Client has a sort of side business with Verizon and they are requiring data protection

[Velvis]

I have a client who some of their employees do work for Verizon. I am not even sure what they do for Verizon as I am not really involved in that part of the business. I am told basically that my client is on the hook for any data breach of Verizon's data and they want to do everything they can to protect against that.
I was wondering if anyone here has some recommendations for situations like this.

 

[timeshifter]

I was wondering if anyone here has some recommendations for situations like this.

Run

 

[Metanis]

I have a client who some of their employees do work for Verizon. I am not even sure what they do for Verizon as I am not really involved in that part of the business. I am told basically that my client is on the hook for any data breach of Verizon's data and they want to do everything they can to protect against that.
I was wondering if anyone here has some recommendations for situations like this.

Have your customer get some quotes for Cyber Liability Insurance. That will open their eyes and their checkbook. It *could* start a process whereby they hire you to implement changes required by the underwriter.

 

[Blues]

Both solid pieces of advice here and pretty much your only two options

 

[YeOldeStonecat]

Best to have them choose their insurance..and have the insurance hand them the guide/rules to follow...and you put those in place.
You can take a "guess" all you want and even do a baseline CIS on all computers, but their insurance will spell out what they want to see in place...so they can give them a rate.

 

[britechguy]

If you don't have contractual language that clearly lays out the requirements to avoid liablility should "a disaster" somehow occur (such as what @YeOldeStonecat mentions) then running is the best option.

And it would astound me if Verizon did not have formal language about what it requires as far as security and general practices by its subcontractors. No guessing should be required.

 

[YeOldeStonecat]

And it would astound me if Verizon did not have formal language about what it requires as far as security and general practices by its subcontractors.

I agree there....franchises usually hand out a cookbook of recipes you have to follow
Over 25 years ago, the Computer Land franchise I worked at...we provided the computers and did the networks for...hmmm...pretty sure it was 3x locations that a friend of the business owner opened up 3x Verizon locations at. (and we got our company cell phones through). But that was way back then...when compliance really wasn't a big thing yet....no guidelines or hoops to jump through at all! Can't remember much....think they had a small frame relay pipe and we stuck in a Cisco PIX 501 and some switch...probably a ProCurve or Bay Networks.

 

[Markverhyden]

And it would astound me if Verizon did not have formal language about what it requires as far as security and general practices by its subcontractors. No guessing should be required.

^^^ This. I have a hard time believing that, in this day and age, subcontracting for a major company like Verizon would not already have the T&C's spelled out in detail.

 

[John Kennedy]

And it would astound me if Verizon did not have formal language about what it requires as far as security and general practices by its subcontractors. No guessing should be required.

This. Any company that allows BYOD and is concerned with security will have instructions on what is required. Find the instructions and follow those first. Showing them cyber liability insurance is an excellent idea as well. Not a bad idea to refuse to do any of the work without a waiver absolving you of any problems too. You can follow the instructions and get them cyber insurance and still get sued. Having the waiver will help in such a suit (but wouldn't necessarily prevent it).