Is the “Industry Standard” an Appropriate Security Standard?

Oct 24, 2016

Companies that deal with proprietary and personal data have an obligation to ensure the security of that information. The major function of security standards is to provide a framework to mitigate the risks of cyber attacks. When companies outsource services to third parties and grant access to sensitive business and customer information, they should review the vendor’s information security program before entering into an agreement. Many agreements state only that the vendor will follow the “industry standard.” Reviewing the vendor’s information security program can help to identify the security standard that the vendor actually follows, but the company itself should determine which standards matter for protecting the company’s information.

There is a common saying in the cybersecurity industry that “compliance is not security.” Consequently, companies should engage legal counsel to work as a team with the information security department in order to critically review the vendor’s security program and to help ensure that appropriate language is in the vendor agreement that defines the “industry standard.” 

Because there are substantial efficiencies and cost savings when using vendors for software-as-a-service (SaaS), cloud storage, and data hosting, an agreement should be clear and specific in describing the applicable industry standards and security programs. Engaging an attorney experienced in these matters can further assure that a vendor agreement includes the appropriate terms and conditions to describe the industry standard and the appropriate security standards in the vendor’s information security program.

Heliane Fabian