Companies’ increased awareness of the substantial costs and exposure associated with data breaches has motivated them to beef up their data security requirements in vendor contracts. Although this concept has quickly become the market norm, the following issues frequently arise, and companies should consider them when negotiating data security provisions.
What Customers Want
Customers want complete protection from data breaches, and therefore may require a vendor to give representations similar to the following: “Vendor has developed, implemented, and will maintain effective information security controls, policies, and procedures that ensure the security and confidentiality of data and information, protect against anticipated threats to the security or integrity of such information, protect against unauthorized use or access, and ensure the proper disposal of the data and information.”
Because customers want the maximum protection, vendors should carefully consider how broad a requested representation is. It’s a balancing act, because vendors need to be able to be able to provide certain security controls to win business, but they also need to also understand the difference between providing an adequate degree of protection for their customers and an insurance policy.
What Vendors Want
Vendors are willing to guarantee compliance with privacy and security polices but are often unwilling to guarantee security on their platforms. Vendors frequently argue that “we’re not your insurance policy” and “we run a cost-effective, reasonably secure system for the price you’re paying.”
Should Damages Associated with Data Breaches Be Excluded from Limitations of Liability?
Another important consideration is whether or not damages associated with data breaches should be excluded from limitations of liability. As one might expect, vendors often argue for damages associated with data breaches being applied against the overall liability caps, with customers wanting the opposite—to exclude such damages from limits on liability. The resolution may turn on the controls in place, the cause of the data breach, how direct and recoverable damages are categorized, and the overall caps themselves.
Consider Cyber-Liability Insurance
Cyber-liability insurance may be a mechanism for a company (customer or vendor) to mitigate its exposure with respect to damages associated with security breaches. It is important to understand what the insurance actually covers—requiring the covered party to closely check any applicable policies to determine if likely damages associated with the potential types of security breaches at hand are covered under the policy.
When drafting and negotiating data security provisions, It is crucial to have a basic understanding of the type and scope of the data being handled or accessed, as well as the type and scope of access that a vendor has to such data. The type and scope of data and the third-party access to such data will help shape the data breach risk profile and the appropriate allocation of responsibility for damages between the parties.
This post is part of our recurring “Contract Corner” series, which provides analysis of specific contract terms and clauses that may raise particular issues or problems. Check out our previous Contract Corner posts on the Sourcing@MorganLewis blog for more on contracts, and be on the lookout for future posts in the series.