IT isn’t the holy grail of GDPR – it’s an enabler

The GDPR saga rumbles on, with a degree of GDPR fatigue becoming apparent. IT departments were thrown the challenge of working out what was needed to meet GDPR guidelines as it was thought to be a security issue. It swiftly became apparent it was a people and process issue and not a technology one. So the IT departments passed the buck on to the legal, HR and finance departments. But as companies gain a handle on the policies and procedures they need in place to meet GDPR guidelines, they are now throwing it back over the fence to IT asking how they can help.

There are many IT vendors making many claims as to what IT can do to help with GDPR, but really it’s quite simple. It isn’t a security play; this should be being done already. It’s an enabler to get your processes right. IT departments have some excellent tools that they can deploy to help ensure business processes meet the GDPR guidelines, but the IT department can’t meet GDPR guidelines by itself. Here is a list of IT tools that can help, and indeed will make life simpler in the new GDPR world.

1. Data Discovery Tools

There are data discovery tools that help you understand what data is flowing through your organisation and where it is. These tools can help identify unstructured personal data, but also offer the analytics, tracking and reporting necessary to deliver accountability for file use and security.

2. Mapping Tools

Data mapping may not be an essential requirement of the GDPR, but meeting the requirements of the regulation would be very hard without a clear picture of the lifecycle of personal data in your organisation. Mapping tools allow companies to identify areas where there is a risk to the rights and freedoms of data subjects in order to specify and implement appropriate technical and organisational measures to mitigate the risk. They also allow for ongoing maintenance of data which is important.

3. Encryption Tools

These can be used in a variety of ways to support the guidelines, including protecting data in transit or at rest, providing verification of data integrity and authenticity, and even offering a means of secure destruction. It’s important to keep in mind though, that the encryption may need to be reversible and those responsible for your data must ensure that the technologies selected are appropriate for the formats needed.

4. Protection of Data in Transmission

The guidelines require that organisations implement adequate technical measures to protect personal data during transmission, over and between networks. This is to further protect confidentiality and integrity. You can do this through a combination of network protection (ensuring attackers are unable to intercept data) and encryption (to render the data unintelligible). Controls could include the use of virtual private network (VPN) solutions, disabling insecure protocols, supporting strong protocols and even private point-to-point connections between data centres.

5. Hosted Solutions

For smaller organisations the use of hosted solutions give access to high level security tools, thereby supporting their efforts to comply with the secure processing requirements of the GDPR. These could include robust firewalls, enterprise quality antivirus and web filtering, encryption of emails and management of all endpoints. By outsourcing the storage, backups, security, and processing of data, and provided they meet the requirements for appointing a data processor, organisations are able to significantly reduce their compliance burden.

6. Data Visualisation Tools

With companies generating more and more data, year on year, effective data management i.e. the use of architectures, policies and procedures to manage the information lifecycle needs of organisations, is becoming increasingly challenging. Data visualisation tools that are simple to use can help organisations uncover what personal data is hidden, identify risks, and accurately classify all personal data, providing the intelligence to demonstrate many obligations for GDPR compliance.

7. Monitoring Tools

No later than 72 hours after having become aware of a data breach your company must notify the supervisory authority (ICO). With the time involved in detecting a breach currently being measured in months, this requirement presents a significant challenge to companies. But there are IT tools that monitor and log activity, and create alerts when anomalous events are detected, and support reporting both for the purpose of breach notification and continuous improvement.

8. Retrieval of Data Tools

Under the new guidelines, organisations should be able to locate and retrieve personal data at the request of the data subject. Tools that support the effective retrieval of data from systems in common machine-readable formats should be used, in order to minimise the overheads that might be incurred as individuals exercise their rights.

9. Disposal of data and IT equipment

Your organisation needs to be able to clean and dispose of data and IT equipment previously used for the processing of personal data to ensure permanent erasure, for example, through the use of electronic file shredding programmes.

