Offshore Terms and Conditions

KC Enterprises has vendors who perform services offshore from the United States. If the core of your business does not involve offshore work, then having an addendum to deal with these instances is the best option. Ensure they cover these key areas: company data, resources, right to audit, and definitions.

Company Data  The use of an offshore vendor that has access to sensitive data requires very specific instructions on how to protect that data. When it is accessed from outside your home country, that distance makes assessments and validations challenging. During a pandemic event where there are travel restrictions, trusting vendors is more important, which creates legal obligations and boundaries. KC requires that the vendor maintains a certification equivalent to ISO 27001 and provides proof of that certification when requested. Personnel may only connect to the company network from the Offshore Development Center (ODC). This requirement to have the personnel work only from a vendor‐managed location ensures that physical and logical security controls are centrally managed and ensures that it maintains the segregation of data.

Any paper documentation on protected data must be maintained in a locked room or container in the ODC when not being utilized in a continuous, uninterrupted way. When no longer needed for business purposes, these documents must be placed in a locked container designated for being cross‐shredded to a degree they cannot be reassembled. This destruction must take place within the ODC and in the presence of a vendor's employee.

The vendor must agree to adhere to the best practice regarding a Clean Desk Policy to prevent the unintentional disclosure of protected data. Any computer with access to such data must have a logoff and screen saver that locks the computer after 15 minutes of inactivity. Workspaces must be clean of any protected data when the users are not at their desks, and all other data transmission mediums (e.g., interoffice mail, fax machines, printers, etc.) must adhere to the Clean Desk Policy.

There must be physical controlled access to the ODC. The security process for entry must include a search of bags, backpacks, purses, or other storage devices that are not permitted in the production area (where protected data is accessed). Such devices are permitted in areas with Test or Development access, provided that the data at that level has been anonymized sufficiently as prescribed by KC Enterprises. Vendors will not permit any recording devices (e.g., cell phones, smartphones, tablets, cameras, etc.) in the ODC's production area at any time. A physical separation between the non‐production and production work areas must exist at all times. This physical separation must meet the intent of not allowing non‐production staff to in any way view or infer the content of production data.

Continuous Monitoring of all locations at the ODC where work is performed for the company must be done by closed‐circuit cameras that proactively monitor the activities for potential security violations of protected data. Recordings must be kept for no less than 90 days. Vendors may not use any keystroke monitoring or logging tools unless previously agreed to in writing by KC Enterprises. Any hardware used to store protected data may not be reused by the company but must be destroyed.

A designated workspace is required for all work done by the offshore vendor to ensure that the data is protected. All data connections must be done over an encrypted connection first to the offshore vendor's U.S.‐based location, then to KC's network. This connection is only permitted with a virtual desktop that prevents access to the internet, does not allow for the copying of data out of the virtual desktop, and logs all the user's activities, with the logs retained for no less than 90 days. A dedicated network can be used with a separate virtual local area network (VLAN) to isolate any protected data from the other network traffic.

Any access to the internet or company email while on this virtual desktop is limited to the functions needed to perform the job. If there is any communication software running on the vendor's desktop that is used by the staff, a Data Loss Prevention tool must be running as well. Any visitors to the designated workspace must log in at the security desk and be escorted at all times. No competitors of KC Enterprises are allowed into the designated workspace at any time. Emergency personnel (e.g., medical, fire, other emergency staff) may be permitted for the duration of the emergency and must be logged in by the vendor's physical security staff. Any emergency personnel entry logs must be kept for no less than one year in case of review.

Resources  When using dedicated resources for the processing of KC Enterprises' protected data, the vendor resources are required to have a background check performed before work can begin. Personnel must have a photo and copy of their fingerprints on file with the vendor. Employees must go through an annual Security and Awareness Training program, and read and accept the Code of Ethics and all appropriate vendor policies applicable to their job role and functions. All correspondence with the vendor and KC Enterprises must take place using already approved and agreed‐upon communication software (e.g., email, chat, fax, and so on).

Right to Audit  KC Enterprises reserves the right to perform a physical on‐site security assessment of all offshore facilities where work is performed for them. This right to audit can be performed at least once a year or within 90 days of notification of a security breach.

Definitions  Within the vendor's contract, ensure that a section is included that defines and clarifies all terms and conditions within the contract for that the vendor and company as related to offshore terms and conditions. Terms typically defined in this section include protected data, destruction of data specifics, vendor, services, offshore, ODC, and personnel.

