Integrating Information Security into the Contracting Life Cycle • 273
compromised because the vendor failed to implement appropriate information security safeguards. Worse yet, those same organizations are frequently found to have performed little or no due diligence regarding their vendors and have failed to adequately address information security in their vendor contracts, in many instances leaving the organizations without a meaningful remedy for the substantial harm they have suffered as a result of a compromise. That harm may take a variety of forms: damage to business reputation, loss of business, potential liability to the data subjects, and regulatory and compliance issues.
Whether the information at issue is highly regulated data identifiable to individuals (e.g., non-public financial information, protected health information, or the myriad of other information now subject to state, federal, and international protection relating to individuals) or sensitive business information, including trade secrets and other proprietary information, companies must ensure that information is adequately protected by their vendors. This chapter discusses three tools companies may use to reduce information security threats posed by their vendor relationships, to ensure proper due diligence is conducted and documented, and to provide remedies in the event of a compromise. Those tools are: (1) the due diligence questionnaire; (2) key contractual protections; and (3) the use in appropriate circumstances of an information security requirements exhibit. Whenever a vendor will have access to an organization’s network, facilities, personal data, or other sensitive or valuable data, one or more of these tools should be used.
By implementing these measures, the company can better integrate information security into the entire contracting process—as opposed to simply having it be a “bolt-on” at the time of contract negotiations.
DUE DILIGENCE: THE FIRST TOOL
Companies should conduct some form of due diligence before entrusting vendors with sensitive information or with access to their systems. Unfortunately, most companies conduct this review on an ad hoc basis, informally, without clear documentation. In very few instances is the outcome of that due diligence actually incorporated into the parties’ contract. This approach to due diligence may no longer be appropriate or reasonable in the context of today’s business and regulatory environment. To