10. Robotic Process Automation

Finally, companies might also like to consider using robotic process automation if they aren’t already, as this is an effective way of helping to maintain compliance. RPA ensures greater accuracy of processing, and thereby compliance by removing human error. It also ensures greater security of data and information. RPA can be used to improve compliance and security in many areas including, HR, legal, finance and IT.

Technology is a great enabler for the correct use of information within a company’s business processes. IT will help find the information, sort it, store it correctly and put security around it, and then ensure it is deleted correctly when a business no longer requires it, helping you meet your GDPR requirements.

Source: isn’t the holy grail of GDPR – it’s an enabler

5 Best Practices for Outsourcing Cybersecurity

Data breaches are getting more sophisticated, more common, and more expensive; the average cost of a breach has reached $4 million, up 29% in the past three years. No organization, regardless of size or industry, can afford to ignore information security. The shortage of qualified cybersecurity personnel, combined with modern organizations preferring to outsource ancillary functions so they can focus on their core competencies, has resulted in many organizations choosing to outsource part or all of their cybersecurity operations, often to a managed security services provider (MSSP).

There are many benefits to outsourcing information security, including cost savings and access to a deeper knowledge base and a higher level of expertise than is available in-house. However, outsourcing is not without its pitfalls, and there are issues that organizations should be aware of when choosing a cybersecurity vendor. This article will discuss five best practices for outsourcing information security.

1. Never use an offshore cybersecurity provider

The bargain-basement prices offered by offshore cybersecurity providers are tempting to budget-conscious organizations, especially since many other IT functions, such as mobile app and software development, are routinely offshored.

However, mobile app and software development do not necessitate allowing contractors to have access to your organization’s network or sensitive data, and the work can be reviewed by an internal team before deployment. Due to the nature of the work, cybersecurity contractors have full access to your organization’s internal systems and data, in real-time. Meanwhile, there is no way to verify the education, skills, or experience levels of the offshore company’s employees, nor is there any way to ensure they have undergone comprehensive criminal background checks. Finally, if a breach occurs, you may have little or no legal recourse against the offshore provider even if you have proof that the breach was due to negligence or a malicious insider at their company.

Information security is simply too important to entrust to an offshore contractor. There is also a practical matter to consider: Offshore providers are unable to provide on-site security staff at your location, which leads into our second best practice.

2. Steer clear of providers that suggest solutions that are completely remote-based

Some cybersecurity companies provide services that are strictly remote, conducted entirely via telephone and the internet. However, a remote-only solution cannot fully protect your organization, especially since over half of all data breaches can be traced back to negligence, mistakes, or malicious acts on the part of company insiders. An MSSP can protect your organization from the outside and the inside through a hybrid solution that combines remote security operations center (SOC) monitoring with on-site security personnel who can work in tandem with your existing staff or function as a standalone, embedded SOC. These on-site personnel can help your organization establish cybersecurity policies and employee training, as well as immediately respond to security breaches.

3. Beware of providers that claim their solutions provide 100% protection against breaches

When evaluating cybersecurity vendors, you will inevitably come across providers who claim that their solutions are foolproof and will prevent all breaches. This is impossible. Cybersecurity experts are engaged in a never-ending war against hackers. As soon as one vulnerability is fixed, hackers devote themselves to finding the next one, and every new technology that is introduced presents brand-new vulnerabilities.

While a comprehensive cybersecurity solution will protect your organization against most breaches, the cold, hard reality is that there is no such thing as an impenetrable security system. Steer clear of providers who try to tell you otherwise. Not only are they being dishonest, they may also be unable to effectively respond when a breach does occur.

4. Ensure that the provider’s team has real-world experience in cybersecurity

Some cybersecurity providers hire recent college graduates or certificate-holders with plenty of classroom training in information security theory but little or no actual work experience protecting critical infrastructures. Cybersecurity expertise cannot be honed within the confines of a classroom. Entry-level trainees lack the experience to fully grasp the nuances of real-world information security procedures and challenges, which means they are far more likely to make mistakes than enterprise security professionals with years of experience. Make sure that your provider hires only seasoned security experts.

