by Michael R. Overly

Hiring an information security vendor? Use these best practices.

Aug 20, 2015 (6 min read)
Data and Information Security

Companies should take great care when hiring a party that will be granted access to their most sensitive systems and data.

The exponential rise in security incidents has caused many businesses to look hard at getting their own houses in order before they become the next headline. As part of those efforts, businesses are turning to security consultants to perform audits, penetration testing and other assessments of their systems. These are admirable activities, worthy of consideration by any prudent organization. But these engagements should be entered into with all the care that a business would use in any other transaction in which a third party is granted access to the company’s most sensitive systems and data. Unfortunately, this is seldom the case.

All too often, in their rush to move forward with these assessments, businesses fail to adequately address the most fundamental of contract terms. Cost overruns are common. In some instances, security consultants create more risk than they resolve.

In hiring a potential security consultant, businesses should consider the following best practices:

Use an RFP. If timing permits, the use of a request for proposals (RFP) process will aid the business in receiving the most creative proposals, with the best pricing and contract terms. Vendors that know they are in competition with other respondents will be far more inclined to negotiate than those that believe they already have the business.

Conduct due diligence. Whether or not an RFP is used, take the time to conduct due diligence of any prospective security vendor, including contacting former and existing clients (and not just those clients named on an approved reference list furnished by the vendor).

Negotiate as you would with any critical vendor. It is an ugly truth that most businesses simply do not negotiate their security consulting agreements with the same level of care that they apply to other critical vendor agreements. At best, this may lead to serious cost overruns. At worst, this may result in the very compromise of sensitive business data the company was trying to prevent.

For example, one well-known security vendor includes in its formal agreement an express right for the vendor to remove, without the customer’s consent, data from the customer’s systems and to store that data on the vendor’s systems. This includes cardholder and other highly sensitive personally identifiable information. The vendor’s agreement contains nothing about PCI DSS compliance, only a sentence or two about security, very little liability if the vendor compromises the data, and not even an obligation to securely remove the data after use. This is unacceptable.

Appropriate contractual protections should be negotiated in every security consulting agreement. Key points to address include the following:

  • Define the project. The contract should clearly define the scope of the security assessment to be conducted (e.g., the facilities, systems, servers and networks that are in scope). This means a detailed statement of work should be drafted, with the tasks to be performed by each party expressly identified.
  • Control costs. The contract should contain a clear budget, with all fees stated. The consultant should be precluded from exceeding that budget without the client’s written authorization. If the vendor is unable to provide a detailed budget because “things will evolve based on the assessment,” consider entering into a more limited initial statement of work to better scope the assignment. The output of that statement of work should be a more detailed budget for the complete security assessment.
  • Detail security and confidentiality protections. All too often, security consulting agreements provide little or no detail regarding the security and confidentiality measures to be used. Worse yet, even if those measures are well defined, the consultant has little liability if it breaches those obligations. Since the consultant will have access to the most sensitive data of the client and highly confidential information about the security of its systems, the contract should clearly define the security measures to be used (e.g., controlling removal of data from customer systems, encryption, prohibitions on transmission of customer data outside the U.S., etc.), detailed confidentiality protections, and, generally, exclude breach of those requirements from any limitations or exclusions of liability.
  • Control vendor personnel. Given the sensitivity of the work to be performed, the agreement should include controls over the ability of the vendor to subcontract the work to third parties. The agreement should also require the vendor to do background checks on its personnel, including criminal activities, particularly those involving a breach of trust (e.g., theft, larceny, insider trading, etc.).
  • Warranties. While no security vendor can guarantee the security of a customer’s systems following an audit, the security vendor should be willing to warrant that it will comply with all applicable laws and regulations, and with best practices in the security industry, in performing the assessment.
  • Liability. Most security vendors strictly limit their liability in the performance of their services. There is nothing wrong with such an approach, but the vendor should not be permitted to so limit its liability that it has no real responsibility for breaches of confidentiality or its own gross negligence or willful misconduct. In most instances, the customer should expect the vendor to assume unlimited or, at least, very significant liability in those areas.
  • Consider protecting the audit report from discovery. Given the potential sensitivity of the final audit report, it may be prudent to involve the business’s attorney in the engagement so that the report can be protected from discovery under the attorney-client privilege or the work product doctrine.

By being more proactive in the hiring of security consultants, businesses can ensure that they will receive the expert advice they desire, while protecting their systems and data and ensuring that costs are controlled. Businesses should expect these basic protections, and reputable vendors should be willing to provide them.

Michael R. Overly is a partner in the Information Technology and Outsourcing Group in the Los Angeles office of Foley & Lardner LLP. His firm has written a white paper to assist in educating directors and officers on cybersecurity issues, titled “Taking Control of CyberSecurity: A Practical Guide for Officers and Directors.” The opinions expressed in this column should not be construed as legal advice.