To what extent do lawyers who draft or review contracts know what their clients need or commit to when it comes to clauses or annexes detailing the parties' information security obligations? Despite the sometimes numbing acronyms and technical content, lawyers and business leaders need a basic understanding of what accompanies the most common forms of information security clauses and certifications. It will also help them determine which standards, representations and certifications are most useful and appropriate for a particular service contract.

The clause does not intentionally address payment fraud. Although this type of Internet fraud is becoming more common, the subcommittee believes that a contractual clause does not significantly reduce the risk. Fraud succeeds mainly because of poor verification and approval procedures in companies and can be avoided by tightening internal procedures.

It's important to remember that contract monitoring is the last step in a cascading progression. The initial identification of the processes and data concerned, together with the initial security requirements, is used to formulate questions for the call for tenders. The responses to the call for tenders are used to evaluate suppliers and refine the security requirements. The assessment of the finalists and the risk assessment refine the security requirements further, and these are then included as wording in the contract or service description. Finally, it is the final contract and the corresponding level of risk that determine the appropriate approach to contract monitoring.
Data security issues and standard contractual clauses are for informational purposes only and should not be construed as legal advice. The data security topics provided are issues to be taken into account by higher education institutions when preparing requests for information (RFIs), requests for proposals (RFPs) or contracts that may involve higher education data. However, the topics are neither comprehensive nor exhaustive, and not every topic applies to every RFI, RFP or contract. In addition, federal, state, and local laws and regulations may also affect the data security provisions that must be included in a particular RFI, RFP, or contract. Contractual terms dealing with issues other than information security may also affect the effectiveness or applicability of the clauses proposed in this document. The example requirements and issues in this document, as well as the contractual clauses, should be treated as a starting point for discussion and may need to be modified depending on the intended use.

Outsourcing business and IT functions often also means outsourcing compliance and liability risks. If a service contract involves protected categories of personal data, both parties must understand the requirements and the security risks.
The contract should assign responsibilities for preventing and responding to security breaches. The contract may also specify expectations by including a written security policy or by referring to a generally accepted information security standard, sometimes accompanied by a requirement for a third-party security review or assessment. As a practical approach to the challenge described above, this document divides the purchase of IT products and services into three steps and organizes the security questions for proposals and the contract language around a decision tree of four questions that anyone drafting or reviewing a tender or contract should ask.

Universities operate in their own political and regulatory context. While regulatory frameworks such as the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI DSS), and government breach notification laws are part of our common lexicon, few of the growing number of third-party information service providers are familiar with higher education's FERPA obligations or with the rich tapestry of internal policies for data access and distribution. Moreover, the seemingly harmless nature of many contemporary services (such as social media) has allowed businesses to thrive by merely asserting strong security practices rather than demonstrating them.

Security Breach Notification: A clause that requires the vendor to notify the organization in a timely manner of any security breach that may affect the organization's operations. Typically, this clause refers to the data breach notification laws that apply to the organization, the provider, or both.

Poor cybersecurity is often due to a lack of risk awareness.
The BIMCO cybersecurity clause fulfils three important functions: the first is to raise awareness of the risk; the second is to provide a mechanism to ensure that the parties have procedures and systems in place to minimise the risk of cyber incidents in the first place; and the third is to ensure that the parties mitigate and remedy the effects of an incident when it occurs, while working together to support each other.

In order to ensure that adequate security controls are in place before entering into a contractual agreement, institutions, including their respective schools, departments, clinics and centres, that use third-party providers to procure IT services should conduct a third-party risk assessment for all services (applications, hosting, systems, etc.) that require the collection, processing, transmission or storage of confidential or sensitive data as defined by the institution's data classification policy. Consider the following when engaging third-party vendors to procure IT services:

The following explanations are intended to provide general information about the considerations underlying the BIMCO cybersecurity clause.