EPISODE 14
Contractual Firewalls

EP 14: Contractual Firewalls

Our bi-weekly Inflection Point bulletin will help you keep up with the fast-paced evolution of cyber risk management.

Sign Up Now!

About this episode

January 8, 2019

Kip Boyle, CEO of Cyber Risk Opportunities, talks with Jake Bernstein, JD and CyberSecurity Practice Lead at Newman DuWors LLP, about how executives can create strong contractual firewalls between themselves and their vendors and customers to guard against excessive financial loss due to cybersecurity failures.

Tags:

Episode Transcript

Kip Boyle: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives become better cyber risk managers. We are your hosts, I'm Kip Boyle, CEO of Cyber Risk Opportunities.

Jake Bernstein: And I'm Jake Bernstein, Cyber Security Council at the law firm of Newman DuWors.

Kip Boyle: And this is the show where we help you become a better cyber risk manager.

Jake Bernstein: The show is sponsored by cyber risk opportunities in Newman DuWors LLP. If you have questions about your cyber security related legal responsibilities...

Kip Boyle: And if you want to manage your cyber risks, just as thoughtfully as you manage risks in other areas of your business, such as sales accounts receivable and order fulfillment, then you should become a member of our cyber risk managed program, which you can do for a fraction of the cost of hiring a single cybersecurity expert. You could find out more by visiting us at cyberriskopportunities.com and newmanduwors.com. So, Jake, what are we going to talk about today?

Jake Bernstein: Well, Kip today, we're going to talk about contractual fire firewalls.

Kip Boyle: Yeah, that makes a lot of sense because we've recently worked on a contractual firewall template for one of our shared customers. So yeah, that's all fresh in my mind. So everybody knows that the use of outside vendors is increasing and has been increasing for years, probably will you to increase. Sometimes they're called service providers or service organizations. But at the end of the day, what we're doing is relying on an outside party, they're not an employee. So we can't give them step by step instructions on how to do stuff. So as a cyber risk manager, we're using a contract vehicle rather than a set of standard operating procedures in order to manage that cyber risk and a credit card processor is a common example of what we're talking about.

Jake Bernstein: Exactly. So the legal term for these third parties, these vendors is independent contractor. And even the name really includes the two critical components of what it means to have an independent contractor. They are one, independent. So you do not get to control their day to day activities. And two, they're a contractor. So their entire relationship with you is based upon a written contract. And it is those written contracts that we mean that we're talking about today, when we say contractual and a firewall is... Everyone in IT and security knows what a firewall is. And the reason we like to call them a contractual firewall is that it's specific clauses that are intended to limit the risk in the cybersecurity realm within the independent contractors contract.

Kip Boyle: So as a practitioner, I find contractual firewalls to be annoying because I'm typically not involved in their construction, but by the time... I do get involved, it's often a done deal. I'm either pulling a contract from something that was signed years ago, or somebody just hands me a signed contract. It says, "Hey, we just did a deal." And I look in it and I'm trying to find the contractual levers or knobs or switches that allow me to manage risk. And quite often there's very little there. And the other aspect that annoys me as a practitioner is it's a completely different skillset managing cyber risk through a contract compared to managed cyber risk in my internal organization where I can just go meet with people and have them agree to do things one way versus another way. So it's an entirely different skillset is what I see.

Jake Bernstein: Absolutely. They're completely different. There's multiple components to drafting these firewalls and these contracts. And one of them is being able just to figure out what is the minimum that I need in any situation in order to have met the due diligence? And then there's a whole of what are people going to agree to? What are they not going to agree to?

Kip Boyle: How much am I going to have to pay for additional-

Jake Bernstein: How much do I have to pay? Do I need to make it... Does it need to be mutual? What if they ask to make this component mutual? Is that going to cause us an untenable amount of internal angst and inaudible work.

