Business customers are increasingly raising questions about the security provisions that suppliers have in place to protect customer data that is supplied to them via the Internet or stored online in the cloud. Customers are increasingly insisting on having onerous rights of audit in agreements with their suppliers to enable the customer to monitor and check the supplier’s compliance with such security provisions.
For example, under the UK’s Data Protection Act (DPA) customers (data controllers) are required to take appropriate technical and organisational measures to prevent the:
- unauthorised or unlawful processing of personal data; and
- accidental loss, destruction or damage to personal data.
In order to comply with these duties and avoid substantial fines, customers need to ensure that their suppliers have adequate security measures in place to prevent data protection breaches from occurring.
Due Diligence and Auditing
When dealing with government departments or customers who process financial data, customers often want to carry out due diligence on a supplier’s security systems at the pre-contractual stage. This will include ensuring that the customer has the right to check the supplier’s security measures and the supplier’s on-going compliance with the security provisions set out in any terms and conditions during the term of the agreement.
Information Security Officer
Both suppliers and customers should consider appointing an information security officer to assess their cyber risks. Once appointed, the information security officer will be able to deal with any security issues as they arise, at the pre- or post-contractual stage. Without an information security officer, many organisations will lack sufficient knowledge or understanding of their actual cyber security risks: customers will be unable to carry out proper due diligence and suppliers will be unable to respond adequately to customer queries. This will result in the customer and supplier spending unnecessary time on the negotiation of the supply agreement.
Hackers are increasingly accessing online data (in particular online payment details) and using new methods to do so. An information security officer, once appointed, could monitor and detect such problems, keep up to date on the latest security countermeasures, deal with queries (not just in the contracting process but also from concerned data subjects – customers) and report to management on a regular basis.
Notification and Response to Cyber Breaches
Both suppliers and customers need to have obligations to inform each other of security breaches (such as hacking) so that both parties can deal with the issue in a timely manner. The slower a breach is detected, the larger its scope (and any resulting fines) is likely to be. Also, once a party has been notified of the breach, the incident needs to be quickly contained to limit any further potential damage.
One of the most common causes of security breaches is the use of inappropriate passwords, such as “password” itself. Both the supplier and the customer should have adequate systems in place to monitor and prevent the use of such passwords. Systems and procedures should also be in place for the regular changing of passwords to minimise the risk of a security breach via the use of unsuitable passwords.
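The paragraph above says a system should prevent the use of passwords such as “password”. As an added example (not code from the original article, nor from any particular vendor), the Python below shows the kind of screening check that does this: it rejects a candidate password if it is too short, if it contains the username, or if it matches a denylist of well-known weak passwords even after the trivial variations users commonly apply (capitalisation, trailing digits or punctuation, and “leet” substitutions such as “p@ssw0rd”). The denylist, the minimum length of 12 and the substitution table are constructed assumptions for illustration; a real deployment would use a much larger list of common or breached passwords.

```python
"""Weak-password screening check.

Added example, not from the original article. The denylist below is a small
constructed sample; the minimum length and the substitution table are
assumptions chosen for illustration.
"""
import re

# Constructed sample denylist of common weak passwords (lower-case).
# A production system would load a far larger list from a file.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
}

# Common character substitutions, so "p@$$w0rd" normalises back to "password".
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})

# Assumed policy minimum; many policies use 12 or more characters.
MIN_LENGTH = 12


def normalise(password: str) -> str:
    """Reduce a password to its 'base word' so that trivial variants of a
    denylisted password ("Password123!", "p@ssw0rd") are still caught."""
    p = password.lower()
    # Strip trailing digits / punctuation ("password123!" -> "password") and
    # leading punctuation ("!!password" -> "password").
    p = re.sub(r"[\d\W_]+$", "", p)
    p = re.sub(r"^[\W_]+", "", p)
    # Undo leet substitutions after stripping so "p@ssw0rd1" -> "password".
    return p.translate(LEET_MAP)


def check_password(password: str, username: str = "") -> list[str]:
    """Return a list of policy violations; an empty list means the password
    passed every check."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Check both the raw lower-cased value (catches purely numeric entries
    # such as "123456") and the normalised base word.
    if password.lower() in COMMON_PASSWORDS or normalise(password) in COMMON_PASSWORDS:
        problems.append("matches a common weak password")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates, as a user might type them.
    for candidate, user in [("P@ssw0rd123!", "bob"),
                            ("correct horse battery staple", "bob"),
                            ("Welcome1", "alice"),
                            ("alice2024!!", "alice")]:
        verdict = check_password(candidate, user) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The check runs at the point a password is set or changed, so the weak value is refused before it ever reaches the account; the same normalisation can be reused over an exported list of existing credentials hashes only if the plaintext is available at change time, which is why the check belongs in the password-setting path rather than in a later audit.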
These are just some of the general security issues that customers and suppliers should consider when entering into an agreement which involves the transfer of personal data to a supplier. There are many other issues which also need to be taken into account depending on the business sector in which the customer operates and the types of data that the supplier is processing.
image courtesy of Sam Howzit