Do Your Contracts Open You Up To Business Busting 网络安全 Liability Issues
如果你最近没看合同的话, you may unknowingly be taking on responsibility for a不her party’s cybersecurity risk. 更糟的是, you may 不 know they haven’t accepted the responsibility to protect your data while in their hands. Unfortunately, this is 不 a new thing and it does have a name. It’s often called third-party risk and the prevention, is a robust third-party due diligence process.
如果你在没有法律审查的情况下签署合同, 或者没有审查长期合同, you are likely carrying a lot more liability than you are aware of. 网络安全 laws are quickly changing, and it’s incredibly important to know your industry. You need to have a clear understanding of your contracts and the risks they may be subjecting you to. Unfortunately, we see this gap in understanding in a significant percentage of clients.
了解你的条款
签订合同是日常的商业活动, 他们的条款定义了你的职责, 你将交付什么?, 以及你的伴侣会为你的服务付多少钱. 它们还定义了你的伴侣对你的互惠义务. 在大多数合同中, you accept or assume that your partners are accepting liability for statutorily or regulatory control for the data they will take possession of, and over the period of time they maintain that possession. 例如,想想你与银行的关系. You have money (data) that needs to be deposited (shared) with them (a third-party) and you expect them to keep control over it (third-party risk). They accept that role in your deposit agreement (contract).
If the language in the contract pushes all the responsibility onto you and the health care provider violates HIPAA, 你可能会发现自己有责任, even though you didn’t necessarily do anything directly to the data to put it at risk.
为您提供一个信息安全示例, 在医疗保健方面, a third-party vendor (business associate) is held to similar HIPAA privacy standards over patient data in their care as the health care provider (the covered entity) who is sharing the data. 在这种情况下, you need to ensure your business isn’t taking on all of the liability and releasing the third-party. If the language in the contract pushes all the responsibility onto you and the health care provider violates HIPAA, 你可能会发现自己有责任, even though you didn’t necessarily do anything directly to the data to put it at risk. However, you certainly missed the step of performing due diligence over the contract in advance.
在另一个例子中, 如果你要买一家公司, you are often acquiring all of that company’s regulatory liability. 它不能被“卖掉”.“不幸的是, too many people fail to assess that through the lens of cybersecurity liability exposure in that company’s contracts. 网络卫生不佳的公司售价较低.
It is critical that you are able to clearly delineate who is responsible for what.
商界日益关注的问题
Most industries haven’t transitioned to the speed and velocity of cyber regulations, 几乎所有类型的交易都涉及到它们. 模板化的契约没有跟上变化的步伐. Every industry has data and liability has shifted without people realizing it. Every contract needs to be reviewed for cybersecurity liability every year if that partner is holding or accessing regulated information.
除了, business owners — especially owners of small businesses — are focused on turning out a product or offering a service, 不 他们的网络安全风险. Companies are signing agreements that aren’t being vetted and, 因此, are 不 aware that they’ve taken on all of the liability of a不her business if there is a breach. With an average out-of-pocket cost of $119k, this simple oversight can be a business killer.
想知道数据泄露会让你付出多少代价? 看看我们的网络破坏计算器就知道了.
保护你自己 & 你的数据
为了保护你自己, 你的数据, 以及你的整个业务, you need to understand the laws and regulations around the space in which you are operating. Laws are constantly changing, and the law in Ohio isn’t the same as the law in Indiana. It is absolutely vital that you reach out to a specialist in your space, often a cybersecurity consultant found at a law firm or an accounting firm. 然后, be sure to look for the proper evidence of their skillsets in terms of certifications and experience levels. You want your CPA to perform your accounting and a state licensed attorney to provide your counsel. You should also reach out to a certified cybersecurity risk professional who is committed to looking out for your business. 在一起, your team should be focused on the objective of keeping your door open tomorrow and into the future.
然后做一个风险评估. A specialist can uncover risks that aren’t on your radar when signing operating agreements and isolate where the gaps are in cybersecurity liability. Ideally, this should be done even before signing a contract, or at least before a problem arises. Too often, businesses fail to review their contracts until an issue arises.
You may be carrying far more liability than you are aware of, and it may be time to renegotiate or to start preparing for changes when the time comes to renew your contract.
It’s critical to immediately review all of your contracts for indemnification and liability clauses. 今天就做. You may be carrying far more liability than you are aware of, and it may be time to renegotiate or to start preparing for changes when the time comes to renew your contract. 和, 当然, have all future agreements reviewed by someone with knowledge of contracts and liabilities moving forward.
正如一位律师朋友过去常说的:“墨水很便宜. 法律辩护费用昂贵.”
If you would like to know more about third-party due diligence or cybersecurity risk assessments, 直接打330和我联系.651.7040 or 保罗.hugenberg@cristinaserrano.net. 或者,点击这里填写我们的 “安全的赌博软件” form and request to speak to a member of 意图’s cybersecurity and data protection services team.
By 特拉维斯·斯特朗,CISA (伍斯特哦)
寻找加法网络安全洞察? 看看这些资源:
[ARTICLE] Protect Your Business From COVID-19 Cyber Attacks In 3 Steps