Kip Boyle: And also the other thing that I've noticed about contracts, which is very different from actively managing cyber risk in my own organization is contracts typically come with warranties. So my outside vendor warrants that they're not going to let bad things happen, but that's a very opaque thing. I can't see exactly what they're doing. They may not be doing anything. They're just warranting. So that's a very anxious thing for me to see.

Jake Bernstein: It is. And lawyers to do everything in twos just for redundancy. So you'll see that this is always under the heading of representations and warranties. So people will usually say rep and warrant or reps and warranties, whatever you want to call it. And what those are is they are substantive promises made to the other party to the contract that are being called out as particularly to the benefit of the bargain. In other words, these are things if you're lying about them or if they weren't there, I'm not going to enter into this contract. So they're super important along with indemnification and limitation of liability reps and warranties are really the meat of most contracts. And-

Kip Boyle: Let me say one more thing about warranties and contract, managing separates through tracks that really annoys me is, if you break a warranty to me, there might be some consequences to you, but the damage is already done. So a large cyber failure caused by my vendor is going to really hurt me. It's going to hurt my brand way more than it's going to hurt theirs. Hardly anybody knows the name of the air conditioning contractor that fumbled the security of targets systems that led to the massive data breach.

Jake Bernstein: Yeah, exactly. So when we say contractual firewall, what we're really doing is we're minimizing the damage. We're actually using almost as if it was originally used. A firewall was literally meant to slow down or redirect the fire. Only in our modern technical usage is, does it have this filtering traffic cop connotation? We've changed the meeting a bit.

Kip Boyle: Yeah, we did because firewalls used to be actually in apartment buildings between major sections apartment buildings. And there's actually a firewall right down by your gas pedal in your car too, between you and your engine apartment.

Jake Bernstein: Exactly. They were literally walls to stop fire inaudible and that is what we're looking for here. There's already a fire. By the time you're going to the contract to look at what the terms and conditions are and the ups and warranties, there is a fire somewhere. And what you're trying to do is stop that fire. Or at least in some cases the metaphor begin to stretch but we're looking to mitigate the damages from spreading. You're right, you can't necessarily go and blame someone else. Nobody knows who it was but when it comes to the end of the day maybe it takes two years to figure out the full bottom line, but you want a portion the risk and the financial liability where it most belongs.

Kip Boyle: Right. And that's what we're going to talk about today is how do you really do this today? What's the current practices around this. And I remember you telling me that there were two major high level goals for contractual firewall, which I'd to dig into, but just for our listeners, the first goal is telling your vendors and really customers, because customers can get mad at you too, if you drop the ball. So you want to limit any damage that can come at you from angry customers. But you want to tell your vendors and your customers what you expect them to do to keep sensitive data secure. So you've got to set expectations the way I think of it. And then the second is you want to get some indemnity against what I would call excessive financial losses, because you're going to have some losses, but you don't want to go out of business over it. So those are the two goals, I don't know, let's-

Jake Bernstein: Preferably not yes.

Kip Boyle: Yeah. So let's talk about, and let it's first define this word indemnity. That's a very weird word for most people. It was for me, what is indemnity Jake?

Jake Bernstein: So to put it simply indemnity is a risk transfer and it's more specifically, it's a financial risk transfer.

Kip Boyle: Is it like insurance?

Jake Bernstein: So indemnity is a major component of insurance and an insurance contract. But what it really just means is you agree to pay for my damages under certain circumstances. So indemnity is the redistribution of the cost of the harm. That's what it is.

Kip Boyle: Okay. So let's go ahead and keep unpacking that before we talk about setting expectations about data protection. So with respect to vendors, so what would you say are the indemnification requirements that we should have in a contract vehicle, which I assume would be some a master services agreement? Is that right?

Jake Bernstein: Yeah. So it'll be a master services agreement. Sometimes it's a service order with a bunch of terms and conditions tacked on. It just depends. But the indemnification provision should at minimum indemnify... I'm going to have to define terms for a moment. Let's say the vendor is the third party independent contractor and the customer is us. If we're talking from our client's perspective, we're just going to call them the customer. It's easier. So the indemnification provision lays out... At minimum here's what it should say. It should say that if the vendor violates this contract, then it will pay the cost of any related third party lawsuit, losses, damages, harm, et cetera, to the customer.

