses, shipped off site in case some catastrophic event destroys your data center. So data has a tendency to replicate itself. And one of the big challenges is when companies lose track of where the information is. It’s very hard to point to a particular computer or a particular rack and say, “This is where all the credit cards live.” …. The problem is that the more spread out they are, the more points of failure you have to worry about…. The first challenge [arises by] not having an inventory of what you’re collecting, even if you know where you collect it, not knowing where exactly you put it.”

Over and above this challenge of tracking, there is of course also the concern over internal process and practice – for example, employee actions that may compromise data or increase vulnerability to cyber attack.

Many business-to-business contracts now contain provisions related to information security undertakings. They frequently seek indemnities and may demand rights of audit as well as detailed access to the supplier’s information security policies.

However, are such measures adequate? Probably not. In some cases, it seems probable that companies are signing up to commitments with which they cannot in fact comply. They simply hope that a significant exposure does not arise. If you read the book you may feel that a wish and a prayer are no longer sufficient protections from the major exposures that exist.

IACCM will invite experts to comment on recommended contract terms and monitoring procedures. In the meantime, please share your ideas and experiences by recording your comments below.

One Comment
  1. I am grateful to Struan Robertson of law firm Pinsent Masons for this opinion.

    How to describe ‘appropriate’ security in a contract

    OPINION: If you’re signing a contract that involves a transfer of data, you need a project-specific security plan. Too often, detailed plans are overlooked in favour of a simple duty: “you must take appropriate technical and organisational measures.”

    Such brevity is understandable – but it is also unacceptable.

    It is understandable because the words come straight from the UK’s Data Protection Act. They make good sense in a law that has to generalise to apply to myriad circumstances. But such pithiness has no place in a commercial contract, where the parties know what information they have and what will happen to it.

    It’s unacceptable in a commercial contract because it’s ambiguous. In the absence of detail, what is appropriate becomes a subjective test and the only certainty is that each party’s interpretation will differ. That leads to trouble.

    If your supplier presents you with such a vague term, do not accept it. You need to prepare a project-specific security plan and you do that by thinking of all the things that might go wrong and then you address them one by one.

    Don’t be afraid to score a red pen through the Zen-like security platitudes in a supplier’s standard contract and replace them with a schedule that spans several pages. If your contract involves high-risk or high-value data, you have to be specific about security and the measures must be tailored to your project.

    So let’s say your contract puts your data in a third party’s data centre. Here are some things to consider: How will your data be transferred to the data centre? Where is that data centre, and does the supplier have the right to move your data to another location? What happens in the event of a natural disaster? (You can expect more than a force majeure clause). Are there data backup procedures? Is there CCTV throughout the data centre? Is there a plan for penetration testing? Think about what you will need to audit and how often – be specific – and write that down too. Can the third party hire sub-contractors? If so, will you have the right to approve them?

    These are just some of the questions a customer should ask.

    Nobody would sign a contract that defined the price as “quite a lot of money” yet many contracts contain security provisions that range from vague to meaningless.

    Many organisations are alive to this risk today and they will fight for effective security provisions in new contracts. But some will overlook their existing contracts, the contracts that are routinely renewed without amendment. So consider reviewing your existing contracts, too, or at least the high-risk and high-value ones.

    It’s prudent for any organisation to check the security obligations in both new and existing contracts. It may find that they’re simply not appropriate.

    By Struan Robertson, a Legal Director with Pinsent Masons LLP who specialises in technology law. Struan is also editor of Pinsent Masons’ legal information service,
