Spilman Thomas & Battle, PLLC
April 25, 2023 - Charleston, West Virginia
Tech Vendors and Cybersecurity – Are They Responsible?
by Alexander L. Turner, CIPP/US
It has long been recommended that when you contract with a technology vendor, you include an indemnity clause under which the vendor will indemnify you if its product is compromised and that compromise results in a data breach of your computer network. This recommendation was recently validated by cyber authorities in the U.S., the U.K., Germany, Canada, Australia, New Zealand, and the Netherlands. The basis for the governmental recommendation is to use the market to ensure that technology products are secure by design and by default. Currently, technology products are effectively vulnerable by design, which leaves the end user bearing the brunt of cybersecurity through constant monitoring, routine updates, and damage control to prevent cyberattacks.
Instead of the current practice of vulnerability-by-design, government cyber authorities want technology manufacturers and developers to adopt secure-by-design. This includes moving to programming languages that eliminate widespread classes of vulnerabilities. While secure-by-design is more costly upfront, it can lower maintenance and patching costs over the long term. Secure-by-design protocols include:
- Memory safe programming languages, such as Rust, Ruby, Java, Go, C# and Swift;
- A secure hardware foundation that enables fine-grained memory protection;
- Secure software components, including libraries, modules, middleware and frameworks by commercial, open source and third party developers;
- Web template frameworks that automatically escape user input to avoid cross-site scripting attacks;
- Parameterized queries to avoid SQL injection attacks;
- Static and dynamic application security testing to detect error-prone practices;
- Peer code reviews;
- Software bill of materials;
- Vulnerability disclosure programs that allow security researchers to report vulnerabilities without fear of legal jeopardy;
- Complete CVE details, including root cause or common weakness enumeration;
- Infrastructure that is designed to adhere to defense-in-depth principles so the compromise of a single control doesn’t result in full system compromise; and
- Measures and practices that meet CISA’s cybersecurity performance goals.
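Two of the items above, parameterized queries and auto-escaping template output, are concrete enough to show in code. The following is an added example written for this page, not code from the article or from any government guidance it summarizes. It uses only the Python standard library (`sqlite3` and `html`), an in-memory table with constructed sample rows, and contrasts the vulnerable pattern (splicing input into SQL text, emitting raw input into HTML) with the secure-by-design pattern the list recommends. The function names are this example's own.

```python
"""Added example: parameterized queries and output escaping side by side.

Not from the original article. Sample rows are constructed for the demo.
"""
import html
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("o'brien", "obrien@example.test"),  # a legitimate name containing a quote
        ],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> List[str]:
    """Vulnerable-by-design: user input becomes part of the SQL text.

    Any quote character in `name` changes the structure of the statement,
    which is the root cause of SQL injection. Even the honest input "o'brien"
    makes this raise sqlite3.OperationalError.
    """
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[str]:
    """Secure-by-design: the driver binds `name` as data, never as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_greeting(user_input: str, autoescape: bool = True) -> str:
    """Mimics what an auto-escaping web template framework does on output.

    With autoescape=False the markup in `user_input` is emitted verbatim and
    becomes part of the page; with autoescape=True it is rendered as text.
    """
    body = html.escape(user_input, quote=True) if autoescape else user_input
    return "<p>Hello, " + body + "</p>"


def main() -> None:
    conn = make_db()
    print("parameterized:", lookup_parameterized(conn, "o'brien"))
    try:
        lookup_concatenated(conn, "o'brien")
    except sqlite3.OperationalError as exc:
        print("concatenated query broke on a quote character:", exc)
    print("escaped:", render_greeting("<b>visitor</b>"))
    print("raw:    ", render_greeting("<b>visitor</b>", autoescape=False))


if __name__ == "__main__":
    main()
```

The point the two lookups make is that the parameterized version treats every byte of the input as a value, so the same code is correct for `alice` and for a name with a quote in it, while the concatenated version is only correct by accident. Auto-escaping works the same way for HTML: the framework, not each developer, decides that output is text unless explicitly marked otherwise.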
By adopting these secure-by-design principles, technology manufacturers and developers can address the root causes of current technology vulnerabilities rather than leaving customers to manage the symptoms.
In addition to secure-by-design, the government cyber authorities also recommend secure-by-default, which means that secure configurations are the baseline a product ships with. If customers want to deviate from that baseline, they are informed that changing the default secure settings will increase the likelihood of their systems being compromised. The governmental cyber authorities advocate for secure-by-default because “[t]he complexity of security configuration should not be a customer problem.” Secure-by-default protocols include:
- The elimination of default, universally shared passwords;
- A multifactor authentication mandate for privileged users;
- Single sign-on for IT applications;
- The provision of high-quality audit logs to customers at no extra charge;
- Recommendations on authorized profile roles and their designated use case;
- The prioritization of security over backwards compatibility;
- A consistent reduction in the size of hardening guides; and
- An assessment of user experience burdens introduced by security settings.
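The secure-by-default idea in the list above, a shipped baseline that customers may weaken only knowingly, can be shown as a small configuration model. The following is an added example written for this page, not code from the article or from any vendor's product; the setting names, the baseline values and the warning text are this example's own assumptions, chosen to mirror the list items (no shared default password, MFA for privileged users, SSO, audit logs, security over backwards compatibility). Any override that moves a setting away from its secure default is accepted but returned together with a warning the customer has to see.

```python
"""Added example: a secure-by-default configuration baseline with deviation warnings.

Not from the original article. Setting names and wording are hypothetical.
"""
from dataclasses import asdict, dataclass
from typing import Any, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SecurityBaseline:
    """The state a product ships in. Every default here is the secure end."""
    shared_default_password: Optional[str] = None  # none shipped; set per install
    mfa_required_for_privileged: bool = True
    sso_enabled: bool = True
    audit_logging_enabled: bool = True
    legacy_protocols_enabled: bool = False  # security prioritised over compatibility


SECURE_DEFAULTS = SecurityBaseline()

# Consequence shown to the customer when a setting is moved off its default
# (hypothetical wording for this example).
WEAKENING_NOTES: Dict[str, str] = {
    "shared_default_password": "anyone who knows the shared password can log in",
    "mfa_required_for_privileged": "a stolen password alone compromises privileged accounts",
    "sso_enabled": "each application keeps separate credentials that can be reused or phished",
    "audit_logging_enabled": "intrusions cannot be detected or investigated afterwards",
    "legacy_protocols_enabled": "protocols with known weaknesses become reachable",
}


def apply_overrides(overrides: Dict[str, Any]) -> Tuple[SecurityBaseline, List[str]]:
    """Merge customer overrides onto the baseline and report every weakening.

    Unknown setting names are rejected outright. Known settings may be changed,
    but each deviation from the shipped default produces a warning line, which
    is the secure-by-default rule: the customer decides, but is informed.
    """
    known = asdict(SECURE_DEFAULTS)
    unknown = sorted(set(overrides) - set(known))
    if unknown:
        raise ValueError("unknown settings: " + ", ".join(unknown))

    warnings: List[str] = []
    for name, value in overrides.items():
        if value != known[name]:
            warnings.append(name + ": " + WEAKENING_NOTES[name])

    merged = {**known, **overrides}
    return SecurityBaseline(**merged), warnings


def main() -> None:
    # Constructed customer request: turn off MFA for admins and re-enable old protocols.
    cfg, notes = apply_overrides(
        {"mfa_required_for_privileged": False, "legacy_protocols_enabled": True}
    )
    print("effective configuration:", cfg)
    for line in notes:
        print("WARNING (deviates from secure default):", line)


if __name__ == "__main__":
    main()
```

The design choice worth noting is that the secure values live in the type's defaults, so a customer who supplies nothing gets the hardened configuration with no hardening guide to read; the warnings are derived from the difference between the request and the baseline rather than from a separate checklist that could drift out of date.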
By adopting these recommendations, government cyber authorities want to empower organizations to hold technology manufacturers and developers accountable for the cybersecurity of their products.
The recommendation that companies include cyberattack indemnification clauses in their contracts should not be limited to contracts with technology vendors. Increasingly, service vendors are being asked to run specific programs or applications on their computer networks or company cell phones in order to supply the contracted services more efficiently. This should be a negotiable term in any contract negotiation. If the specified program or application could be used by bad actors as an avenue of attack into the vendor’s computer network or company cell phones, then the vendor should include an indemnity clause in the contract. The indemnity clause would provide that if the required program or application results in a breach of the vendor’s computer system or company cell phones, then the party requiring the use of that technology will indemnify the vendor. This indemnification should include restoring the vendor’s network to its pre-attack status, and defending and indemnifying the vendor against any lawsuits that may arise from a cyberattack perpetrated through the required program or application. These indemnity clauses should be included at the beginning of the contractual relationship even if the other party is not currently requiring the vendor to use a specific program or application, because that may change during the term of the contract. If it is not contracted for at the outset, and a vendor is later asked to use a specific program or application during the contract term, that constitutes a material change to the contract, and indemnity can then be negotiated at that time. However, it is easier to have that negotiation at the onset of the contractual relationship than in the middle of it.
There may be times when a company asks employees to install an application on their personal phones to assist them with their job duties. It is permissible to require employees to put work-related applications on their personal devices if the company does not provide company devices. However, the employer should still protect itself from the possibility that the required application may be an avenue of attack into an employee’s personal device that results in a breach of the employee’s personal data. The company requiring the installation should consider subsidizing a portion of each employee’s monthly cell phone bill for the data the application uses, in exchange for the employees executing an Indemnification Agreement holding the company harmless in the event that the required application results in a data breach. This Indemnification Agreement should also inform employees of what data the application collects, what the collected data is used for, how long it will be retained, and who is collecting it. All of that information can be found in the application’s privacy notice.
If you need assistance with your technology related contracts, please reach out to one of Spilman’s Technology Practice Group members for assistance.
Read full article at: https://www.spilmanlaw.com/dataentry/resources/attorney-articles/technology/tech-vendors-and-cybersecurity-–-are-they-responsi?feed=Attorney-Articles