So what does that look like? Let's say for an example that you have a vendor who is clearly responsible for a simple data breach of basic personal information and the law where you are requires you to send notice. Actually we'll just stop there. It requires you to send notice because this is completely realistic. It's true. You could ask for indemnity or you could request indemnification for cost of sending that notice. Maybe it is literally the postage and the printing, but that is a really simple example but it's a very clear example of what indemnity looks like.

Kip Boyle: And for big organizations, that can be a six figure amount of money. That can be $150,000 or something like that because you-

Jake Bernstein: That can be-

Kip Boyle: ... you have to write it. You've got to... There's so much to do.

Jake Bernstein: I would say that you're fastly underestimating the cost. It can reach into the seven figures easily. Think about this. Let's say that I have a 10 million person data breach and I have to send notification to 10 million people. If I have to do that by mail, let's just say that I can get a bulk rate of 50 cents per envelope. Still 5 million just in postage.

Kip Boyle: Just in postage. Yeah. That's a good point. So we're talking about a big amount of money and we're only talking about one expense among many.

Jake Bernstein: Yeah. I think people tend to forget the cost associated with even just sending mail in as a inaudible.

Kip Boyle: Yeah. So if listeners want to find out about what are common costs in a situation this, we're mentioning postage, but there's so many. So you can go to the IBM Ponemon cost of a data breach report and there'll be some information in their breakdowns. And then also there's a report from NetDiligence that they put out every year, which actually shows you the different insurance claims related to cyber failures. So you can actually see what people are claiming in terms of notifications and all these breach costs.

Jake Bernstein: Yeah, exactly. Okay. So that's what indemnity is. And obviously in the situation that we're talking about, we're looking for indemnity for third party suits, costs, damages, harm, et cetera, that are related to either the master services agreement or whatever the contract is. And if it's a broad MSA, you're probably going to see things indemnity for third party IP allegations. But let's just go ahead and focus on the cyber security thing. So the next question is, okay, if I'm indemnifying you for breach of this contract, well, what does that mean? What's a breach? A breach is anytime that you don't fulfill a representation or a warranty, any other material obligation under the contract that could mean that you either you did something that the contract spells out, you can't do. You didn't do something that the contract spells out you must do, or you, we call it substantial, substantial compliance. You didn't substantially complete the contractual obligation. That's the squishiest.

Kip Boyle: And in my world, that's just called broken promises.

Jake Bernstein: Well, yes. And that's what a contract is. A contract is nothing more than a set of promises in exchange for something of value.

Kip Boyle: Right. Okay, great. Okay. Let's see. So I have a question for you about this. So if you are asking your service provider, your vendor to indemnify you, should I, as an executive be willing to indemnify the service provider in any aspect of data breaches?

Jake Bernstein: So that's very case by case. The answer is of course maybe. There are situations where it could make sense. Let's say that it's a two way street. Let's say there's a data network connection that's very two way between the vendor and the customer. And it's possible such that if the customer can be a root cause or contributory cause of a data breach that the vendor experiences, if it's that relationship, then yes, it might be appropriate to indemnify them. That is unusual though because usually the vendor is the vendor and the customer is getting something from the vendor, not vice versa.

Kip Boyle: Right. Yeah, absolutely. Okay. So we also want to talk about, remember there's two goals. So one goal is to indemnify against excessive financial loss. And then there's the other goal about setting expectations for data security. So what do you think are the main points? If you're contracting with a service organization, what are the main points that you want to get into the master services agreement about data protection? What should they be doing?

Jake Bernstein: The number one point is you want them to represent and warrant or agree to have reasonable data security and-

Kip Boyle: That's reasonable the way we've been talking about it on this podcast?

Jake Bernstein: It is. It's a moving target. That's why we use that word. It's very flexible. You could if you wanted literally stop there. That would be the world's simplest, shortest data privacy or data protection component in a contract. That would get you somewhere. That actually would.

