A Tale of Two Viewpoints
When I was responsible for information security and privacy at a large financial and healthcare organization throughout the 1990s, I had literally hundreds of business partner organizations to which we outsourced various types of activities that required some type of access to our client and customer information. Add to that several hundred agents and, scarier still because they were not exclusively selling our products, brokers, and you can probably imagine the angst I felt when thinking about the ways in which all those other organizations were putting our information at risk. The contracts with them had a very brief requirement to “provide appropriate security controls” for the information, but that did not alleviate my worries. But, since at that time there were no data protection regulations in effect, the lawyers said this simple clause was enough. And then one of the outsourced entities had an incident resulting from a lack of controls, which allowed a hacker to enter our network.
Ultimately, after the breach response concluded, I did an audit of the offending business partner to ensure he had made, and kept, changes to keep the same type of security incident from happening again. And then I once again asked the lawyers to beef up the contracts with our various types of business partners, including, among other specifics, a right to audit clause. I wanted to audit not just after a breach, but at any time when I thought it necessary to protect our information assets. This time the viewpoint of the legal office had changed. They agreed that it was a good idea, and from that point forward we included a right to audit clause within all contracts with business partners that accessed or possessed our information assets in any way. Such a clause is a good idea for all types of organizations, of all sizes, not only as a way to demonstrate due care, but also to be proactive in preventing privacy breaches and security incidents. Here are three compelling reasons why you should have right to audit clauses within business partner contracts.
#1 A right to audit allows for identification of risky business partners
Several years ago I performed over 100 business associate (BA) information security and privacy program audits for a large healthcare insurer. They actually had identified over 450 BAs, but they had identified the 100 that I audited as their highest risk BAs. Throughout the delivery of my audit reports, four of the business unit VPs, and numerous other managers, told me of their concerns about some of the specific BAs, and that their concerns were validated by my audit results. As a result of the audits they were able to get many of the BAs to strengthen their safeguards, and they also terminated their relationships with around half a dozen of the BAs.
By reserving the right to audit all their BAs, they were able to perform audits within those that they determined to be of highest risk, to then eliminate those who refused to alter their business actions, and to improve their security, and mitigate associated liability, by having other BAs improve their security programs. I then performed other audits for them in BAs that they had not identified as high risk, but that some of the managers had concerns with.
#2 A right to audit supports compliance
When information processing or storage is outsourced to another entity, the organization that gives their BA, or any other type of business partner, access to their information does *not* also outsource their liability for the protection of that information (even though some try really hard to do so through all sorts of complicated liability absolution contract language). The recently released HIPAA Omnibus Final “Mega” Rule makes this clear by stating:
“(c) Violation attributed to a covered entity or business associate. (1) A covered entity is liable, in accordance with the Federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the covered entity, including a workforce member or business associate, acting within the scope of the agency.”
The healthcare industry is not the only one where this type of BA liability will be shared with the covered entity (CE). And, when considering organizations that accept credit card payments, an organization that must comply with PCI DSS will still likely bear some liability in the event one of their outsourced business partners experiences a breach involving credit card information.
The HIPAA Omnibus Final Rule also makes clear that CEs must take actions to help ensure their BAs will have appropriate safeguards in place, as it states:
“§ 164.502 (e)(1) Standard: Disclosures to business associates. (i) A covered entity may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information.”
An audit is one good way to obtain such satisfactory assurance. (More are listed below.)
#3 A right to audit strengthens security and privacy controls
When organizations know they could be audited at any time, it provides the motivation for them to ensure their information security and privacy controls are as effective as possible, and that they meet all their compliance requirements. I’ve seen this firsthand, in dozens of organizations.
When you are thinking about the areas where you want to audit your business partners, you will also ultimately realize areas within your own organization where you should also check on security and privacy controls. I’ve also seen this firsthand. In each of my clients where I performed third party audits on their behalf, as I was going over the findings with them they all became more aware of similar issues within their own business practices and then worked to address them.
Including the right to audit clause also keeps options open for you if you ever suspect, or hear of, any information security or privacy concerns within any of your BAs or other types of business partners.
Other options for business partner oversight
There are other good, effective ways in which you can provide additional satisfactory assurance that your business partners are not putting your information at unnecessary risk. I will probably elaborate upon some of these in upcoming blog posts based upon feedback and/or requests readers provide, but for now here is a list of additional actions for you to consider. You can require your business partners to:
- Complete monthly information security and privacy attestations. I include a short information security and privacy quiz, which is different every month, in the ones I create for my clients.
- Provide a copy of their most recent independent information security and/or privacy audit.
- Maintain a third party security or privacy seal on their site. This is of particular value for cloud service providers.
- Allow your organization to occasionally review business partner information security and privacy policies.
- Understand that your organization will regularly check online reports to discover when business partners have been involved in incidents, breaches, or frauds for which they did not provide any notification.
And, you should always include detailed safeguard requirements within the business partner agreement/contract, not just a simple, vague statement indicating the need for information security controls.
Right to audit myths
I’ve heard some interesting reasons and myths for why an organization shouldn’t provide a right to audit clause. Let me dispel a couple of them:
1) If you include a right to audit clause then you are obligated to actually perform an audit. False!
A right to audit clause is just that; you are reserving your right to audit if you should ever determine there is a need to do so. When worded properly it does not establish any obligation on your part to actually perform an audit. A right to audit clause is a fail-safe to reserve that option if the need should arise.
2) You should only include a right to audit clause within the contracts for BAs and other business partners that are considered to be high risk. False!
Relationships with business partners often quickly change. A very low risk relationship with a business partner can quickly become high risk when they start doing different types of services for you, when they start using new technologies such as smartphones, social media, and cloud services, and so on. Also, organizations often are not aware of risks within their business partners that would have made them a high-risk proposition.
Bottom line for all organizations, from the largest to the smallest: “Trust but verify” is an old Russian proverb that Ronald Reagan quoted often during his presidency. And with good reason; in a wide range of life situations you need to validate something is as promised. When it comes to information security and privacy, you need to be able to validate the third parties you’ve entrusted with your organization’s information have appropriate controls in place. If you don’t have a right to audit clause within your business partner contracts you could be shutting off your ability to have such an audit performed whenever the need arises.
Psst, hey outsourced entities, make sure you are prepared to meet such requests.
Additional information about using a right to audit clause
Here are some additional sources of information related to the need to include a right to audit clause within business partner contracts:
- FFIEC examination procedures handbook, which includes directives to check for right to audit clauses
- IIA presentation includes recommendations to use right to audit clauses, “Identifying and Managing Risk in Outsourcing/Off-shoring Arrangements”
- FFIEC outsourcing booklet recommends the use of right to audit clauses
- Annex A of ISO/IEC 27001: A.12.5.5 Outsourced software development recommends using right to audit clauses
- Cloud computing security concerns: How to audit cloud computing includes recommendations for right to audit clauses
- 20 steps to an iron-clad SaaS contract recommends using right to audit clauses
- I provide a sample right-to-audit clause as part of my Compliance Helper library of customizable forms, policies and procedures.
This post was written as part of the IBM for Midsize Business (http://goo.gl/S6P7m) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.
Tags: audit, awareness, BA, BA Agreement, BA contract, breach, business associate, compliance, customers, data protection, due diligence, e-mail, electronic mail, email, employees, employment, Final Rule, HIPAA, hiring, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, laws, Mega Rule, messaging, midmarket, non-compliance, Omnibus, patients, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, right to audit, risk, risk assessment, risk management, security, sensitive personal information, SPI, systems security, training, walk through