Follow the Feds When it Comes to Supply Chain Cybersecurity
We've said it before and we'll say it again: cybersecurity should be at the top of any GC's agenda. Not only is cybersecurity one of the main areas C-suite executives want their legal department to master, but the costs of losing sensitive data can be massive, resulting in expensive litigation, loss of proprietary information, and reputational damage.
But how do you protect the data that's in the hands of suppliers, contractors, and the like? Don't worry, the federal government has been figuring that out for you.
Take it From the Feds
Security risks aren't just an in-house concern. When a company's data walks out the door, or potentially corrupted products come into the office, there are plenty of opportunities for expansive and damaging breaches. Three lawyers from Covington's privacy, data security and government contracts practice groups highlighted these risks in a recent piece for Inside Counsel. Luckily, while supply-chain risks abound, there are plenty of well-developed (and public) policies available to address them, in the form of government data security regulations.
Corporate counsel can learn a thing or two from these federal regulations. For example, companies contracting with the Department of Homeland Security are required to implement specific security controls for their IT systems, allow audit access, and meet monitoring and reporting requirements. The National Institute of Standards and Technology released a draft report this April laying out the "fourteen families of security requirements" that should be instituted to protect confidential and classified information.
Crafting Agreements With Cyber Security in Mind
In-house counsel should make sure their agreements with contractors and suppliers include requirements to mitigate cybersecurity risks. These agreements should include not only contractual obligations to safeguard sensitive data, but also ways to monitor compliance. Similarly, contractors should be required to vet and monitor all of their own suppliers and contractors, making sure that data security is in place throughout the supply chain.
Finally, in-house counsel should make sure that they have in place a system for identifying and reporting incidents as they occur. Under DHS contract requirements, a contractor must report a breach within an hour of its discovery. Coupled with regular, effective monitoring, quick reporting can help companies discover and respond to breaches before too much damage is done.
Related Resources:
- Business RX: A Cybersecurity Formula for Your Supply Chain (The Washington Post)
- 5 Ways In-House Counsel Can Improve Vendor Cybersecurity (FindLaw's In House)
- What President Obama's Cybersecurity Executive Order Means to You (FindLaw's In House)
- The Greatest Threat to Your Data Security May Be Yourself (FindLaw's In House)