Hosted/Cloud Terms and Conditions

At KC Enterprises, when a vendor goes through the IRQ and is flagged as having a cloud‐based solution, then the Legal and Cybersecurity teams also include a Cloud Terms and Conditions addendum to address those specific security risks. It may overlap with other addendums, but the desire is to ensure that the vendor understands and commits to them.

Data Ownership, Use, and Retention  Within the vendor contract, it's important that you specify that the use of data by the vendor is limited non‐transferable for use within the data centers. At KC Enterprises, the contract also states that the data must never leave the United States, to avoid any entanglements with foreign data security or privacy laws. Directions should be given that the data must be used solely for the purposes of the service/product provided to the company, and that it must be encrypted at‐rest, in‐transit, and in‐use. Data is owned by the company, not the vendor or CSP. Vendors must also return the data upon completion of the contract.

Vendors must have sufficient data backup and retention methods to meet the service‐level agreement (SLA) commitments to the company. Upon the termination notification of the contract, the vendor has 90 days to provide copies of the data. Within 90 days of contract termination, the vendor must provide a digital certificate of destruction (COD) of the data. Hardware may be reused, but it must go through an overwrite process no less than five times.

Data Center Security  Specific directions and requirements for the physical security at the data center are for security 24 hours a day, 7 days a week, 365 days a year. Stipulate in the contract that there is no public access to the facility, in addition to having only minimal or no signage posted as to the facility's purpose. A monument sign that gives the company name, but nothing that indicates it is a data center, is allowed. Personnel must be company employees, or if outsourced, they must meet or exceed the background checks and training for the vendor's personnel.

Data centers used by KC Enterprises or its vendors must meet at least a Tier 3 rating. Tier 3 data centers have multiple avenues for electrical, HVAC, and other systems in place to update and maintain them without taking them offline. They should have an expected uptime of 99.982 percent (or 1.6 hours of downtime annually).

Application Security  Similar to the requirements surrounding secure coding and software delivery, application security should be spelled out in the contract, given the risk of cloud applications. A warranty in the contract addendum for ensuring that no viruses, trojans, time bombs, backdoors, or other malware are included in software must be provided. A contingency plan must be included in the language in case any illicit code is found: If malware or other security risks are found in the code, the vendor must notify the company within 24 hours. They must take remedial action and provide a patch at the earliest possible moment along with any steps that can be taken by KC Enterprises to mitigate the risk until the updated code is ready. The contract should specify that any damages resulting from the illicit code, intentional or unintentional, are the responsibility of the vendor and not the company.

Support  If the vendor uses another provider for the data center (a co‐location or CSP), then support can be multi‐tiered, depending what actions need to be taken. Within the contract, define support terms (e.g., support is available 5 or 7 days a week) and who performs it during this period. Include which time zones are expected for support hours. Specify how fast the calls must be answered and the percentage of calls expected to be answered within a certain number of rings or elapsed time.

Incident Notification  The contract should also include specific language that defines what constitutes an actual or suspected breach or compromise of security. This breach should not be confined to the services/products provided to the company, but to any other customer or the vendor as a whole. The notice of a suspected breach can be challenging to get agreement on, but it can be added to the contract's Definitions section if it is unclear. Breach notification includes both physical and logical security, and the vendor must notify within 24 hours of the breach occurring. You can negotiate up to 48 hours, but target it at 24 hours if possible. Tie the notification and breach to the contract's termination if the company determines that the scope of the incident warrants severing the relationship.

Definitions  In the context of hosted/cloud terms and conditions, the contract should define terms that are likely to produce conflict or risk. Such terms include best practices, destruction of data, personnel, contractors, breaches, suspected breaches, and notification methods.

Privacy Terms and Conditions

As stated earlier, data security is not the same as data privacy. Data privacy is the proper use, collection, retention, storage, and deletion of data. Data security is the process, policies, methods, and means to secure sensitive protected data. These details can be found in your Master Services Agreement (MSA) or in a separate exhibit, but they should cover the vendor's privacy program, data ownership, data use, data collection, compliance, and fourth parties.

The Privacy Program  Stipulate in the privacy addendum that the vendor will maintain a privacy program of its own that manages handling personal identifiable information (PII) and documents how it will respond in the event of a breach. Any work needed as a result of a breach, such as privacy impact analysis, consultations, and reporting to any supervisory organizations, must be done with the assistance of the vendor.