5. Beware of providers who talk about “magic hardware” and little else

Enterprise security hardware platforms are a hot topic in the information security industry right now, and many exciting new developments are being made in this area. However, security hardware is not a standalone solution, and you should be wary of any provider that tries to sell you on a “magic hardware” platform that will purportedly address all of your security needs. Security hardware is a tool for human security professionals; it does not replace them.

Outsourcing your organization’s information security is serious business. You are handing the keys to your kingdom – your company’s internal systems and sensitive data – to a third-party vendor. Asking critical questions and following best practices during the evaluation and selection process will ensure a successful, long-term relationship between your organization and your cybersecurity provider.

Source: Best Practices for Outsourcing Cybersecurity

How to Boost Your Information Security When Outsourcing

Every time companies outsource their business processes or software development projects, they face the need to grant access to their corporate information. That usually prevents many of them from using outsourcing to its full capacity, unless they are able to choose partners, which can ensure full data security. Here is an overview of the options to choose among the outsourcing service providers, and the possible ways of avoiding the main pitfalls in terms of protecting  sensitive information.

Near-shore technology shops

These are business process outsourcing service providers and software development companies established in your own country. Yes, they charge a higher fee, but that is covered by no need of expensive business trips abroad, and the necessity to deal with a cultural and time zone gap. You have the possibility to communicate with your partners as often as is necessary, and keep your hand on how your information is used and how many of the outsourcer’s staff are authorized to use your data by conducting regular audits.

In case of any disputes, you and your corporate information are protected by the law of your country and an agreement encompassing all the sensitive issues concerning information security.  In other words, there will be less unpleasant surprises while near-shoring due to common mentality and legislature.

Hiring a freelancer

This is the cheapest way to outsource your tasks, but also the trickiest one. First of all – how do you find a real person; through accounts on recruiting sites or through word of mouth? Another danger is how do you make sure the freelancer uses your information safely? No-one can guarantee that your contractor keeps all his or her devices protected enough regarding firewall management, network security, vulnerability scanning, anti-malware or endpoint security.

Unless you hire someone from an agency, in which case the organization you cooperate with ensures all the necessary steps for information security. Thus, opting for a freelancer in order to cut on the costs you may lose control of your business processes and end up paying with your own data security, which is not the price you would like to face.

Outsourcing to a company in a region with lower market price for the service

Such agencies provide you with professional and reliable experts to whom you can grant access to your information. You sign a contract which will take on liability for your information security and will vouch for their staff. This way you may avoid a lot of drawbacks you face when outsourcing to a freelancer.

This option seems to be the happy medium between the two abovementioned and gives you a lot of advantages in terms of qualified staff and funds economy, but you should keep in mind that you are working with a foreign company, which abides by the laws of its country. Is the data protection policy of your outsourcing service provider sufficient? Does the country of your partner have enough legislatures on private information, and how secure is sensitive data there? Do you and your service provider understand data security the same way?

It should be safe to sign a data transfer agreement, eliminating any risks of going to court in a foreign country before you grant access to your information. Such agreement should stipulate whether the corporate and sensitive data may be processed according to the law of your country or according to the outsourcing provider’s countries laws. It should also be kept in mind that according to the legislature of most countries, the confidential information may be disclosed upon the request of an authority.

You may as well resort to the protection of information transmission channels, data encryption, and access management while outsourcing abroad as the means of data protection.

It is a fact that although you may outsource your projects, you cannot outsource the consequences of what happens when your data security is breached. Therefore it is necessary to weigh up all the circumstances before you go for one of the abovementioned variants.

If you need to subcontract some trivial tasks and you are on a tight budget, you may opt for a freelancer, however, if you take the matter of your business security seriously, you would want to cooperate with a reputable legal entity.