Kip Boyle: I imagine the vendor would read that and then give you the deer and the headlight look.

Jake Bernstein: So the danger of that language is that the vendor's going to read it, pass over it, not think twice and sign it. And then they're only going to seriously regret their decision later on if it becomes an issue. On the other hand there's defenses. A defense to a contractual claim, which by the way, is a defense to a law too, is that it was too vague. I don't know what this means. I can't comply with it. You just said be reasonable. Well, I don't know what that means.

Kip Boyle: Or I was being reasonable.

Jake Bernstein: Or I was being reasonable. So the reason that is... So it's functional but it's-

Kip Boyle: Insufficient.

Jake Bernstein: Well, it's probably not unenforceable vague. The problem is that it's going to result in litigation over what was reasonable and were reasonable.

Kip Boyle: And as an executive, I don't want a data breach. I don't want to ever pull the trigger on an indemnification clause. I just want you to do what you said you were going to do.

Jake Bernstein: And from that perspective, it's also a very weak request, truly it's the minimum. Think about what the opposite would mean? If you've got something that has data security issues, are you ever going to have a contract that says, "You don't have to be reasonable with cyber security." You're just not going to do that which means that just saying be reasonable is basically meaninglessly the minimum.

Kip Boyle: Right. So let's look at the other extreme. So the other extreme is I have my own set of security policies, procedures, standards, and everything. Why don't I just take how I protect data and just make that an appendix to the MSA. Just give them everything and say, "Just do this?"

Jake Bernstein: So that would become unreasonably burdensome, likely on the contractor. It also raises issues about if you're controlling them that much, there's a question of whether or not they actually can be an independent contractor. But more importantly, most vendors just aren't going to agree to that because they just can't, it's a practical issue.

Kip Boyle: Okay. So what's the middle ground here?

Jake Bernstein: The middle ground is setting forth a set of data security expectations that talk about definitions in terms of who's authorized, who isn't, what information are we protecting? Setting out for the contract, what is the security breach? What does it mean?

Kip Boyle: Yeah. When should you to report one.

Jake Bernstein: Exactly. And those are the definitions. And then in terms of the substantive things, you should lay out the standard of care. You should lay out what type of information security you want them to. You should include security breach procedures. When something happened, do this. Contact me. How long do you have to contact me. And then the last component is some form of audit right. In other words, if you tell me you're doing this, I want the right to come in, prove to myself that you're doing it, verify. Trust but verify.

Kip Boyle: Now it also turns out that service organizations use vendors.

Jake Bernstein: They do.

Kip Boyle: So if I hand off something important to a vendor, and then they turn around and subcontract that. As an executive, how do I deal with that? Is there anything that I have to do differently or am I fine?

Jake Bernstein: So there's two answers to that. One is contractually you're fine. You don't need to go further because all good MSAs are applied to a vendor and the vendor is vendors. And the vendor is vendors vendors, and the vendor is vendors, vendors, vendors.

Kip Boyle: So that's a general term in an MSA?

Jake Bernstein: It's a general term, it's going to generally happen but it's often included, but it's not assumed. So it has to be explicit but most MSAs will say that. The second thing is actually something that we haven't talked about yet which is step zero. Step zero is do your due diligence on your vendors? Just don't get into a contract with someone with whom you are not comfortable. This is why I recommend that you start with a vendor assessment questionnaire, or vendor assessment form before you sign the contract.

Kip Boyle: Okay. So see, previous podcast episode because that's what we talked about last time.

Jake Bernstein: It is, we have talked about that. And the interesting thing about doing before the contract is signed, what we talked about really was an ongoing contractual relationship when suddenly these vendor assessment forms are inserted. And you've already been doing things a certain way. Maybe you've had a long relationship with the vendor but you're still going to send it to them now. What I'm saying is that if you have the ability to start fresh, it gives both you and the vendor, the opportunity to decide if they want to be in this relationship. If the vendor decides this is overly burdensome, I'm not going to fill this out. The vendor can come back and say, "I'm not going to fill this out." And the customer can either modify it or not, but there's no risk really, because there's been no work yet. The relationship hasn't started.

