Vendor contracts increasingly include provisions that could lead to breaches of security. At first glance, these provisions may appear innocuous, but they create the circumstances under which security compromises can occur. A few examples:

Connections for Remote Support and Maintenance: Many vendor agreements include provisions permitting the vendor to connect remotely to the customer's systems for purposes of rendering support. Unless carefully controlled, these remote connections can create an open pipe into the customer's systems that could compromise their data and operations. In general, remote access rights should be limited to on-demand situations, subject to the customer's then-current information security and access policies (e.g., the type of secure connection to be used, coordination with customer information security personnel, etc.). The agreement should be clearly worded to ensure the vendor uses the connection only for purposes of rendering support and is responsible for the security of the connection on the vendor's side, including any misuse of its passwords or access codes.

Phone-Home Features: Many types of software have "phone-home" functionality in which the software periodically transmits data to the vendor. The data transmitted typically relates to support issues and to confirming the customer is not misusing the software (e.g., using the software in excess of the licensed number of users). Customers should require the vendor to identify exactly what information will be transmitted from their systems and ensure no sensitive data is included in the transmission. Customers should also understand how and when the transmissions will be made.

Disabling Mechanisms: Customers should be wary of language in vendor contracts that affords the vendor the ability to remotely shut down software and equipment. When systems are critical, the vendor's ability to intentionally or inadvertently trigger a disabling mechanism can result in the customer's data being corrupted or rendered unavailable. If possible, these provisions should be deleted from the vendor agreement. If deletion cannot be negotiated, the vendor should assume heightened or unlimited liability if it triggers a shutdown without good cause.

Audit Rights: Finally, customers should beware of broadly written vendor audit rights that permit the vendor and, frequently, unspecified agents to enter the customer's facilities, review their records, and access their systems to determine compliance with the agreement. These audit rights should be narrowly written, ensure any agents are bound by an appropriate NDA, require the vendor to comply with the customer's then-current security and access policies, and make clear the vendor will be responsible for any disruption of the customer's systems and operations.

Customers should be on the lookout for these types of provisions and ensure they are properly revised to protect their systems and data. Failing to do so may turn vendor contracts into a significant new security risk.