Source: to Boost Your Information Security When Outsourcing

6 ways to add cybersecurity protections to outsourcing deals

There is growing concern about how third-party IT services providers are protecting corporate data. Here are six ways IT leaders can better negotiate cybersecurity and data privacy issues.

As cybersecurity has become one of the most important strategic imperatives for the enterprise, concerns about how third-party IT services providers are protecting corporate data have grown. As a result, negotiation of cybersecurity and data privacy issues has become one of the most challenging areas in IT outsourcing contract negotiations, says Rebecca Eisner, partner in the Chicago office of law firm Mayer Brown.

“Suppliers are understandably concerned about not paying damages that are disproportionate to the revenue received, and therefore seek to limit or disclaim their liability,” says Eisner. “Customers are equally concerned, particularly where suppliers do not have the same incentives to protect customer data as the customer, and because the negative impacts of a security incident are generally far more significant to the customer than to the supplier.” What’s more, the cybersecurity regulatory environment is rapidly evolving, making it difficult for both sides to access the risks.

The increasingly complex and geographically dispersed IT environment also complicates matters. When company data lived within one or more central data centers, it was much easier for companies or their suppliers to secure the perimeter with, for example, firewalls, physical security and controlled logical access. Today, data is scattered among data centers, clouds, and mobile devices, for a start. “The points of access and potential points of security failure multiply with this ever expanding ecosystem,” says Eisner. “In addition, many of these systems are provided or managed by third party suppliers.”

For those reasons, CIOs must take a risk management approach to selecting, contracting with, and monitoring their company’s IT service providers. There are six steps IT leaders can take to strengthen data privacy and cybersecurity protections in their IT supplier relationships, according to Eisner:

1. Understand which suppliers either process or have access tot the company’s most sensitive personal or regulated data, and data that represents the “crown jewels” of the company.

2. Collaborate with the company’s security, vendor management, and legal teams to determine which supplier relationships create the highest risks for the company in order to focus the appropriate level of attention and resources on that group of outsourcing providers.

3. Take a look at existing IT service provider agreements through the lens of your company’s up-to-date and well-defined cyberscurity and data privacy requirements. Amend those contracts to close any gaps.

4. Make sure that IT’s vendor management, compliance, or security team is monitoring high-risk suppliers, including updating vendor security assessment questionnaires on an annual or bi-annual basis; reviewing audit reports, certifications, and penetration tests; and, where appropriate, conducting site visits and annual security reviews.

5. Review the company’s standard security and privacy contract terms regularly with legal counsel to ensure that those baseline requirements are kept up to date. “This is particularly necessary due to rapidly evolving privacy regulation in the U.S. and around the world,” says Eisner. For example, the new European General Data Protection Regulation set to take effect in 2018, will require operational, policy, and contractual changes regarding the processing and transfer of EU personal data.

6. Take the time to educate the company’s board of directors, officers and employees about security and privacy risks, including those risks associated with third-party relationships, and help them to understand the steps they can take to mitigate them.

Source: ways to add cybersecurity protections to outsourcing deals

Is There any Risk Associated with Outsourcing IT?

As more IT leaders rely on outsourced application development, operational resources, and more, the importance of governing and securing privileged access has grown dramatically, especially in light of recent massive data breaches.

Protecting against the leading attack vector — compromised credentials — is an important consideration when outsourcing IT functionality. Traditional privileged identity management solutions require organizations to create and manage identities for outsourced IT providers within an internal environment, and then grant VPN access.

But this practice increases risk as the gap grows between the number of remote privileged accounts and an authoritative identity provider responsible for securing enterprise access, and as more third-party laptops establish VPN connections to internal networks. The result: An expansion of potential attack points for hackers, disgruntled insiders, and malware.

Federating identity management

But there’s another option. IT can implement privileged access solutions for third parties that minimize identity-related risks using federated authentication. Federated identity management lets outsourcing providers use their existing identification and authorization infrastructure to gain access to the enterprise network. To be effective, the enterprise and its outsourced IT provider must establish mutual trust, and the enterprise must be able to monitor and audit access and protect against rogue attacks from unauthorized parties.

