
Strengthening Vendor Agreements: Insights From the SitusAMC Breach
SitusAMC was hacked recently, potentially exposing nonpublic personal information of residential and commercial borrowers as well as bank-level portfolio data. Although nothing currently suggests any security failures by SitusAMC, this breach highlights the extent to which bank and consumer data is targeted by hackers – in this case through a nationally recognized bank vendor. In response to this data security incident, Godfrey & Kahn advises financial institutions to keep the following best practices in mind when reviewing vendor agreements:
- Conduct appropriate due diligence on third-party data processing partners to assess the level of risk associated with the relationship, the data privacy and security procedures that the partner employs, and its commitment to compliance with applicable data security regulations;
- Ensure that appropriate procedures are in place for responding to data security events, and that the agreements broadly define what constitutes a data security incident to permit prompt response and remediation;
- Ensure the agreement obligates the partner to inform you of any incidents in a timely manner and provide regular updates on the investigation and remediation;
- Ensure the agreement prohibits the partner from sharing or accessing any of your customer or employee non-public personal information outside of the United States;
- Ensure the agreement shifts the costs of incident response to the partner and obligates the partner to broadly defend, indemnify and hold you harmless against any losses that may result from a data security incident that occurs on the partner’s system;
- Clearly delineate permitted and non-permitted uses of any confidential information.
Godfrey & Kahn’s banking team routinely advises financial institutions across the country on their vendor agreements. For more information, please contact Patrick Murphy.
If your bank has suffered a data breach, Godfrey & Kahn’s data privacy and incident response team is ready to assist at a moment’s notice. For more information, please contact Sarah Sargent.