Last week, we discussed contract provisions that focused on documenting security requirements and monitoring security commitments. These provisions are designed to require the implementation of proactive measures to protect data and systems and to reduce the risk of security incidents. In this Contract Corner post, we switch focus to contract provisions that address a security incident if one occurs. In an earlier post, we outlined practical steps to take in response to an incident, including communications with authorities and cyber insurance matters. Below we list some key issues to consider when drafting contract provisions regarding these response measures.
Definition. The contract should define the types of circumstances that qualify as a “security incident.” For example, a security incident could be limited to an actual security breach, or it could be more broadly defined to include a breach of security protocols or a new cyber threat that increases the risk of a potential breach.
Vendor obligations. A vendor’s obligations upon discovery or notice of a security incident should be detailed in the contract, including whether, how, and when the vendor will
- notify the customer of the incident and investigate the incident;
- mitigate the effects of the incident and cure all applicable failures; and
- provide the customer with details of the incident, its consequences, the vendor’s response, and how the vendor will adequately prevent reoccurrence of the incident.
Responsibilities for each of these obligations (including any associated costs) should be allocated between the customer and vendor, depending on whether the incident was caused by or within the control of the vendor, the customer, or a third party.
Cooperation. The contract should outline the obligations of each of the parties to cooperate in the event of a security incident, including the following:
- Whether and when the parties will meet to establish a remediation plan for the incident and whether and when the incident will be escalated to the parties’ senior management
- The extent to which the customer has the right to participate in the vendor’s investigation of the incident
- The extent to which the vendor must cooperate with any customer investigation or litigation against third parties
Customers should note that, although an incident response plan is a necessary and important tool to limit the damage caused by a security incident, they may also negotiate for and pursue additional remedies in the event of a security incident. (We will address these rights in our next Contract Corner post.)
This post is part of our recurring “Contract Corner” series, which provides analysis of specific contract terms and clauses that may raise particular issues or problems. Check out our prior Contract Corner posts for more on contracts, and be on the lookout for future posts in the series.