1. How to Prevent IT
Agreements from
Causing Data Security
Breaches
William A. Tanenbaum
Head, IP & Technology Transactions Group

2. Role of IT in Data Security Breaches
• 2013 Trustwave Global Security Report on 450 database breaches found that:
– 63% due to third-party IT providers
– IT providers’ practices caused security deficiencies easily exploited by hackers
• Provider’s subcontractors are a common cause of breaches
• Risks are increasing because the following lead to increased avenues for security
attacks:
– Cloud (which is not longer a disruptive technology)
– Complex and evolving IT infrastructures with BYOD, mobile, etc.
– Multi-vendor IT environment
– Hidden sub-contracting and sub-outsourcing
– Connected devices and Internet of Things
2

3. Consequences of Security Breaches
• Immediate IT remediation costs
• Costs of revising IT infrastructure
• Costs of payments to beneficiaries
• Notification requirements under state law
• Proceedings by State Attorneys General
• Defending class action suits as private remedy for data security
failures
• Reputation harm
• Reduced economic returns
3

4. Common Causes of IT Security
Problems
• Cost of IT emphasized over potential cost of security failure
• Providers are inappropriately forced, by price evaluations, to offer reduced
security
• Security protection is “baked in” to IT vendor’s product and service costs
• IT staff does not have early role in procurement/outsourcing process
• Lack of validation of providers’ RFP security responses
• Provider security team does has not counterpart on customer team
• Summary: Evaluation of proposed provider focus on costs and operational
SLAs > security
4

5. What do to with Existing Contracts
• Conduct review of provisions (including SLAs) in existing IT and
outsourcing agreements -- gap analysis
• Audit business practices against contractual requirements
• Audit old contract provisions against updated security policies
• Identify potential deficiencies
• Remediate through renegotiation (using liability as leverage)
• Determine and implement what is needed from beneficiary
side
5

6. What do to with New Contracts
(Overview)
• Include up-to-date provisions in new agreements
• Provisions that you should audit/review are the same that
should be in agreements going forward
6

7. Addressing Security Protection
through Better Contracts
• Determine appropriate data security standards based on policies, regulatory
environment and obligations to beneficiaries and others
• Determine appropriate objective security standards
• Determine how to embody security compliance in IT/outsourcing
agreements
• Improve RFP and RFP evaluation process (and use leverage of RFP)
– (and use an NDA)
• Use down-select process to drill down into provider’s security capabilities
• Add specific security exhibit to contract
7

8. Contractual Provision Checklist
• What will providers be required to do?
– Enact data security program
• Safeguards, procedures, controls for data, especially PII/customer data
– Comply with existing future regulatory requirements
• Design in future requirements
– Comply with current ISO/IEC and other relevant standards
• PCI/DISS requirements; PCI certification
– Comply with customer policies
• RFP establish and responses commit to adherence
• Customer to establish proper criteria
8

9. Contractual Provisions (2)
• Comply with customer access, use, security tiers, etc.
• Control and approve subcontractors
– “hidden” outsourcing by providers for peak data loads
• Appropriate encryption levels
• Cybersecurity-specific SLAs, SOWs, etc.
• SLA credits should not be exclusive remedies
• “Declared Direct Damages” to prevent unrecoverable consequential damages,
including data restoration
• Combine DR with Force Majeure
• Restrict remote data access
• Control authorized access
9

10. Contractual Provisions (3)
•Allow security audits and ethical hacking
•Data Manager as well as Project Manager?
•Do or will you have a Chief Data Officer?
10

11. New Approach to Security Attacks
• Current approach: have contractual security obligations and provide
penalties for failures
• However, penalties (called service credits) are generally capped
• Further, service credits may be only remedy
• Why this may not solve problem
• Solution: difference approach
– Model on bank/FBI cooperation against persistent attacks
– Switch from fighting over contract obligations to supplementing with
cooperation to gather information and use lessons learned to improve
security
Risk to plan is greater than contract litigation
11

12. Questions and Answers
William A. Tanenbaum
Head, IP & Technology Transactions Group
“Lawyer of the Year” in IT in NY in 2013
wtanenbaum@kayescholer.com
212-836-7661
12

13. William A Tanenbaum, Partner, Kaye Scholer
13
Bill Tanenbaum is the Head of the law firm Kaye Scholer’s multidisciplinary, multi-office IP &
Technology Transactions Group, which is ranked in the First Tier at the National Level by US News
& World Report/Best Lawyers. Bill was named “Lawyer of the Year 2013” in IT in NY by Best
Lawyers in America. He is ranked in Band One in Technology & Outsourcing in NY by Chambers,
America’s Leading Lawyers for Business, which found that he “built one of New York City’s most
outstanding transactional IT practices.” IP Law Experts Guide named Bill as “The Recommended IT
Lawyer in New York.” (Only a single attorney is designated in each state.) He is past President of
the International Technology Law Association and currently a VP of the Society for Information
Management (NY), a CIO industry association where he serves as the only lawyer on the Board.
Clients and peer attorneys say he is “one of the best IP attorneys I have worked with” (LMG
CleanTech Guide); “smart, practical, tactical and highly strategic,” “an effective
negotiator” (Chambers); “intellectual yet pragmatic” and “among the foremost IT licensing
experts and a leading authority on related issues such as data security, privacy and social media”
(World’s 250 Leading Patent and Technology Lawyers). His practice areas include outsourcing, IT,
offensive and defensive IP strategies, vendor management, data security and data flows, IT and IP
aspects of corporate transactions, technology agreements and licensing, Big Data in procurement
and supply chain management, and sustainability. He graduated from Brown University (Phi Beta
Kappa) and Cornell Law School.

14. 14

15. Copyright ©2014 by Kaye Scholer LLP, 425 Park Avenue, New York, NY 10022-3598. All rights reserved. This publication is intended as a general guide only. It does not contain
a general legal analysis or constitute an opinion of Kaye Scholer LLP or any member of the firm on the legal issues described. It is recommended that readers not rely on this
general guide but that professional advice be sought in connection with individual matters. Attorney Advertising: Prior results do not guarantee future outcomes.
Offices Worldwide
15