Protecting University Data
Through Agreements or Contracts with Third-Party Vendors:
Issues to Consider
March 2008
All agreements or contracts that provide for the handling, manipulation, reading, storage, or transmittal by a third-party vendor of University information assets should contain language that ensures the vendor puts in place appropriate safeguards and processes to protect the data and to respond to incidents.
Rationale: As a general rule, the University should explicitly require third-party vendors to safeguard all University data while it is in their possession and during transmission. First, the public is increasingly demanding greater protection and security of personal information held by institutions. Second, the security of critical data is essential to University operations. Third, state and federal laws impose specific requirements on institutions to ensure that their third-party vendors implement and maintain safeguards when handling personal information. A significant step UC must take to meet these expectations and to enhance information security is to define by contract the security standards its third-party vendors are required to uphold.
Issues To Be Addressed by Contract
General Confidentiality
- As a general matter, the business associate agrees to hold all data and information received from, or created on behalf of, the University in strict confidence
- Contract specifies business associate’s permitted uses, if any, of University information
Indemnification
- Third-party vendor will defend, indemnify and hold the University harmless from losses, claims, suits and damages resulting from any third-party claim based on negligent acts or omissions of the third-party vendor.
Protection of Information Assets
- UC selects and retains third-party vendors capable of maintaining appropriate safeguards for University information (in an RFP response, the third-party vendor demonstrates the ability to do this)
- Third-party vendor implements and maintains appropriate security measures. For example, an excerpt from UC's current G-L-B (Gramm-Leach-Bliley Act) contract language states: "protect data to commercially acceptable standards and no less rigorously than it protects its own confidential information. Service provider shall develop, implement, maintain, and use appropriate administrative, technical, and physical security measures to preserve the confidentiality, integrity, and availability of the data."
- Third-party vendor trains own personnel to protect University information
Insurance
- Third-party vendor shall insure its activities in connection with this agreement and obtain, keep in force, and maintain General Liability Insurance (contractual liability included) with minimum limits as follows:
  - Each Occurrence: $1,000,000
  - Products/Completed Operations Aggregate: $2,000,000
  - Personal and Advertising Injury: $1,000,000
  - General Aggregate: $2,000,000
- Business Automobile Liability Insurance for owned, scheduled, non-owned, or hired automobiles with a combined single limit of not less than one million dollars ($1,000,000) per occurrence.
- Workers' Compensation as required under California State law.
- Such other insurance, in such amounts, as may from time to time be reasonably required by mutual consent of the third-party vendor and the University against other insurable risks relating to performance
General Security Provisions
- Third-party vendor agrees to comply with University policy that articulates IT security requirements (IS-3, Electronic Information Security).
- Third-party vendor upgrades and maintains at the current release level any middleware, operating systems, and other software used by the service provider for UC applications
- Third-party vendor implements measures to detect, prevent, and respond to attacks, intrusions, or other systems failures
- Third-party vendor conducts risk assessment and determines appropriate security measures as part of all systems design and operations
- Third-party vendor that develops software and applications develops, reviews, tests, installs and operates software and applications consistent with UC standards
- Third-party vendor will not provide any University information/data to any subcontractor or agent without the prior express written permission of the University or as otherwise provided under the agreement.
HIPAA (Protected Health) Information
- There are specific requirements for contracts involving HIPAA information. Contact Executive Director of Medical Services Rory Jaffe at the UC Office of the President for details.
Security Incidents
- Third-party vendor develops a plan and implements procedures to ensure the ability to respond expeditiously to (1) known information security breaches, (2) disruptions caused by the failure of a security mechanism, or (3) suspected or known security threats
- Third-party vendor:
  - provides a copy of the plan to the University
  - tests the plan
  - designates an incident response team and escalation thresholds in advance
  - conducts routine review of logs
  - develops notification text to be approved by UC, as per the California Civil Code provisions on security breach notification
  - assumes notification expenses
  - makes an initial report of an incident to the University within 24 hours of discovery, and a final report within 1 month of closure
  - quickly institutes preventive measures to safeguard against another breach
Electronic Communications Policy (ECP)
- Third-party vendor abides by UC policy for privacy, confidentiality, and security in electronic communications and does not routinely monitor for content
- Third-party vendor notifies the University in the event the service provider needs to inspect electronic communications
- Third-party vendor complies with policy on unavoidable inspection. Excerpt from the ECP: "During the performance of their duties, personnel who operate and support [UC] electronic communications resources regularly monitor transmissions to ensure the proper functioning and security of University electronic communications resources and services, and in that process might observe certain transactional information or the contents of electronic communications. Except as provided elsewhere in UC policy or by law, they are not permitted to seek out transactional information or the contents where not germane to the foregoing purposes, or disclose or otherwise use what they have observed."
Return or Destruction of Data
- Third-party vendor returns all University data to the University, and retains no copy, upon termination, cancellation, expiration, or other conclusion of the Agreement, unless the University requests that the data be destroyed
- Third-party vendor provides evidence of destruction of data
Specific Regulatory Requirements
- Specific laws may impose specific requirements, e.g., HIPAA for electronic protected health information, breach reporting and/or encryption requirements for personally identifiable information, and G-L-B for customer and financial information.