With this approach, the outsourcing organization retains management control for its employee identities, while the enterprise retains control over granting access privileges to enterprise systems and applications for third-party partners.

Privileged access to specific resources can be governed through automated request and approval workflows. The enterprise can effectively monitor and audit access by providing granular access rights and by capturing and reporting on privileged user activities. In addition, IT maintains the option to terminate privileged sessions if they receive alerts of potential security violations.

Federated privileged access allows the enterprise to streamline access management for any number of outsourced IT firms while retaining the ability to swiftly disable privileged user access. In this way, IT can ensure that employees, contractors, and partners have secure access to the right resources, at the right time, and for the right reasons.

Establishing an identity provider

To implement federated privileges, outsource providers must have their own identity provider in place. An identity provider creates, maintains, and manages identity information, and uses technologies like the Security Assertion Markup Language (SAML) to authenticate its users into apps in the cloud or in an enterprise data center. For example, the Centrify Identity Service uses SAML to provide simple, cloud-based identity federation.

Outsourcing IT providers can manage their own employee authentication, directories, and identity solutions while the enterprise provides secure access to shared enterprise applications and resources.

Source: There any Risk Associated with Outsourcing IT?

Outsourcing in the age of cybersecurity concerns

It’s only natural that security comes up when talking about software development. There’s no denying that poor software development practices and subsequent security issues can go hand in hand. The risks can be alarming. Access to an enterprise’s database can be embedded into code. There could be unknown backdoors and other vulnerabilities, allowing hackers to access customer information like usernames, passcodes, credit cards numbers or other sensitive data. Unfortunately, we hear about this all too often in the news.

“Seemingly on a weekly or even daily basis we learn about a cyber security breach on a major corporation,” notes Udi Mokady, the founder, president and CEO of CyberArk, an IT security solutions company, in a J.P Morgan Q&A. “It used to be that unless you were a bank, credit card processor or manufacturer of military weaponry, cyber attackers wouldn’t bother to zero in on you. Now, no one is safe: everyone has something of value. Cyber attackers have broadened their targets, attacking companies of all sizes in industries such as retail, media, energy, manufacturing and IT services, among others.”

So, outsourcing software engineering must make security more risky then, right? Well, no. Developers themselves are without a doubt aware of the risks. For example, The Software Integrity Risk Report, a study conducted by Forrester Consulting and commissioned by Coverity (now a part of Synopsys), says more than 74 percent of respondents state developers are held more accountable for quality and security goals than a year ago. The study is a survey of 336 software development influencers in North America and Europe, and it explores current practices and market trends for managing software quality, security and safety.

Also, developers in the EMEA regions (Europe, the Middle East and Africa) note extreme concern with security in their development projects, based on the EMEA Development Survey by Evans Data. In fact, many developers have taken steps to safeguard projects and apply security mechanisms to combat threats. Some of the most commonly used, according to Evans Data research, are:

  • Context-aware access control
  • Endpoint threat detection
  • Real-time security analytics
  • Cloud access security control
  • And VM monitoring for threat detection

Good software development outsourcing companies should be on top of quality assurance (QA) and testing best practices, as well as overall security issues. However, before you decide to outsource to a software developer, know what measures will be taken to keep your software hacker-proof, and request that your provider define these steps (or define them together). Ask them to tell you specifically how they’ll test your software for security issues, and what controls they recommend.

The IoT and cloud computing play a factor

Another discussion to have with your software development outsourcer is the connection between the Internet of Things (IoT), Cloud computing and software outsourcing. Many software developers are already deeply and unavoidably involved with these technologies, as more and more apps move to the cloud and as the Internet of Things grows into the billions of connected devices.

