The Importance of Evolving Standards for Information Security in Vendor Agreements

Apr 07, 2009 · 2 mins
Data and Information Security

The April issue of Technology Review magazine ran a fascinating story about the work of Marc Stevens, a PhD student at a school in the Netherlands. Using nothing more than a laptop and his PlayStation 3, Marc was able to force the MD5 (Message-Digest algorithm 5) digital fingerprint of an unrelated file to match that of a target file. He did this by appending junk data to the unrelated file. While this kind of “collision” is theoretically possible with almost any hash function, the fact that one can be forced intentionally with such modest computing resources is disturbing. Other flaws have been identified since MD5 was first released in 1991 by Ron Rivest, including the potential to fake the validity of SSL certificates. This illustrates a continuing (and expected) trend: as our knowledge of cryptography increases and computing power becomes less expensive, previously secure algorithms and technologies are being compromised at an ever more rapid rate.

In light of the foregoing, it is important to highlight the need for language in vendor and business partner contracts that includes a “floating standard” for security measures. Specifically, agreements under which sensitive data will be shared with a vendor or business partner should include two categories of information security protections. The first category covers “fixed” security standards and should spell out the baseline security requirements for the vendor or business partner (e.g., SSL for transmitting data over the Internet, a defined level of encryption for databases, no use of removable media, data scrubbing procedures, etc.). The second category covers “floating” security requirements or standards. This language is typically worded along the lines of “physical and logical security measures consistent with then-current industry best practices” or similar. The idea is to supplement the fixed standards with whatever standards evolve during the term of the agreement. In the case cited above, if MD5 were being used, the evolving standard might be a transition to a more secure hash function. The point is to ensure that information security is not a static, but a dynamic, requirement in your vendor and business partner agreements.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who have satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.