To avoid becoming the next breaking news story, many businesses are getting their houses in order before they become the target of a security breach. As part of those efforts, many enterprises are turning to security consultants to perform assessments of their systems. These are admirable activities. However, this does not mean that such engagements should be entered into with any less care than a business would use in any other transaction in which a third party is granted access to the company's most sensitive data. Unfortunately, that care is seldom taken.
All too often, businesses fail to adequately address the most fundamental of contract terms. In some instances, security consultants create more risk than they resolve. The contract engaging the security consultant should avoid these four common pitfalls:
Failure to define the project. The contract should clearly define the scope of the security assessment (e.g., the facilities, systems, servers, networks, etc.) to be reviewed. For a technical assessment this should also state what is out of scope and what the consultant is permitted to do: which testing methods are authorized (for example, whether active exploitation, social engineering, or tests that could disrupt service are allowed), the windows during which testing may occur, and who at the client must be notified before and during testing. Without these rules of engagement, a consultant may test systems the business did not intend to expose, or may be unable to test the systems that matter most.
Failure to control costs. The contract should contain a clear budget, with all fees stated. The consultant should be precluded from exceeding that budget without the client's written authorization.
Lack of security and confidentiality protections. All too often, security consulting agreements provide little or no detail regarding the security and confidentiality measures the consultant must use. Worse yet, the consultant has little liability if it breaches those obligations. This matters because, by the end of the engagement, the consultant holds some of the most sensitive information the business has: a list of its unpatched vulnerabilities, often credentials or access it was granted for testing, and sometimes samples of the data it was able to reach. Contracts should clearly define the security measures to be used (including how findings, credentials, and any collected data are stored, transmitted, and destroyed at the end of the engagement), include detailed confidentiality protections, and, generally, exclude breaches of those requirements from any limitation or exclusion of liability.
Failing to protect the audit report from discovery. Given the potential sensitivity of the final audit report, which may document every weakness found, it may be prudent to involve the business's attorney in engaging the consultant so that the report can be protected from discovery under the attorney-client privilege or the work product doctrine.