Buying IoT technology: How to contract securely

More and more products are shipping with sensors and network connectivity to capitalize on the currency of data. Data interconnectivity between these devices creates new opportunities to identify and support insights about how use of these products impacts your company. For example, a meeting room may automatically turn on its lights and air conditioning ten minutes before a scheduled meeting by using third-party software; your employees may transmit data about how many steps they've taken, their heart rate and their caloric intake to a third-party vendor as part of a wellness program; and equipment all throughout the enterprise (from the trash can to the HVAC system) might generate alerts to third-party vendors when in need of repair.

What happens when your network-capable trash can becomes the entry point for a hacker?

What do you do when your wellness vendor is compromised and employee data is published on the internet? How do you know your internet of things products are safe? These are not academic questions. The 2013 Target Corp. data breach reportedly stemmed from a compromise of network credentials maintained by a third-party HVAC vendor. Recent research also reveals how old cybersecurity vulnerabilities are present in new network-capable, consumer-facing products, like baby monitors. In the United States, costs associated with data breaches have risen each year over the last three years. When a breach of consumer or proprietary business information occurs, a company will pay costs for audit and consulting services, legal services for defense and legal services for compliance. A company that negotiates information security into its contracts to purchase third-party IoT products may avoid some of these costs, either through risk transfer or by avoiding the incident completely. Of course, identifying and mitigating cybersecurity risks with these vendors requires collaboration among multiple business units and a vendor willing to negotiate.

Product Evaluation

The product evaluation phase in IoT procurement is critical. A lawyer cannot intelligently negotiate a procurement contract without understanding how the network-capable product is going to be utilized in the environment and/or whether a third-party vendor will require access to the product (e.g., for maintenance). Take one example — if your company is purchasing a surveillance camera that is equipped to generate an alert when it detects sound, the risk associated with installation of that camera is much different depending on where it is deployed logically and physically, who has access to the data it generates and what features are enabled or disabled. In this example, if the camera is deployed above the water cooler and is accessible by the third-party vendor to conduct maintenance, you may have concerns over the privacy of employee conversations that could be captured by the camera. If, however, the camera is deployed over an external door at a remote site, that concern is nonexistent. In another example, if the camera is deployed in the United States, the privacy and data security risks are much different than if the camera is deployed in the European Union.

Understanding how the product is deployed, what information it will collect and how that information will be used will require conversations with those at your company who will be using and maintaining the product, including information technology, privacy and information security. Although these conversations may naturally happen through your company's vendor management practices, one way to kick-start them is to implement privacy-by-design. Privacy-by-design is an approach to protecting privacy by embedding it into the design specifications of technologies, business practices and physical infrastructures. A key tenet of privacy-by-design is to think about privacy in the design and architecture of systems and processes at the outset. A company that implements privacy-by-design would require that company stakeholders discuss how the implementation of a new IoT product would impact privacy and information security for the organization.

Once a company understands how an IoT product will work in its environment, the next step in product evaluation is to understand how that product alters the company's risk profile through a risk assessment. A risk assessment is the process of identifying risk, assessing risk and taking steps to reduce risks to acceptable levels for the organization. How your company conducts a risk assessment may be determined based on your industry, the type of information you collect, how your company is regulated or by industry standard. There are many different risk assessment strategies and guidance available, and entire articles could be written on this concept alone. Many risks identified in this process will be mitigated without the involvement of legal, possibly through network design, identity and access management, disabling unnecessary features or implementation of other security safeguards. Some unacceptable risks, however, might be ripe for mitigation through contract.

Contract Negotiation

With an understanding of the risks that need to be mitigated through contract, a lawyer is equipped to enter negotiations. The following list of considerations may be helpful during this process. Of course, as discussed above, not all of these terms may be material — your deployment of the IoT product will dictate which terms you need to spend your negotiation capital on to make sure your contract aligns with your risk mitigation strategy.

Establish and Maintain an Information Security Program — Require an IoT vendor to establish, implement and maintain an information security program which requires the vendor to maintain commercially reasonable security safeguards designed to protect against any unauthorized or illegal access, loss, destruction or other exploitation of the purchased IoT product.

Cybersecurity Incident Response — In the unfortunate event that your IoT product itself, or the third-party vendor that receives data from it or has access to it, is compromised, you do not want to be left holding the bag for losses resulting from that breach. The cost of remediation efforts (e.g., legal defense, forensics, etc.) resulting from a data breach is high, and you may negotiate that your IoT vendor covers these costs. Given the high cost associated with a data breach, also consider requiring your IoT vendor to procure cyberrisk insurance that will apply when a data breach occurs related to the IoT product.

Jurisdictional Compliance — Depending on your industry and the location where you deploy your IoT product, you may have jurisdictional requirements that you want to ensure are met.

Downstream Obligations — Another key risk that is ripe for mitigation in the contracting process is addressing how your IoT vendor utilizes its own third-party service providers. If your IoT vendor engages a subcontractor for any purpose, make sure to require that this subcontractor conform to the same information security requirements that you expect of the IoT vendor itself.

Audit Rights — Requiring that your vendor comply with all of these information security requirements via the contract is a great step in mitigating risk. However, a contract is merely an instrument and does not guarantee compliance. To verify that your vendor is adhering to these requirements, consider negotiating an audit provision that gives you or your third-party independent auditor the right to enter the vendor's premises and conduct an assessment.

• Nick Merker is a partner in Ice Miller's Chicago office and co-chairman of the firm's data security and privacy practice.