Data Ownership  All data is the property of the company, irrespective of which party has custody of it. Ownership is important for several reasons: Ownership equals access, and specification of the ownership ensures that the company will retain that access. Managing data integrity is dependent upon the data's ownership resting with the company. The ability to inspect and examine the data first‐hand on demand rests on who has ownership of the data.

Data Use  As one of the core tenets of data privacy, be specific in your contract about how the vendor is allowed to use the data. Verbiage may need to be generic in approach, such as “vendor will only use data and information provided as directed by the company” or it may need to be specified at an application level. Ensure that the vendor knows your data's limitations (i.e., how any data collected from your customers or employees is used as intended).

Data Collection  Terms and conditions limits must be placed on the vendor's collection of personal data gathered on the company's behalf. A vendor should only be allowed to collect the PII necessary to perform the services required. Specify in the contract that there will be no data collection done anyone under 16 years old or provide this information knowingly to the company performing the collection of data. The age limit is driven by the General Data Protection Regulation (GDPR) that sets the age of consent at 16; anyone 15 and younger requires the permission from a parent or guardian. The law is different in the United States, but GDPR is one of the most stringent so adhering to it is always a good baseline. The language for compliance is using “reasonable efforts” to verify that the age of the minor is the age of consent or below.

Vendors must notify the company about the methods used and operation of the data collection for cookies, pixel, beacon, JavaScript, UDID, or any other mechanisms used for tracking users. Any tracking technology must be previously approved by the company; it may not use local shared objects, be deployed on behalf of fourth parties, circumvent user preferences contained in browser settings, or fail to provide users with an opt‐out option.

Data Location  Much like the other parts of an agreement about data, the data should be confined to areas where it is only needed and used. At KC Enterprises, the contract stipulates that the data must not reside or be transmitted at any time outside the United States. This limits the risk that it might become subject to another privacy or security regulatory body or organization, such as GDPR.

Compliance  Depending upon the location of your business, there may be specific laws and regulations stipulated to ensure that the vendor does not present a risk to your company, such as the California Consumer Privacy Act (CCPA) or GDPR. If the data is Personal Health Information (PHI), then the contract should list any applicable regulations they must adhere to as well.

Fourth Parties  Often called piggy‐back or fourth‐party tracking parties, fourth parties are parties who leverage your data for their own use. Piggybacking tags are dangerous because another party, not your third party, can potentially obtain access to the data, slow the loading times at websites resulting in customer issues, and create non‐compliance with regulations like GDPR or CCPA.

Inside Look: Heritage Valley Health vs. Nuance

We begin this Inside Look with the admission that in 2020, a judge dismissed the case by Heritage Valley Health vs. Nuance. However, the damage was, in many ways, done to further the punishment of Nuance for their breach. The case was around the damages Heritage Valley Health was seeking due to having a network connection to Nuance. The case was filed in 2019, after Nuance was breached by the NotPetya malware in 2017. This was year upon year of bad press, reminding readers of the hack three years ago, the wasted energy having to fight it, and all the court fees and attorney's fees.

The case against Nuance by Heritage Valley Health held that it was responsible for Nuance's systems getting Heritage Valley Health's systems also infected. Nuance had a VPN connection to Heritage Valley Health. Heritage Valley had to cancel patient visits for a week, and the damage to its systems ran in the millions. Heritage Valley stated:

Nuance is liable for any contractual obligations and tort liability arising from the plaintiff's use of the products acquired from Dictaphone, and Nuance should be held liable for poor security practices and governance oversight as it had a broader duty to prevent the cyberattack.

More importantly, to the legal risks raised in this chapter, this is why the case was dismissed. The judge accepted Heritage Valley Health's arguments and stated that the facts were not in dispute. However, the contract that was for the service was with Dictaphone, which was acquired by Nuance in 2006. That meant Heritage Valley Health's legal and third‐party management team had not updated any contract in over 10 years. Because the contract was with Dictaphone, the judge held that there was no product liability for Nuance.

As hard as that might be for them to hear and placing the legal logic aside for a second: When Nuance bought Dictaphone, there should have been a new contract created and set into place immediately. Secondly, parts of the information security language should not be more than 3 years old or the risk of it being outdated grows. The industry and threats move too fast, and if contracts automatically renew with no review or brand‐new contract, then it is a ticking time bomb.