
Good afternoon, everybody. Welcome to BSides Las Vegas, the Proving Ground track, and this talk, "Cover Yes," by Suchi. A few announcements before we begin. We'd like to thank our sponsors, especially our Inner Circle sponsors, Critical Stack and Belly Meal, and our Stellar sponsors, Amazon, BlackBerry and Robinhood. It is their support, along with our sponsor donors and volunteers, that makes this event possible. These talks are being streamed live, and as a courtesy to our speakers and audience, we ask that you check to make sure your cell phones are set to silent. If you have a question, please use the audience microphone so YouTube can hear you; please raise your hand and I'll bring it over. Thank
you. All right, thanks so much, I appreciate it. All right, guys, if you can't tell, I'm really excited to talk to you guys today, and I'll hopefully be able to advance. Yes. So my name is Suchi. I'm a data privacy and cybersecurity attorney; you can find me on Twitter. I've been practicing for about five and a half years now in a field that's really not super well developed in the legal world, and I really like to talk to people like you about how to keep yourself safe from clients who are trying to screw you over. After kind of dispensing that advice on the side to some friends of mine, I decided that it was worth it to make the
time to actually do a full-on presentation, and hopefully you guys will be able to use some of the resources at the end of the slides to help yourselves if you're an independent security consultant. Or send these forward, or download the slide deck, or burn it in a dumpster, I don't really care, but hopefully you get something out of it. So first, before I start with the actual deep, important things: I am NOT your lawyer. This is not legal advice. We are not in an attorney-client relationship. This is all informational only. I drink and I know things, because I am a lawyer, so if you guys want to grab a beer later, come find me. I will still not be your
attorney at that point in time. I'm struggling today. There we go, what's on top. All right, so we're going to go through the entire process of setting up your attorney-client... sorry, just kidding, setting up your independent security consultant and client relationship, and we're going to start at the beginning: what's included in the contract, how do you get the documents that make up the contract, what pieces do you really care about, what do you need to know about the statement of work and the scope of services, what are the sticking points in the contract, and then we'll have odds and ends, a recap and resources. All right, so what documents do I need? Your standard set of documents for an assignment should include an NDA,
which is, "Hey, client, you don't talk about mine and I won't talk about yours"; your master services agreement, which is a high-level umbrella document that, at a general kind of high-level area, says here's what this contract's purpose is, here are some provisions like indemnification or liability, who, what, when, how, where, why; and then you have your scope of services and statement of work, and this is going to be an extremely detailed document or set of documents, depending on what services you're providing. This is where you talk about the project, the timeline, the phases, the exact compensation, who's working on it, when, who we're talking to, every little nitty-gritty detail that you need to get on a piece of paper
with your client, with a signature, to make sure you get paid at the end and don't get sued. And last but not least, authorizations, and there's an asterisk here because it's your get-out-of-jail-free card if you're doing physical security. So you don't want to show up, break into client premises after they told you to, and then have no way to escape being in prison if you're caught. And that's pretty industry specific for you guys, so if you have other folks that are practicing physical security, stuff like that, then you should make sure you have all of the current industry best practice standard, all the buzzwords. Okay, how you should think of these documents: NDA is number one on
this right-hand side because you guys are information security; it's probably going to be the very first thing that you sign with the client, and it's the one where you're going over confidential information, proprietary information; you're defining terms. We'll get more into that later. Once you have an NDA, you get to the MSA, and the master services agreement, the giant bubble, is going to be the thing that governs all of your statements of work, which are the SOWs. Frequently, if you're just working on one assignment or a long project, you're going to have one statement of work, but if you have a really great relationship with the client, you might end up with multiple statements of work. And if it involves a
get-out-of-jail-free card, that's going to be something you describe in that SOW, not a standalone document. Okay, the non-disclosure agreement: I, consultant, won't share your information externally, and you, client, won't share my information. What you see on the bottom left-hand side, or bottom right-hand side of this left, is the non-disclosure agreement with the date, the client, the client address and information, and the recipient, which is you. These are all things that have to be put in there explicitly or expressly to make sure that you know that it's a legal document binding these two parties. So: date, identify yourself and the client, the address, which is your business address, and then the purpose, what is it that
you're doing with this NDA. Also in the NDA, what you're going to find is people will frequently define confidential information. What types of information are actually confidential? Is it stuff that you tell your client she has to mark confidential, or could it be any type of information that is considered business information? You have to be very careful in defining those terms. Similarly, proprietary information: is all proprietary information also confidential? Probably, but you also want to lay that out. So a lot of what we're going to talk about as we continue is "explain it like I'm five, but in a contract," so you are telling your client, in the stupidest, simplest terms, what is covered and what isn't covered. And
then you get to the master services agreement. Now, if you remember, this is the umbrella document, and we've got three parts of the master services agreement that are important, or three sort of ways to bucket concepts in your master services agreement. So the basics, just like the NDA: parties, purpose, definitions, what are you doing. And then during the agreement: what are your responsibilities and what are your client's rights and responsibilities; can you assign the contract to someone else? So if you're an independent security consultant, do you have the right within your contract to say, "Hey, you know what, I actually have to go on an emergency vacation and need someone else to do this work for you, and
