Avoid Security Pitfalls with Subcontractors
You're a not-so-big company, and you simply must outsource some sensitive tasks -- perhaps payroll or the 401(k) plan.
But headlines about subcontractors' unencrypted laptops being stolen are everywhere. How can you protect your company from a subcontractor's security lapses?
In March 2008, Santa Clara, Calif.-based Agilent Technologies became the latest victim of this scenario -- a subcontractor hired to handle the company's employee stock plan left the information on an unencrypted laptop. The laptop was later stolen.
Agilent had a clearly stated policy that all such data must be encrypted, and that subcontractors must encrypt it too. But the subcontractor did not honor this policy, according to Amy Flores, an Agilent spokeswoman.
While some risk always exists, experts say, you need to make sure the service-level agreement (SLA) you have with your subcontractor is as airtight and specific as possible, and that you constantly keep tabs on whether they are complying. They offer the following advice:
Call your lawyer. 'Knowing your exposure is specific to your industry,' notes Scott Almas, associate attorney with the Albany, N.Y.-based law firm Lemery Greisler. Almas, who has drafted many an SLA and litigated ones that have gone awry, says that your company lawyer should know what's needed in terms of data protection to comply with such federal laws as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA).
Spell it out. Explain what the subcontractor's system will be used for and why. 'Take the time to explain it -- which data is private, what needs to be encrypted, the rules of who has access,' says Jack Danahy, founder and CTO of Ounce Labs, a Waltham, Mass.-based software risk management firm.
Require specific protections. Insist on fingerprint sensors on all laptops the subcontractor uses, WPA encryption on their wireless networks, secure networks and careful protection of all remote access, says Almas. Keep in mind that a fingerprint reader only gates the login; it does nothing for data on a drive pulled out of a stolen laptop, so pair it with the full-disk encryption that Agilent's policy required.
Look into NAC. Network access control (NAC) products can scan any computer, PDA or thumb drive that connects to your network and keep tabs on any remote worker, subcontractor or not, notes Paul Roberts, senior analyst for enterprise security at the 451 Group, a technical analysis firm in Boston. 'If it's not okay, you can quarantine the computer until the subcontractor cleans up their act.' NAC tools, offered by Cisco, Mirage Networks, Nevis Networks and others, are expressly designed to address the security issues raised by laptops and other mobile devices. But some note that the technology remains very new -- and perhaps too pricey for the smaller business. A less expensive route is a hosted service, such as those offered by AT&T and other ISPs, says Roberts.
Encrypt first. 'Encrypting the laptop is one approach, but encrypting the data before ever transmitting it is the better approach,' says Ounce's Danahy. Reviewing the source code to make sure that the subcontractors' systems are in order is another approach that Ounce offers its enterprise customers, Danahy says.
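The "encrypt before transmitting" approach above, as an added example that is not from the article or from Ounce Labs: a small POSIX shell script that encrypts a payroll export with a key the client generates and keeps, so that what lands on the subcontractor's laptop or USB stick is ciphertext only. It assumes openssl(1) is installed; the file names, the key file and the sample CSV are constructed for this illustration.

```sh
#!/bin/sh
# Added example (not from the article): encrypt sensitive data with a key the
# client controls *before* it is handed to a subcontractor. Uses only openssl(1).
# File names and the CSV contents below are constructed for illustration.
set -eu

# Generate a random passphrase file. Send it separately from the data, never in
# the same package, and keep it readable by the owner only.
make_key() {
    keyfile="$1"
    ( umask 077; openssl rand -base64 32 > "$keyfile" )
}

# AES-256-CBC with PBKDF2 key derivation (200k iterations) and a random salt.
# openssl stores the salt in the output header, so each run yields a new ciphertext.
encrypt_payload() {
    in="$1"; out="$2"; keyfile="$3"
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$in" -out "$out" -pass "file:$keyfile"
    # Record a SHA-256 so the recipient can confirm the file arrived intact.
    openssl dgst -sha256 -r "$out" | cut -d' ' -f1 > "$out.sha256"
}

decrypt_payload() {
    in="$1"; out="$2"; keyfile="$3"
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$in" -out "$out" -pass "file:$keyfile"
}

# Compare the recorded checksum with the file on disk; success/failure is the
# exit status, which makes this usable in scripts and in the test below.
check_integrity() {
    f="$1"
    expected=$(cat "$f.sha256")
    actual=$(openssl dgst -sha256 -r "$f" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# End-to-end walk-through on a constructed payroll file.
demo() {
    work=$(mktemp -d)
    printf 'emp_id,name,ssn,salary\n1001,Jane Doe,123-45-6789,82000\n' \
        > "$work/payroll.csv"                       # constructed sample data
    make_key "$work/payroll.key"
    encrypt_payload "$work/payroll.csv" "$work/payroll.csv.enc" "$work/payroll.key"
    check_integrity "$work/payroll.csv.enc"
    # The ciphertext must not contain the plaintext SSN.
    if grep -q '123-45-6789' "$work/payroll.csv.enc"; then
        echo "plaintext leaked into ciphertext" >&2; exit 1
    fi
    decrypt_payload "$work/payroll.csv.enc" "$work/roundtrip.csv" "$work/payroll.key"
    cmp -s "$work/payroll.csv" "$work/roundtrip.csv" && echo "round trip OK"
    rm -rf "$work"
}

# Run the walk-through with:  sh encrypt_for_vendor.sh demo
case "${1:-}" in demo) demo ;; esac
```

The checksum only catches accidental corruption in transit; it is not a tamper check, because anyone who can alter the file can recompute it. If you need the subcontractor to detect deliberate modification, sign the encrypted file (for instance with a key pair you hold) or use an authenticated mode; the point of this script is narrower: the confidentiality of the data does not depend on what the subcontractor does with their laptop.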
Include enforcement -- and consequences. Reserve the right to enforce the agreement and check up on workers, says Ounce's Danahy. 'Put something in like, if we discover you've done this, you'll be fined 5 percent per month, or we won't pay you,' he says. Adds Almas: 'They need to agree to indemnify and defend you against any losses.'
Include a destruction policy. When the project is over, make sure you've spelled out to the subcontractor how you want the sensitive information wiped or destroyed, says Almas. Otherwise, that laptop or PDA could be discarded someday with all that sensitive data still on it. If the data was encrypted throughout, destruction is simpler and easier to verify: destroy the key, and whatever copies remain on the subcontractor's devices are unreadable.

If it's your company that's the subcontractor, showing a willingness to take security steps can help you seal the deal, notes Ounce's Danahy. 'Small contractors who ask the right questions and tell their potential client how they'll encrypt the data, that can be a real differentiator for bigger companies,' he says.
SIDEBAR: What to Do if Disaster Strikes
Let's say the worst has happened: your company's sensitive data has been breached, despite your diligence. What can you do to contain your risk?
The first step is to notify the people whose data is at risk, whether clients or employees. California's SB 1386 breach notification law requires companies to tell affected individuals of a breach of unencrypted personal information in the most expedient time possible and without unreasonable delay; data that was encrypted is exempt from the notification requirement, which is the law's safe harbor and one more reason to encrypt before the data ever leaves your hands. Experts say it's also wise to offer affected employees or customers a credit-monitoring service for a period so they can watch for identity theft. Agilent's Flores reports that the company offered this service to its employees.
Even outside California, companies that don't inform their customers or employees promptly do so at their peril. In March 2008, two separate lawsuits were brought against the New England-based Hannaford Bros. grocery chain for not notifying customers until mid-March of a credit card breach it had discovered on Feb. 27, according to published reports.
A breach can happen to anyone, but companies that show they did what they could will fare better -- in the public eye, and in the courts.