Kip Boyle: So I've heard this term before. It says the contract is only good as the people standing behind it. And I think that's what we're getting at here.

Jake Bernstein: It is. So the answer to your question is twofold. Contractually you're covered but find out if they're going to use subcontractors.

Kip Boyle: Right. Okay. That makes sense. Okay. So let's shift the topic now and let's talk about how should we set expectations with customers. So I'm an executive again, and I've just put an MSA together and I've had my vendor sign it. So I'm feeling good about my contractual firewall with my vendor. All right. Now I'm going to swivel around to my chair. Now I'm going to say, "Okay. Now I've got my customers." So I don't have an MSA with them. So how do I set expectations with customers? And then what indemnification could I get from them?

Jake Bernstein: Wait, so now we're the vendor. Just so I'm clear.

Kip Boyle: Well, so no. Again, I'm an executive at an organization. I've just done an MSA with my vendor but now I'm thinking about my customer. So I've got a vendor on one side, I got a customer on the other side. I got to deal with both. I need a contractual firewall between both of those.

Jake Bernstein: Okay. So to use the language that we'd use, we're talking about the customers customer?

Kip Boyle: Yeah. Our customers customer.

Jake Bernstein: Yes. Our customers customer. So the way that you do that is one, you may have an MSA with your customer. It depends on what you do. But really in that situation, you just become the vendors vendor. Or you just become one of their vendors who has a vendor. It's this flow-

Kip Boyle: If it's B2B.

Jake Bernstein: If it's B2B, yeah.

Kip Boyle: If it's B2C then let I'm imagining I'm... Let's say I'm a mobile phone provider. So my customers are coming into my store and they're bring handsets and-

Jake Bernstein: Perhaps Telefónica, which just suffered a complete 100% data breach.

Kip Boyle: Right. Okay. So now, if I'm a mobile phone carrier and there's a data breach, let's say my service provider or blew it. So I've got my contractual firewall to help control financial losses with my service organization, my outside service organization. But it's my customers, the people who pay for mobile phone service, it was their data that got breached. They're mad. Should I have set up a contractual firewall between me and them and what does that look like?

Jake Bernstein: So there's a couple of issues here. One is the concept of contractual privity. This is an older legal term. And it means to have contractual privity with a party, it means that I have a direct, actual right or responsibility to them. Your customers and your vendors do not have privity. There's a broken chain. They don't have a direct relationship.

Kip Boyle: They go through me.

Jake Bernstein: They go through you. So your customers can't sue the vendor. They don't have a-

Kip Boyle: They sue me.

Jake Bernstein: But they sue you. Now your contract with your, if we're assuming that we're talking about individual consumers, customers, then there's different forms of contractual firewalls that people don't normally think of as contractual firewalls, but they are class action waivers, arbitration, provisions.

Kip Boyle: Disclaimers?

Jake Bernstein: Disclaimers, limits of liability, et cetera. So those are going to be in place. And then most of the time, you're going to have a contract. Particularly, if you're a cell phone... We're a cell phone provider, then have you read the contract you have with your cell phone provider? It's really long. In fact, the US Supreme Court case about arbitration clauses is from AT&T. So it's the AT&T, the conceptual case.

Kip Boyle: Okay. So those are examples of contractual firewalls that I, as an executive could have with my retail customers in a B2C situation.

Jake Bernstein: Correct.

Kip Boyle: And there's probably something comparable if I'm a business selling to another business?

Jake Bernstein: Yeah, absolutely. It's just in these cases, we tend to call them MSAs or service orders or just contracts.

Kip Boyle: Yeah. I was out looking at the AWS, Amazon Web Services terms and conditions and I found lots of disclaimers and all kinds of language. And I said, "Oh, I recognize that. That's a contractual firewall."

