Hopefully you have read our first blog on this topic titled “Contract Tips for Avoiding Data Breaches – Part 1.” Below are more contractual provisions you should consider implementing into your vendor agreements to help ensure your confidential data is protected.
If there is a breach in security or any impermissible uses of the information, the vendor should be required to provide you with immediate notification. You may want to have the ability to investigate the breach with your own resources either on-site or remotely. Also, you will want to include a provision requiring the vendor to notify you of any governmental or other third-party requests for disclosure of information.
If subcontractors are used by the vendor, you may want to be notified of, or have the right to approve, the use of third parties. You may also want access to each third party’s security protocols and certifications.
Data Center Location
The contract should specify the geographical location of the data center. You should consult with your attorney regarding whether this could subject you to the jurisdiction of that location.
Service Level Agreements
If you have negotiated certain guarantees for access or scheduled maintenance during times that will result in minimal disruption, your contract should provide for specified monetary credits for the failure to meet such service level requirements.
Your contract should set forth liability limitations and the vendor’s obligation to indemnify your business for harm caused to third parties by the vendor’s breach of confidentiality obligations, noncompliance with the law, or other similar types of conduct.
Data Breach Insurance
The contract should require the vendor to obtain adequate cyber-insurance that covers both the loss of data and the costs of responding to a data breach, which should include reasonable attorney’s fees.
There are several other contractual provisions that may be necessary for your industry or unique needs. If you are interested in learning more about protecting your business with your vendor contracts or how we can assist you with other business-related matters, contact Leslie S. Marell today.
There has been widespread concern throughout every industry about how to safeguard and protect confidential information from data breaches. Cybercrime is becoming one of the top concerns for the Federal Bureau of Investigation (FBI). Robert Mueller, FBI director, has stated that “[t]here are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.”
The damage that can result from a data breach can range from business interruption and damage to your company’s reputation to lawsuits and regulatory fines. As a result, your business should mitigate its exposure by implementing formal policies and procedures, incorporating security technologies, training employees and buying cyber insurance. It is also important to consider steps you can take in negotiating, drafting and renewing your company’s contracts to prevent and avoid data breaches.
Pre-Contract Due Diligence
When you are considering using a third-party vendor that may house or otherwise have access to protected data, you should conduct due diligence to identify any security issues that should be resolved through the contracting process. It is most effective to address these issues before the contract is signed, while you have maximum leverage. You may want to require limited access to your systems or network, or even have a specific person at the vendor assigned to safeguard confidentiality and integrity.
It is imperative that the contract clearly states who owns the information. Depending on your industry, the vendor may have full control over the data and have notification obligations under the law if it leaves its control, but you want to maintain ownership of the information. You may also want to include contractual language that:
- limits how the data may be used
- requires the vendor to return or destroy all of the data in the vendor’s possession upon termination of the contract
- allows you to request confirmation that certain certifications or third-party reviews of the vendor’s system have occurred
- provides for the encryption of data when it is being transferred or when not being used
- requires background checks on employees with access to your protected information
- provides that security updates and patches will be applied as necessary
- sets forth any additional security measures that may be necessary (such as security code or card required for access to the data center)
The above are the initial considerations for protecting your digital data in vendor contracts. Our next blog will continue discussing this topic and cover more in-depth contractual provisions to include in your vendor agreements, so please check back.
To ensure that your vendor contracts provide you with the most protection from liability available, contact Leslie S. Marell to schedule an appointment. Our office is located in Torrance, California, but we proudly serve businesses of all sizes from all over the country.