Because of the risks associated with these new technologies and connectivity, security has become one of the most serious concerns for IoT software developers. Likewise, in its Internet Of Things Development survey, Evans Data found that more than 46 percent of developers surveyed, who are actively developing for IoT, cited security as the primary challenge facing development and adoption.

“Security is important in every discipline, but no more so than in the Internet of Things development arena,” says Janel Garvin, CEO of Evans Data. “Security breaches in IoT can have very real and devastating consequences, and developers feel that the Cloud is both the glue that holds Internet of Things together and also the weakest link.”

Cybersecure software development

In response to significant hacks and security breaches reported in all the major media outlets, cybersecure software development has become even more critical, and enhancing cybersecurity at an enterprise oftentimes requires hiring and/or training an internal workforce. However, is that an expense your company is ready to take on? A proven and widely used alternative is outsourcing to a certified software outsourcing company.

In effect, organizations expect to outsource even more cybersecurity work — all with risk assessment and mitigation, network monitoring and access management, and repair of compromised systems frequently involved — notes an Intel Security study, For the study, a total of 775 information technology decision-makers involved in cybersecurity within their organization, all from numerous countries were surveyed in May 2016. The respondents were from organizations with at least 500 employees and came from both public and private sectors. More than 60 percent of respondents noted they outsource at least some of their cybersecurity work, says the study, which was conducted in partnership with the Center for Strategic and International Studies.

As you plan your company’s software development roadmap, consider cybersecurity and be aware of these factors that could impact its ROI, according to the Intel Security study: acquisition and implementation costs; management efficiency; effectiveness at reducing cyberattacks; and compatibility with existing technology.

If you’re embarking on a software development journey, use the ideas presented here to have serious conversations with your outsourcing partner about the security qualifications of their developers. With the right team, your software will be developed with security top of mind.

Source: in the age of cybersecurity concerns

How to build cybersecurity into outsourcing contracts

IT outsourcing customers must take greater care in building cyber-risk protection into their IT services and cloud computing deals.

Any time a company shares data or provides access to third-parties, it increases its vulnerability to unauthorized access or breach. So in today’s IT environment in which enterprises partner with multiple IT service providers, who in turn may have multiple subcontracters, cyber risks increase exponentially.

“Customer data and systems are only as secure as the weakest link in the vendor ecosystem,” says Paul Roy, a partner in the business and technology sourcing practice of Mayer Brown. “The risks for customers are twofold: not only does the customer increase its risk of a data breach, it also increases the risk that it will be in breach of its regulatory or contractual obligations if its vendors fail to comply with such obligations.”

PUBLICIDAD talked to Roy and Lei Shen, senior associate in the cybersecurity and data privacy practice at Mayer Brown about the potential impact of security incidents arising from IT outsourcing or cloud computing engagements, the shortcoming of cloud computing contracts with regards to customer cyber risk protection, the key contractual provisions for mitigating these risks in an evolving regulatory landscape, and the importance of ongoing review in this rapidly changing area. What are the potential consequences of cyber security failures with third parties, like IT service providers and cloud computing vendors?

Paul Roy, partner, Mayer Brown: The consequences of a cybersecurity failure can be substantial. They include the expense of remediation and notification, damage to the brand, loss of sales, management disruption, regulatory sanctions, shareholder derivative suits and other lawsuits, and other collateral damages. The customer remains ultimately responsible for these risks, even if its vendor was the source of the security failure. Is cyber risk adequately covered in standard outsourcing or cloud contracts?

Lei Shen, senior associate, Mayer Brown: To adequately cover cybersecurity risks, the standard outsourcing contract has to include clear technical and legal compliance requirements and the right for the customer to monitor and otherwise verify the vendor’s compliance with such requirements.

To align incentives, the contract should make the vendor liable for the costs of breaches that it or its subcontractors cause, including the costs of notification, remediation, fines and similar costs. Well-crafted standard outsourcing agreements should contain these types of protections. However, the contractual protections are only adequate when combined with effective oversight and enforcement by the customer.

