There has been widespread concern throughout every industry about how to safeguard and protect confidential information from data breaches. Cybercrime is becoming one of the top concerns for the Federal Bureau of Investigation (FBI). Robert Mueller, FBI director, has stated that “[t]here are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.”
The damage that can result from a data breach can range from business interruption and damage to your company’s reputation to lawsuits and regulatory fines. As a result, your business should mitigate its exposure by implementing formal policies and procedures, incorporating security technologies, training employees and buying cyber insurance. It is also important to consider steps you can take in negotiating, drafting and renewing your company’s contracts to prevent and avoid data breaches.
Pre-Contract Due Diligence
When you are considering using a third-party vendor that may house or otherwise have access to protected data, you should conduct due diligence to determine any security issues that should be resolved through the contracting process. It is most effective to address this issue before the contract is signed, while you have maximum leverage. You may want to require limited access to your systems or network, or even have a specific person at the vendor assigned to safeguard confidentiality and integrity.
It is imperative that the contract clearly states who owns the information. Depending on your industry, the vendor may have full control over the data and have notification obligations under the law if the data leaves its control, but you want to maintain ownership of the information. You may also want to include contractual language that:
- limits how the data may be used
- requires the vendor to return or destroy all of the data in the vendor’s possession upon termination of the contract
- allows you to request confirmation that certain certifications or third-party reviews of the vendor’s system have occurred
- provides for the encryption of data when it is being transferred or when it is not being used
- requires background checks on employees with access to your protected information
- provides that security updates and patches will be applied as necessary
- sets forth any additional security measures that may be necessary (such as a security code or card required for access to the data center)
The above are the initial considerations for protecting your digital data in vendor contracts. Our next blog will continue discussing this topic and cover more in-depth contractual provisions to include in your vendor agreements, so please check back.
To ensure that your vendor contracts provide you with the most protection from liability available, contact Leslie S. Marell to schedule an appointment. Our office is located in Torrance, California, but we proudly serve businesses of all sizes from all over the country.