I have the right of assignment, so, client, I'm going to go ahead and assign this away"? Representations and warranties, which are basically factual things, so your client's going to say, "All of these things are facts, and I promise you they're facts, so you can rely on them when you're doing work for me." And then payment: how are you getting paid? Is it in Bitcoin? Please don't do that. Is it US dollars, hopefully? Whatever it is that you're doing in terms of payment, phasing, type of cash, when you're getting it, you can put that here as well. End of agreement: very critical is the limitation of liability. How are you getting sued, hopefully or not, but how much can you get sued for and what can
you get sued for? Indemnification, which is protection from being sued for things where your client should be standing in your shoes. Severability: if a court just throws out parts of the agreement, then can you separate certain parts of the agreement from others so that you make sure that you're still getting paid or still able to complete other contract work? The governing law: so if you're both entities based out of California, is your governing law in New York? Is that helpful to you? A waiver, which is basically saying, if you breach a contract, do you waive the rest of your rights, or if you breach a certain part of your contract, do you waive the rest
of the things that you can do? And then IP, and I'm barely going to touch on IP, but when you get to the resources section there will be some verbiage for you to look at.
Okay, the statement of work, protecting yourself. This is the most critical thing, and we'll get into it again later, but here are the pieces of the statement of work that matter, because again you're going to be talking about who, what, where, when, why and how in extreme nitty-gritty detail, and I really can't emphasize that more than I am right now, like, extreme. So why are you doing this? What exactly is the purpose? Are you doing some type of, like, network security assessment? What is the project schedule? Are you having an initial call, and then a second call, and then another meeting to make sure the scope is correct, and then getting started? What are the exact targets? Are
you working for just the big company, or are you also working for smaller vendors that rely on this big company? Well, are you doing upstream flow, downstream, and does the downstream person know? Methods: a lot of times you're going to get into an assignment and you won't really know what the methods are going to be yet, perhaps, like, specific tools, but you should have a general idea of what you're doing. Then you have controls, everyone's least favorite, because it's probably a compliance checklist, but your client might need you to do that, so you need to say, "Here are the compliance things I'm going to check for you, and here's the type of report I'll provide," which is where
we get to deliverables, the total cost, and finally a provision that the SOW is subject to the MSA. I will talk more about that later.
Also, am I talking too fast for you guys? We're good. Okay, and then the last one is authorizations, which we touched on earlier, so I'm going to slide right past it, but it's that get-out-of-jail-free card. Please keep in touch with your peers who also do this. All right, how do you get these documents? Seriously, like, "Man, I want to be a security consultant," or, "Dude, I'm a security consultant, but all I have is this contract, what do I do with it?" Ideally, you're going to want to start with phase one, which is client reaches out to you, or you reach out to client, and at this point they might send you an NDA, or you might send them an NDA that
you've drafted, and you guys say, "Okay, we're going to have a preliminary conversation based on what we understand about each other, and we're going to have this initial meeting where we start scoping out what the client needs." Now, clients have a really hard time telling you what they want, so the client typically cannot enumerate or express to you exactly what they want you to do, so you have to dig. This is where you're playing detective, like old-school Nancy Drew, whatever that was. You have to ask them exactly what, exactly why, and what their end goal is, and a lot of times you want to start that conversation off and say, "What is it you need this to do for
you, and what do you need at the end of this?" And then you'll slowly be able to drill down into a conversation that results in a scope of services and a proposal, and hopefully also your version of a master services agreement, or sometimes it's easier to work with the client on theirs, but you still have to be very careful about some provisions, which we'll talk about later. Then you start the negotiations for your master services agreement, so you've got definitions, how you're getting paid, indemnification, liability, and how a contract is terminated. Why can your client just decide that he's going to walk away because he doesn't like the things that you've provided, or she's... yeah,
that you've provided to her? You want to make sure that there are absolute, like, notice rules for terminations, so that one party can't just walk away without paying you, which, by the way, might sound weird, but I've seen a lot of that. I've seen a lot of people end up just not getting paid, or paid much less than what they're owed. Next is your SOW negotiations, and this is where you make sure you clarify the targets, both parties' responsibilities, what happens if there's a delay, and then deliverables. For example, is it your client's responsibility to make sure that you're able to access the premises to do the things you need to do,
and are you on the hook if they don't make that access happen and you're behind project schedule? All right, what provisions do you really care about? You can probably figure this out by now, but there's five, so the big five, done right, will protect you from trouble. The first one is a document; it's the statement of work / the scope of services. And then two through five are provisions of interest, so they're provisions that you're going to find typically within your MSA: the limitation of liability, the confidentiality, indemnification and contract termination. Now, when I say confidentiality, the confidentiality requirements here, I also am referring to the NDA, because you don't want to get stuck in an NDA or a
confidentiality requirement that's never-ending, so you don't want to be eternally bound to secrecy for a client, and a lot of times clients, unsophisticated or sophisticated, will ask you to sign an NDA that never ends.