The adequacy of cloud contracts to protect against cyber risk is more complicated. On the one hand, a cloud service can inspire customer confidence in a cloud vendor’s well-established and hardened security. On the other hand, cloud contracts often fall short of a customer’s compliance requirements for sensitive data, particularly if the customer is in a regulated industry.

Customers must perform a gap analysis between the vendor’s offering and the customer’s requirements to identify gaps and determine whether they can be covered by either party. In addition, narrow limitations of liability—frequent in cloud contracts—can warp the incentives for protection against cyber risk. While there has been a significant growth among sophisticated cloud vendors who are able to address their customers’ data protection and compliance requirements, there is still substantial variation among cloud vendors’ ability to adequately address such requirements. What are the key contractual provisions for mitigating these risks?

Roy: The key contractual provisions to mitigate cyber risk are: (1) the security standards required of the vendor; (2) restrictions on subcontracting; (3) employee related protections, such as background checks and training; (4) security testing; (5) security audits; (6) security incident reporting and investigation; (7) data retention and use restrictions; (8) customer data access rights; and (9) vendor liability for cyber incidents.

Many of these contractual protections come with limitations. Since vendors must maintain consistent internal security standards, especially in a cloud setting, they may have limited ability to customize such standards to meet a customer’s unique requirements. However, the key for customers should be the adequacy of the protection, not the specific means for achieving that protection.

Cloud contracts typically include additional limitations on these types of provisions. For example, in a standard outsourcing agreement, the customer typically has the right to approve subcontractors, whereas cloud vendors have pre-existing subcontractors that are subject to change without customer approval. The key protections for customers in that circumstance are the assurances that security provisions are flowed down to subcontractors and that the customer has the right to periodically obtain a list of those subcontractors, especially if such a list is required by applicable privacy laws. Similarly, a standard outsourcing agreement often contains the right for the customer to conduct security audits, but cloud vendors typically do not permit physical audits of their facilities. The absence of this right can typically be satisfied by third party compliance audit and certifications.

One aspect of cloud contracts that is sometimes overlooked is the restriction on secondary uses of the data by the vendor, including aggregated or anonymized data. From a purely commercial standpoint, this secondary use right can mean substantial value to the vendor and corresponding loss of value to the customer. From a cybersecurity standpoint, any retention of data by the vendor risks re-identification of the data, thereby increasing the risk of security failures. In addition, a vendor’s retention of inadequately de-identified data may also run the risk of violating certain privacy laws. What existing regulations around third-party cybersecurity risk should IT outsourcing customers understand?

Shen: There is a patchwork of regulations in the U.S. across industries and states. At the federal level, they include Gramm-Leach Bliley, HIPAA, SEC requirements for public companies, and FTC requirements. In addition, some states, such as Massachusetts, have their own data protection requirements. The common thread of all of these laws is the requirement that companies take “reasonable and appropriate measures” to protect their data, including care in the selection and oversight of third party vendors.

The European Union has more consolidated and stricter privacy legislation that generally imposes higher standards of data protection than in the U.S. In addition, the new EU privacy regulations that were recently introduced impose additional limitations and much higher penalties for companies that fail to comply. Companies would be well advised to become informed of the upcoming changes in the EU data protection regulations. Many other countries outside of the EU, such as South Korea, also have strict requirements for data protections. How can customers build flexibility into their contracts so that they remain protected in an evolving regulatory and cyber risk landscape?

Shen: The regulatory landscape has evolved and will continue to evolve for the foreseeable future. Outsourcing agreements should include a requirement that the vendor implement changes as needed to adapt to regulatory changes. Where these regulatory changes are specific to the customer, it is reasonable for the customer to be responsible for the incremental costs incurred by the vendor to adapt to those changes. If a cloud vendor refuses to commit to adapt to changes in a customer’s regulations, the customer should at least retain the option of exiting the arrangement.

Source: CIO-How to build cybersecurity into outsourcing contracts