Jake Bernstein: Yeah. It's is. Yeah. It absolutely is. And this stuff is everywhere. Contracts have gotten very long because there's a lot of... People say the word boiler plate. There's a lot of boiler plate because it's blocking a port 443. You just do that. You block or blocking unused ports. There's certain base level internet firewall configuration.

Kip Boyle: It's the best practice everybody does because it makes sense.

Jake Bernstein: Well, it's probably legal malpractice to not include some of those. So it goes beyond best practice but that's how that works.

Kip Boyle: Okay. Well, we're almost out of time. Is there any other final thoughts for our listeners about contractual firewalls?

Jake Bernstein: Yeah. I think I'd to just quickly go through the level of detail that you can put in the actual substantive provisions of your MSA. So working backwards from the categories that I described, an audit oversight right can be anywhere from we have the right to at any time, any point without notice to come in and look at your stuff. That's extremely heavy handed and difficult to get. And it can range from that to once per year, you should give us some reports, basic reports about the vendor's security posture.

Kip Boyle: Yeah. Like if you do an annual penetration test, we want to copy.

Jake Bernstein: So there's that. In the security breach procedures, that's actually where you want to be more specific, because you need to have phone numbers to call. It should be a micro incident response plan that fits into your overall incident response policy. And that's always specific to every customer.

Kip Boyle: Yeah. By the way, we've got some customers that are contracting with the federal government and the requirements and there for data breach notification are really interesting. So they require 72 hour breach notification. But to make that report, you have to go to a special website and to get to that website, you have to have a digital certificate, but all that has to be pre-configured. In other words, you can't wait until you need to make the report because you'll never be able to get to the webpage. That's really funny.

Jake Bernstein: That is really funny. That's very interesting. So to finish off the thought here. For information security, there's all kinds of things you can do. You can say, you're going to take necessary steps to protect the confidentiality, integrity, availability, and resiliency of data. You can define it in different ways. You can pull in references from ISO 27001 or the NIST cybersecurity framework. You can-

Kip Boyle: Our favorite.

Jake Bernstein: Our favorite. You can go to the COVID standards. If there's anything, that you can do all these things. You can reference PCI DSS. You can even incorporate PCI, the full PCI DSS just by referencing it, if you want to. There's all kinds of things that you can do. One of the reasons I think I like contracts is it reminds me of Legos. Put pieces together, whatever, you can make something big and beautiful or you can make something tiny and compact.

Kip Boyle: Yeah. So that makes sense.

Jake Bernstein: And the last part is the standard of care and that's about preventing gun authorized use, not creating or collecting more data than you need to. But as they say, the devil is in the details of that is never more true than when you're talking about a contract. In fact, that phrase really just refers to the contracts. And if you think about, it's funny. You make a deal with the devil, the devils in the details. Contracts, this idea just permeates society.

Kip Boyle: Well, that's why you need a wizard lawyer to help you with this stuff.

Jake Bernstein: It's true. And in fact, I just had a client reference or say that this legal formatting is witchcraft. He was actually just talking about styles in word. But lawyers probably make more use of that than others.

Kip Boyle: Well, I can imagine what it was back when it was word perfect. Much harder.

Jake Bernstein: Much harder.

Kip Boyle: Okay. Well we're not going to go there. Well, that wraps up the episode on the Cyber Risk Management Podcast. So today we talked about contractual firewalls. We'll see you next time.

Jake Bernstein: Thanks. We'll see you next time.

Kip Boyle: Thanks everybody for joining us today on the Cyber Risk Management Podcast.

Jake Bernstein: Remember that cyber risk management is a team sport and needs to incorporate management, your legal department, HR, and IT for full effectiveness.

Kip Boyle: And management's goal should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. So if you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our cyber risk managed program.

Jake Bernstein: You can find out more by visiting us at cyberriskopportunities.com and newmanduwors.com. Thanks for tuning in. See you next time.

Headshot of Kip BoyleYOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein

  Newman DuWors LLP

Jake Bernstein, an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.