If you listen very carefully, the age of information security as we know it ended recently, not with a bang, but with a whimper. While that may be something of an overstatement, a recent event put us on the track to that very end.
Consider the “old way”: Your company decides to engage a vendor to provide services or products in which the vendor will have possession of, hosting of, access to, or other use of your sensitive data or interaction with your production systems. In those cases, a prudent company would do three things to address information security. First, it would conduct due diligence of the vendor’s security practices, including past security incidents, compliance with recognized security standards, security policy review, etc. Second, it would include specific, strong protections in its contract with the vendor addressing the vendor’s obligations with regard to security, including service level obligations to ensure the availability of critical data. Finally, a prudent company would conduct post-contract-execution audits and inspections to ensure the security requirements in the agreement are being followed.
These three approaches to mitigating security risks in vendor agreements form an integrated whole and reflect best industry practices: diligence, contract requirements, and post-contract policing.
These three approaches to mitigating risk form the cornerstone for businesses to show they have been diligent and acted reasonably in addressing security risks in vendor contracts.
These three approaches to mitigating risk are the primary means by which a business can respond to and defend itself against a regulatory investigation in the event of a security breach.
Now, imagine the new emerging paradigm – a paradigm in which you are not able to implement any of the foregoing approaches to mitigating risk. You cannot conduct diligence, you have no means of achieving required contractual protections, and you are denied post-contract policing. Consider, further, that these are not small engagements, but engagements involving hundreds of thousands, if not millions, of dollars in fees.
Let me be more specific about the disturbing trend I am describing. In particular, consider the case of one well-known cloud provider. Let’s call them “ABC”. Their new approach to contracting involves the following: ABC reserves the right, without customer approval or notice, to subcontract performance to any number of third-party hosts or other providers to perform some or all of the key data hosting, security, and other operations comprising ABC’s services. Let’s call the third-party hosts and other providers the “Subcontractors.” ABC can change the Subcontractors at will. Now, if we were still operating under the “old way,” ABC would readily agree, at minimum, that it is responsible for the actions of its Subcontractors and that any failure by a Subcontractor would constitute a failure by ABC.
But this isn’t the old way. Instead, ABC takes the unprecedented approach of stating that, in fact, it assumes no liability or responsibility for the Subcontractors it has chosen. Moreover, it states that, to the extent there are any protections at all, they are found in the online form agreements made available by the Subcontractors, and it refers the customer to those agreements. The flaw in this approach is that ABC’s customer is not a party to those online agreements. So, while those agreements may be interesting, the customer has no means of enforcing them against the Subcontractors. Only ABC has that right. Only ABC is actually in contract with the Subcontractors.
What Is the End Result of the Foregoing?
First, ABC’s customer has very limited ability to conduct diligence of ABC’s Subcontractors. The customer is limited to perusing generic online information made available generally by the Subcontractors to those visiting their websites. Even if the customer could conduct meaningful diligence, it would be of little real use because ABC can change the Subcontractors at will and the Subcontractors can change all or any part of the online information at any time.
Second, if the Subcontractor fails to perform (e.g., it is a host and the service for which the customer is paying ABC fees is never available for access due to SLA failures at the Subcontractor) or suffers a major data breach, ABC assumes no responsibility and ABC’s customer has no remedy. In both cases, the customer is left without the ability to hold either ABC or the Subcontractor accountable for the failure. Worse yet, the customer will likely have no means of declaring a breach of its agreement with ABC and will be unable to terminate the agreement. The customer is left continuing to pay for a service that is, at best, non-conforming or, at worst, creating liability due to a data breach or other mishandling of information.
Finally, because the customer has no contractual rights against the Subcontractors, it has no audit or other rights to ensure the Subcontractor is adequately protecting its information and systems. Even if it had those rights, it has no means of forcing the Subcontractor to correct any identified non-conformances or deficiencies.
To review:
- The customer has little or no ability to conduct meaningful diligence of the Subcontractors;
- The customer has no contract with the Subcontractor, so it cannot enforce its rights against the Subcontractor;
- ABC is refusing any responsibility for its choice of Subcontractors;
- ABC can change the Subcontractors at will;
- ABC can use this approach to outsource the entirety of its operations and avoid any material responsibility for its services;
- Even if ABC retains certain performance obligations, in the event of a failure or breach, ABC is likely to point a finger at the Subcontractor and vice versa as the source of the issue; and
- The customer has no means of conducting post-contract assessments and audits of the Subcontractors.
The result: the end of information security as we know it.
What is truly remarkable is that ABC insists its approach is entirely reasonable and entirely consistent with industry practice. Thankfully, they are incorrect. The overwhelming majority of vendors continue the “old way,” rightfully assuming responsibility for the subcontractors they select. Let’s hope that continues.
In the meantime, beware of vendors who attempt to abdicate their responsibility to unnamed third-party contractors. Proceeding with an engagement of that kind means you are, at best, assuming an unqualified obligation to pay for a service that need never be provided and, at worst, a compliance nightmare. Consider having to explain to a regulator or plaintiff in a class action that you entrusted highly sensitive data to a vendor only to have that vendor hand off the data to a third party for whom the vendor assumed no real responsibility and with whom you have no contract. That will be a difficult conversation.
This article was originally published at CSOOnline.com.