BOL Conferences
#355543 - 05/04/05 06:41 PM Response Programs
Anonymous
Unregistered

Has anyone updated their Information Security Contract language for 3rd parties to reflect specific language addressing response program issues? If yes, would you be willing to share?

#355544 - 05/10/05 01:47 PM Re: Response Programs
Patsy Cline
Diamond Poster
Joined: Sep 2002
Posts: 1,117
On the road...
I added the following to our existing info security agreement that requires appropriate security measures, etc...
Contractor shall take appropriate actions to address incidents of unauthorized access to the Bank’s customer information, including notification to the Bank as soon as possible of any such incident, to enable the Bank to implement its response program. Contractor will report to the Bank when an incident of unauthorized access occurs, estimate the intrusion’s effect on the Bank or its customers, and specify the corrective action taken.
_________________________
Michelle CRCM

"What would you attempt to do if you knew you could not fail?" ~ unknown


#355545 - 05/15/05 06:53 PM Re: Response Programs
Susan Silberisen
Junior Member
Joined: Apr 2005
Posts: 31
Arizona
If a 3rd party you are contracting can do something that requires your institution to trigger Incident Response and/or Customer Notifications, boilerplate language in your 3rd party contract is certainly not enough. Will the 3rd party interpret the significance of a data-loss event the same way you would? You need to be sure!

We don’t have specific language for you, but consider the following in your due diligence work and when providing direction to legal counsel who writes your contracts.

• Is your 3rd party required by law to report lost information to the impacted customers? If yes, try to define your customers as your customers only. Failing that, how will you follow up?
• Will your 3rd party handle basic data, or the really sensitive stuff? And will the data be actively in use, or simply archived somewhere safe?
• Do you want to specify a deadline (# of hours or days) within which the 3rd party must notify you of problems?
• Should you include a liquidated damages clause so you will be compensated for incidents that impact your business and reputation?
• If the 3rd party does lose your customer information due to an incident, does a SAR need to be completed? Will the 3rd party cooperate, etc.?

Obviously, the list of considerations can be long which is why we wouldn’t recommend boilerplate language without a well thought-out 3rd party Service Provider Due Diligence [or Vendor Management] Program in place.
_________________________
We help banks solve compliance challenges inexpensively. www.appliedintent.com
