Obligations take on one of three forms:

1. An obligation to a particular information security control framework, such as NIST, ISO 27001 or ISO 27002; SOC; or a regulatory framework, such as HIPAA, PCI, NERC CIP, etc. Obligation to a framework can mean an obligation to hundreds of controls and considerable expense.

2. An obligation to a specific security or privacy control. These obligations get to the point of the matter, which is generally a specific risk the customer is concerned about rather than a whole class of activity. This is more acceptable and manageable. For instance, an obligation to implement a security awareness for employees based on NERC CIP is much less onerous than implementing NERC CIP, particularly when it does not apply to the situation.

3. An obligation to certain performance activities such as reporting when certain events occur including security events, incidents or breaches, outages or other IT events. On the surface these are reasonable requests but raise risk dramatically for a firm that does not have the wherewithal to identify, log, manage and report on those types of events.

Personal Information

1. How is personal information defined?

   • Does the definition refer to a specific law/regulation, e.g., GDPR, CCPA, CPRA, etc.?

   • Does the definition refer to special categories of personal information, such as sensitive personal information? If so, how are they defined?

   • Does the definition refer to a specific contract or document?

   • Are examples of personal information and/or personal information identifiers specified?

2. Is there a separate definition for confidential information?

   • How is confidential information defined?

   • Is personal information included in the definition of confidential information?

   • Is personal information to be treated as confidential information?

3. Are there types of information defined separately from personal information and confidential information?

Applicable Law

1. Are specific laws/regulations incorporated into the contract?

   • If not, should they be?

   • If so, in which context?

2. Is specific guidance, or are specific industry practices, standards, or frameworks incorporated into the contract?

   • If not, should they be?

   • If so, how are they included and defined?

   • Are they required or recommended as a “best practice”?

3. Does the contract address potential changes to laws/regulations/guidance, etc.?

Security Incident

1. How is security incident defined?

   • Are unauthorized and/or unlawful uses and/or disclosures addressed? If so, how?

   • Is a suspected security incident included in addition to an actual security incident?

   • Does the definition incorporate language from or refer to the CCPA?

   • Are there specific exceptions to the definition of a security incident?

2. Does the contract address how, when, and to whom a security incident must be reported?

   • Who is required to report the security incident?

   • Is there a specific contact and contact information for providing and receiving such reporting?

   • Is anyone else permitted to provide or receive the report of the security incident?

   • Which specific information must be reported?

   • How must it be reported?

   • Must it be reported within a specific time frame?

   • Are updates required, and if so, with any particular frequency?

   • Which actions must be taken to prevent, contain, and mitigate security incident?

3. Is a prompt or immediate investigation required?

4. Is cooperation regarding the security incident required:

   • between parties?

   • with law enforcement and/or regulators?

   • with incident response personnel (internal and external)?

   • with insurers and insurance brokers?

   • Must a root cause analysis of the security incident be provided?

5. Are there restrictions regarding disclosure of or publicity regarding a security incident?

6. Does the contract specify which party is to have control of the investigation and management (including notification) of the security incident?

7. Does the contract specify which party is responsible for costs relating to the security incident (e.g., legal, forensics, credit monitoring, printing and postage, other remediation, etc.)?

   • Does the contract require mitigation measures and/or actions to prevent recurrence?

   • Does the contract require notification and/or documentation regarding mitigation measures and/or actions to prevent recurrence? If so, to whom and in what format?

Security Practices

1. Does the contract require specific physical, administrative, and technical safeguards?

   • If so, what are these safeguards?

   • Are the safeguards for personal information only?

   • Do they cover confidential information?

   • Do they cover other specified or defined information?

2. Does the contract require implementation and maintenance of a written information security program (WISP) with specific safeguards?

3. Does the contract include security requirements specific to the vendor?

4. Does the contract require policies and procedures to detect and protect against actual or suspected security incidents?

5. Does the vendor have separate policies and procedures addressing security?

   • If so, what do they cover?

6. Does the vendor have separate business continuity policies and procedures?

   • If so, what do they address?

7. Does the contract require due diligence and include other measures regarding the vendor’s employees and/or subcontractors (such as background checks, training, policy and contract requirements, etc.)?

8. Does the contract specify access control measures?

9. Does the contract address and define encryption measures?

10. Does the contract specify restrictions on the use and/or disclosure of personal information, confidential information, and/or other specific or defined information?

11. Does the contract include specifications regarding personal information, confidential information and/or other specified or defined information relating to:

    • secure transmission?

    • secure storage?

    • secure disposal?

12. Does the contract address monitoring, testing, and updating of safeguards, program, policies and procedures?

13. Does the contract permit or require assessments or audits of the security program?

    • What are the assessments or audits?

    • How are they invoked and performed?

    • How frequently?

    • Who performs them?

    • Who pays for them?

14. Does the contract specify that deficiencies found in the security program must be corrected?

    • If so, how must correction of such deficiencies be communicated and to whom?