Okay, all right, what do you need to know about the statement of work and scope of services? So we still need the purpose, process, scope and deliverables, and if you're not careful about crafting these with your client, you're going to end up with situations where, let's say, you're working with a client and you find a vulnerability that they didn't ask you to actually look for. There's nothing in your contract that talks about what you do in that situation, and so your client can say, "You know what, guy, you went outside the scope of your contract, there's nothing in this contract that says what you're supposed to do with that, and then you called me
and told me about this. I think you're a hacker, I'm going to sue you." Not a position you want to be in, because you're curious and smart and you know your stuff. So what you want to do in this scope of work or statement of work is say, "Hey, if I happen to find something interesting, this is how I'm going to tell you. We've discussed this. You can't sue me for this later, because I advised you about it and I told you what the risks were, and that's it, that's all you need to know, and we've agreed on that." So those are the type of things that you want to cover. All right, then we get to our odds and ends. How do
you get paid? One of the most important things I see is that people get to the statement of services and their MSA and have a great-looking contract, and then it's like, after six months of work, you only get paid at the very end of the six months when your client likes the deliverable. Well, what if the client doesn't like the deliverable? Did you actually put any provisions in about what is acceptable to the client? Can they ask you to cure it? Can they say, "I'm going to give you two weeks and you give me a better deliverable," and you do that until, like, the end of time, and the board is done and they're out of money? This is
a big one, especially if you work with startups or small companies or small to midsize companies. You want to make sure that you phase out the payments, so you want to say phase one was month one and two, phase two is month three and four, phase three was whatever, and say at the end of each of these phases, "I'm going to give you X," or, "I've done X and you pay me Y, and I'm going to invoice you regularly." That way at least you make sure you're consistently getting paid, not waiting for one bulk check at the end of the day, six months later, that might never come. Also, IP: whatever you bring in is yours and whatever they bring in
is theirs, and they don't get to take your stuff. That's basically what the contract needs to say at the end of the day. But if you need to talk to an intellectual property lawyer, if you're bringing a lot more than just your skills and tools, you should probably talk to a lawyer to make sure that you have the licensing and the copyright written correctly. Inside every contract there will probably be boilerplate language that you can pull, and I have some resources at the end of the slide deck that you can check out and see if it covers that. Track changes: this is something that Wendy Knox Everett and I were talking about, because if you're
on Microsoft Word and you track changes, you have to make sure that you turn off the history of track changes. Otherwise, after you send it, I get an email, a Word document, and it gives me all of the comments people made to each other about particular provisions, that are like, "Uh, you know, we don't really need to argue about that one," and I'm like, "Great, we're going to push really hard on this contract provision and make them agree to a certain liability cap that they originally sounded like they weren't going to." So make sure you get rid of that feature before you send over redlined Word documents, which you will be doing if you're working on a contract. So
will you get sued? Third parties will... actually, let's answer that question. Will you get sued, guys? How many of you say yes or no? Yes, you're probably going to get sued. Now, lots of lawyers like to be bullies and trolls; I've already heard about that one this week, so you should make sure you bully them back, but please don't troll. Third parties are a point of interest for being sued, as is your client, based on your contract, and then the CFAA. Now, third parties who are affected by the things you do for your client can sue you based on nothing that exists in the contract, which is why you need to make sure that your scope of
services, indemnification and limitation of liability with your client cover you if your client's asked you to do something that's going to potentially screw over a downstream vendor, downstream company, or someone who relies on your client. So make sure you limit that first third-party bullet point so that you're not leaving yourself open and exposed. Your client, your contract: back to limitation of liability and indemnification. You can tell the client, "Hey, you can sue me for, like, wrongful deeds or extreme negligence, but only for $300,000," and that way, if you do get sued, you're looking at a limited amount of money that's potentially out of your hands, and you've said, "You can
only sue me on these two things." That's the whole point of limitation of liability, and you want to make sure, again, you're limiting your exposure. Last but not least, the CFAA. You're open to civil and criminal liability under the CFAA, or, civil, yeah, civil action and criminal action. So on the civil side, which is, like, your client, basically, they can say you had unauthorized access or exceeded authorized access. How do you protect yourself from getting that type of an accusation? By making sure that you've really scoped out in your contracts what you're able to touch, what you're going to touch, why you're touching it, because that way you'll have the grounds, you've laid the groundwork,
