[BreachExchange] How Employers Can Become Experts at Data Breaches: HR service providers

[Audrey McNeil]

https://www.jdsupra.com/legalnews/how-employers-can-become-experts-at-23881/

A large portion of the data breaches that occur each year involve human
resource related issues. This includes situations in which HR data was
lost, employees were inadvertently responsible for the loss of information
about other people, or, in a small number of cases, a current or former
employee maliciously stole or released information.

Bryan Cave has put together a multi-part series to help human resource
managers understand, prepare for, and react to, a data breach. This part
discusses what employers should look for in their contractual relationships
with service providers.

Almost every employer utilizes service providers. Some service providers
require information about employees in order to provide the employee with
human resource benefits (e.g., health insurance, vision insurance, dental
insurance, disability insurance, life insurance, parking, etc.). For
example, in order for a health provider to send benefits information to a
new employee, they must know the name of the employee, what premium should
be charged, the employee’s health insurance elections, and the employees’
beneficiaries who will also be covered under the policy. Other service
providers require information about employees in order to help employers
manage the employment relationship (e.g., payroll processing, tax
processing, benefits processing, disability processing etc.). For example,
a tax preparer needs access to each employee’s Social Security Number,
salary, and address in order to prepare, and/or submit W-2 forms for an
employer.

As with any company, service providers cannot guarantee that the
information provided to them will remain secure in all situations. While a
guarantee may be impossible, employers have a vested interest in making
sure that their service providers utilize reasonable security measures to
help prevent the loss of data, and in understanding how their service
providers will react in the event of a security incident. Employers should
consider the following factors when reviewing a contract with a service
provider:

- Security standard. A service provider that receives sensitive information
concerning your employees should contractually represent and warrant that
they are not only in compliance with law, but that they take reasonable and
appropriate security measures to protect your employees’ information. If
your organization has specific standards for the security protocols that it
applies, consider integrating those standards into your agreement with the
service provider. You may also wish to negotiate the right to audit the
security practices of the service provider.
- Notification of a suspected data breach. If a data breach occurs that
involves sensitive categories of information, states typically require that
a service provider notify the data owner. State notification laws, however,
often give a service provider flexibility to conduct an investigation of
the security breach to understand its scope before putting you on notice.
Many employers negotiate data breach notification provisions that exceed
statutory requirements by forcing service providers to notify them when the
service provider first suspects a data breach and not wait until after the
service provider has completed an investigation and conclusively determined
that a breach occurred.
- Notification of other suspected data security incidents. As discussed
above, “data breach” is a legally defined term that typically refers to
unauthorized access or acquisition of certain fields of sensitive
information. Service providers often experience security incidents that,
upon investigation are not, in fact, data breaches. For example, service
providers that permit your employees to establish a user name and/or
password in order to log-into an online portal often monitor employee
accounts for indications that an unauthorized person has obtained an
employee’s username and/or password and attempted to log-in. Depending upon
what the attacker views once they have logged in, the incident may not
qualify as a “data breach.” Specifically, the service provider’s network
itself has not been compromised by the unauthorized log-in of authorized
user credentials and, while the attacker may have viewed non-public
information about an employee that information may not trigger a breach
notification statute (e.g., if the information contained only the
employee’s salary, or contained data elements that the attacker possessed
prior to viewing the account). While this type of “unauthorized
authentication” may not be the fault of your service provider, you may have
an interest in having the service provider alert you of the situation so
that you can advise an impacted employee that a third party appears to have
access to their account credentials (e.g., user name and password) and may
have accessed their information.
- The degree to which a vendor can, or should, be held liable for a data
breach varies greatly. If the breach was caused by a third party (e.g., a
criminal attacker), the service provider may not have been able to prevent
the breach and, as a result, justifiably may feel that it should not be
liable. Conversely, even when a breach was caused by a third party, between
the employer and the service provider, the service provider may have had a
greater opportunity to protect the data from attackers. As a result, an
employer may justifiably feel that it should not be liable. The net result
is that there are often reasonable arguments for, and against, assigning
responsibility to a service provider when the service provider’s system was
breached by a third party. In any case, it is important that employers
understand the amount of liability that your vendors share in connection
with a security incident and, if necessary, renegotiate your agreements to
include industry-reasonable terms.
- Remediation of security vulnerabilities. The adage of “it’s not if, but
when” applies to vendors just as it does to employers. As a result when
establishing a vendor relationship, or negotiating a contract with a
vendor, you should anticipate that a security failure will occur and plan
what the parties’ respective obligations will be in such eventuality. Part
of that discussion should include what obligations the vendor will have to
remediate security failures that are identified as part of a breach. While
some security failures are relatively easy to fix on a going-forward basis
(e.g., patching a terminal that had an out-of-date operating system, or
updating the malware signatures to an anti-virus program), other security
failures may be more complex and even a diligent vendor may not be able to
provide an immediate fix (e.g., redesigning a database, applying different
at-rest encryption technologies, etc.). As a result, it may be difficult,
if not impossible, for a vendor to warrant before a breach happens and a
security vulnerability is identified that any and all vulnerabilities will
be fixed – let alone provide a precise timetable for how long remediation
may take. When searching for a middle ground some employers require that a
vendor take “commercially reasonable” steps to remediate significant
security vulnerabilities. Other employers draft their service agreement to
allow them to terminate a relationship with a vendor for-cause if the
vendor will not, or cannot, remediate a security vulnerability.
- Termination rights. Employers should remember to continually reevaluate
throughout the vendor relationship whether the level of security that a
vendor can offer matches the level of security required by the employer.
If, at some point, there is a mismatch between an employer’s needs and a
vendor’s capabilities, the employer may want the ability to terminate the
vendor relationship without incurring penalties and transfer its data to a
new provider.
- If the agreement that you have with a service provider imposes
obligations upon them in the event of a data breach (e.g., to issue
notifications to employees, to provide identity theft related services to
your employees, or to defend and indemnify your organization), it is
important to consider whether the service provider would have the financial
ability to meet these obligations in the event of a breach. When thinking
about a service provider’s financial capacity, remember that if a service
provider experiences a network breach that impacts the information of some
(or all) of their clients they may be liable to dozens, hundreds, or even
thousands of companies – not just your organization. If you have doubts
concerning their financial strength to absorb the impact of a data breach
consider requiring that they maintain cyber-insurance and that your
organization be identified as an insured on their policy.

TIP: A service provider that is willing to “guarantee” that your employees’
information will always be secure, or that represents that they have never
had a data security breach, may be demonstrating a lack of data
security-related maturity. In such cases, while a contractual guarantee is
beneficial if a breach occurs, the service provider may be unwilling (or
unable) to comply with their contractual commitments.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171114/0bbf5f96/attachment.html>