Tech & Sourcing @ Morgan Lewis


In Part 1 and Part 2 of this Contract Corner, we discussed the importance of assessing and defining the types of data involved in a services agreement, and highlighted issues to consider with respect to the ownership and control of company and personal data.

In this Part 3, we discuss key drafting points regarding the operational security requirements typically addressed in services agreements.

Document the Security Requirements

  • Setting the Standard. When structuring the security requirements section of the contract, consider starting with a general standard. What are the objectives of the data safeguards? For example, consider requiring the service provider to implement and maintain rigorous security measures that protect the security of company data and that protect against the unauthorized access or use of such data. In addition, consider whether the safeguards should be designed to comply with particular industry standards, such as ISO 27001 or the standards, practices, and guidelines issued by the National Institute of Standards and Technology (NIST).
  • Defining the Details. After setting the general objectives and standards of the security measures, the contract should further define and describe the key requirements of the data safeguards. To accomplish this, consider attaching the company’s security policy for third parties or starting with a description of the service provider’s security offering, which is becoming a more common practice. If the contract uses the service provider’s policy, the company should analyze it for gaps and ensure that its own security team is comfortable with the practices described by the provider. Major gaps should be separately addressed in the contract. Key issues to consider when developing or reviewing contractual security requirements include encryption technologies and standards, password policies, multifactor authentication, employee and contractor training (which should include phishing awareness training), network monitoring, vulnerability scanning, intrusion detection systems, and penetration testing. In addition, consider including geographic limitations, such as requiring all access, processing, hosting, and storage of company data to be solely in and from the United States.
  • Audit Rights. The contract should include obligations for the service provider to regularly audit, review, test, or otherwise monitor its information security policies and procedures and its safeguards’ controls, systems, and procedures to ensure their continued effectiveness and determine whether adjustments are necessary, including with respect to changes in law, regulation, technology, or threats or hazards to company data. The service provider should periodically identify reasonably foreseeable internal and external security risks and ensure that there are safeguards in place to control those risks. In addition, the service provider should be required to provide a copy of its written privacy and information security policies and procedures to the company at appropriate intervals and should provide a report, carried out by an independent third party, regarding its security controls. Finally, be sure to reserve the right to carry out or have carried out a security audit of the services, with cooperation and assistance from the service provider.
  • Data/Security Breach Obligations. Aside from liability considerations in the event of a security or data breach (which will be discussed in Part 4 of this series), the contract should delineate the service provider’s obligations in response to any such breach. Consider adding specific response, remediation, and mitigation responsibilities, including assembling and preserving pertinent information relating to the breach, providing detailed reports and root-cause analyses, advising on the status of remedial efforts, and cooperating with investigations performed by company and governmental authorities. For breaches involving personal data, the service provider should be required to assist the company in providing notices as required by law (including to individuals and governmental authorities), as determined by the company. Make sure the contract reserves the company’s right to approve the content and format of all such notices prior to publication or communication.

This post is part of our recurring Contract Corner series. Part 4, coming next week, will discuss key liability issues with respect to data protection obligations.