to say, "You know what, this was all work, it was not unauthorized, I didn't exceed that access." This is also where a lawyer will be really helpful if you do end up in litigation, because there are things like circuit splits and stuff, and it gets really complicated really quickly. If you're being prosecuted under the CFAA, you've done something else; stop, and probably call the EFF. So, all right, recap. That was a lot. What are the takeaways? Carefully define your scope of services and your statement of work. Don't leave liability, indemnification, how you get paid, or termination provisions ambiguous. Draft your own NDA and MSA so you have a form. Ask peers for their suggestions and resources, and
share the knowledge. This one's really important, I think, across industries. If you've got someone who's doing sophisticated work for a client, build your own library and start merging documents and make sure they make sense, and that way you'll have something that's up-to-date, recent, tested and tried, and you won't be just struggling to make it up on your own. All right, many thanks to you guys. BSides is awesome, and especially Clint for being my awesome mentor, and these are the folks who helped me with the slide deck, free all, and gave a lot of feedback, so I really appreciate them. Here's the link to get the slide deck on SlideShare; you can download it there. There are provisions later, there are sample
documents and provisions. I obviously didn't fill in the XX's, and a simple two slides of charts, like what are legal terms and what do they mean, and then examples of different provisions where I've said where you can put in your company name and your client company name. So we go through SOWs, assignment, choice of law, compensation, indemnification, limitation of liability, termination, project phases, rights, IP rights, and who the hell do you hire if you're having problems with legal stuff, because that can be hard to figure out. All right, any questions? Yes, I know, I know, sure, go for it. Wait, wait. So in addition to the SOW, do you recommend a rules of engagement
form as well? I absolutely think that's a great idea. I would add it as an exhibit, and then make sure that your MSA and SOW refer to that exhibit, so all of the terms within are also inclusive of and subject to this exhibit. Yeah, sure, over here.
You said not to sign an indefinite NDA. Why, and why would someone try and make that a thing? So I actually just call it lazy drafting, which, if any other lawyers are hearing this, they're going to get really mad at me, but it's just lazy. Like, they just want the rights to keep the secrets forever. Unless it's extremely sensitive, I wouldn't sign an eternal NDA. You have a right to brag about the work that you've done after a certain point in time, where it's no longer super sensitive and confidential, and as people who are building your brand, you should make it a point to make sure you have the ability to do that. So two years
after an engagement you should be able to say, "Hey, man, I worked for this crazy awesome company, or crazy shitty company, but here are the cool things I learned, and now I know how to do XYZ for you." So is it even possible to write your liabilities section in such a way that you are not going to be sued upstream? No, you will still be sued, but it's a way to make it defensible. So if you have that piece of paper with certain things that you can't be sued for, you'll be able to write off most of the things that you'll potentially be sued for and cap them out. You can be fined, but lawsuits are always
possible, and that's why making sure these are aired... as close to airtight as you can get is important. So you said to attach the rules of engagement as an exhibit to an SOW. How do you do that, practically? Would you just... it would just be... say, do you sign it at the same time as the SOW, or can you sign it later? Yes, sign it at the same time, unless you're working with a client that's friendly, in which case you can say, "Hey, let's incorporate this at a later date." So let's say I have an SOW that I've already signed, and then my client... I've talked to my client some more, and my
client's like, "This is actually what I need," and I need to go back and kind of amend that SOW. Well, then you can say, instead of amending the SOW, "I'm just going to attach the second page. Please put it all into one PDF, have it signed, and we'll execute it again," and you can have the date and read it back. Yep, last question. Do you recommend that independent contractors generate these documents themselves, or go to a lawyer and have them cover all this crap for you? If you have access to a nonprofit organization or a cheaper lawyer who can help you with this, I highly recommend you do that, because it gets complicated
quickly, so having a lawyer to do it from the front end is great. And just to let you know, I'm not looking for clients; I work for a company, so this isn't my pitch to try to get business. But if you can get a lawyer to build it, please have a lawyer do it, and if you can't, use this slide deck and the resources that I've provided and things that your friends give to you. And then when you read it, here's the rule: don't be a dick and people won't be a dick to you. Cool. All right, thank you, everybody.