Common use of Offshore Resources Clause in Contracts

Offshore Resources. Will the vendor use Foreign Nationals? This is only an issue, from a data security perspective, when the vendor will have access to information or technology that is subject to export restrictions. If the vendor will have access to such data, identify whether the Foreign Nationals will have access to it either in the United States, or abroad (including access from abroad to data located on a server in the United States). If they will, an export analysis will be required to determine, based on the nationality of the Foreign Nationals, whether such access will constitute an export (deemed or actual) that (a) is allowed, (b) will require authorization from one or more government agencies, or (c) is prohibited. Offshore resources also include data centers or other operations to which the data or technology will be sent. This actual export may, depending on the country where such resources are located, require the same export analysis to determine whether sending such data and technology (a) is allowed, (b) requires authorization from one or more government agencies, or (c) is prohibited. Obtaining a SOC report, IS027001 certification or other audit report will help assess such a location. Data security questionnaire These questions and others can be standardized in a data security questionnaire for vendors that can be used generally for multiple engagements. If a questionnaire is developed, input from IT and IA will be helpful. Subsequent review and advice from vendors who have completed the questionnaire will help hone the questions over time. As vendors may be unaccustomed to filling out such questionnaires, legal counsel, IT and IA should review it and ask questions, particularly if inaccuracies or discrepancies are spotted. If, for example, a vendor claims in the questionnaire that it has 10,000 employees, operates in 30 states, but has no subcontractors, that claim should be challenged. It is likely that the company, at minimum, is engaging a subcontractor to provide storage services, IT assistance or other services, and that should be explored further. The information from the questionnaire will allow legal counsel, IT and IA to develop a comprehensive view of the vendor’s data security practices, and an understanding of the undertaking. It is important to understand the limitations of this assessment. For example, when relying on the responses that a vendor provides or a third party audit report, clarify that the accuracy of the information has not been independently confirmed, unless, in fact, it was. In addition to improving the quality of the decision to proceed with a vendor, this process will also better enable legal counsel to draft provisions in the applicable agreement that will help fill the gaps in data security mitigation. Part two: What to include in an agreement Once the due diligence process concludes and it is time to proceed, consider including the following provisions in the agreement to address data security. Data security standards If a company is serious about protecting data, it may be worth developing a set of security standards that a vendor must implement and maintain. Such standards may include: Encrypting data at rest Encrypting data in transit Employee training Background checks (including fraud convictions) Terminating access immediately upon an employee’s departure Insurance that responds to data security events Service Organization Control Reports (such as a SOC 2, Type II) Annual penetration tests Continuous security monitoring Business continuity plan Disaster recovery plan Data security policies that include discipline for failure to abide by such policies Audit rights and reports If the vendors (or its subcontractors) maintain the audit reports and certifications described above, ensure receipt of a copy of such reports on an annual basis for the term of the agreement. Including a right to audit, particularly in the event that data is compromised, is also helpful.