If you’re a security wonk (like me), you find legal cases related to information security interesting. And the one described by Shawn Tuma, a cybersecurity lawyer, in the DarkMatters security blog is an excellent example why.

In the article, Tuma describes the current legal case between an insurance company and a website design company (Travelers Casualty and Surety Co. of America v. Ignition Studio, Inc.). Ignition Studio, the website design company, suffered a security breach for a website they designed and hosted for Alpine Bank, a financial institution. Alpine Bank had some form of cybersecurity insurance and their insurance company, Travelers Casualty, paid their claim then turned around and sued Ignition Studio.

However, the original contract between Alpine Bank and Ignition Studio wasn’t very specific about who was responsible for what, so the whole thing ended up in court.

Tuma does a good job of breaking down what should have been specified in the original contract, and it’s a good reminder to any business thinking about purchasing services that involve protection of sensitive information.

He calls out four areas to include in particular:

Specify any regulatory or industry security standards you expect the vendor to follow.

Specify who is responsible to make sure the project is protected with the right security controls.

Specify how the controls will be validated and any remedies if they are not.

Specify what happens in the event of a security breach.

When these items aren’t clearly defined in writing, the chances of confusion over who is responsible for what increase dramatically. As Tuma says:

“This kind of ambiguity leads to litigation. In today’s business environment, anytime parties do business together, they should discuss the cybersecurity issues that are involved.”

So before you work with another vendor who will be handling your sensitive information, review this article and make sure your security bases are covered!