Key Contractual Protections: The Second Tool

In the overwhelming majority of engagements, the underlying contract entered into between a company and its vendor will have little or no specific language relating to information security. At most, there is a passing reference to undefined security requirements set forth in the vendor’s “then-current security policy” and the inclusion of a basic confidentiality clause. Today’s best practices in vendor contracting suggest far more specific language is required, particularly when regulated personally identifiable information is at risk. The following protections should be considered for inclusion in relevant vendor contracts:

■ Confidentiality. A fully fleshed-out confidentiality clause should be the cornerstone for information security protections in every agreement. The confidentiality clause should be broadly drafted to include all information the company desires to be held in confidence. Specific examples of protected information should be included (e.g., source code, marketing plans, new product information, trade secrets, financial information, and personally identifiable information). While the term of confidentiality protection may be fixed (for, say, five years), ongoing, perpetual protection should be expressly provided for consumer information and trade secrets of the business. Requirements that the company mark relevant information as “confidential” or “proprietary” should be strictly avoided. These types of requirements are unrealistic in the context of most vendor relationships. The parties frequently neglect to comply with these requirements, resulting in proprietary, confidential information being placed at risk.

■ Personal information. Personally identifiable information is increasingly the subject of various international, federal, state, and local laws. While these laws each define such information differently, many of them define this information broadly to include any information that identifies or can be used to identify an individual, such as name, address, and even IP addresses and other device identifiers. Therefore, the collection and use of personally identifiable information are increasingly handled in clauses separate from those covering confidential information. These clauses not only include an obligation to keep personally identifiable information confidential, but also to limit its use to solely what is necessary to perform the services for the customer and to assist the customer in meeting its obligations related to requests from individuals to exercise their rights to the personally identifiable information under applicable laws.

■ Warranties. In addition to any standard warranties relating to how the services are to be performed, freedom from viruses and other harmful code, noninfringement, and authority to enter into the agreement, the following specific warranties relating to information security should be considered:

- A warranty requiring the vendor to comply with “best industry practices relating to information security.” Such a “floating” standard will ensure that the vendor must continually evolve its information security measures to keep pace with industry best practices. In many instances, it is appropriate to specify the industry relevant to the data (e.g., healthcare, financial services).

- Compliance with applicable consumer protection laws, such as the Gramm-Leach-Bliley Act (GLB), the Health Insurance Portability and Accountability Act (HIPAA), and relevant state statutes.

- If relevant, compliance with third-party standards such as the payment card industry (PCI) data security standard (available at www.pcisecuritystandards.org) or the payment application data security standard.

- Compliance with the customer’s (not the vendor’s) privacy policy in handling and using consumer information.

- A warranty against sending the customer’s data and confidential information to offshore subcontractors or affiliates, unless specifically authorized to do so by the customer. The world is a complex and dangerous place when it comes to data. While some countries have their own laws governing data privacy and information security, many do not. Where they exist, local laws frequently conflict and do not provide the level of protection found in the United States. When data flows across international borders, many questions arise: what privacy laws apply, what happens if the data becomes the subject of a subpoena and must be produced, and whether some of the countries have laws that would permit offshore suppliers to retain data after contract termination to satisfy various retention obligations imposed by law. In some cases, there are no clear answers. In others, the gray areas are very broad. Given the complexity, uncertainty, and associated risk, companies must apprise themselves of where their data will be located and make every effort to limit those locations in their contract with the vendor.

- A warranty stating that the vendor’s responses to the vendor due diligence questionnaire, which should be attached as an exhibit to the contract, are true and correct.

■ General security obligations. Consider including generalized language in the contract relating to the vendor’s obligations to adopt a minimum set of security controls and to additionally take all reasonable measures to secure and defend its systems and facilities from unauthorized access or intrusion, to periodically test its systems and facilities for vulnerabilities, to immediately report all breaches or potential breaches of security to the business, to participate in joint security audits, and to cooperate with the business’s regulators in reviewing the vendor’s information security practices.

■ Indemnity. In situations in which a breach of the vendor’s security or inappropriate use of personally identifiable information may expose the company to potential claims by third parties (e.g., a breach of consumer information may result in claims by the business’s customers), the agreement should include an indemnity provision requiring the vendor to defend the company from those claims and to hold the company harmless from all claims, damages, and expenses incurred by the company resulting from a breach of the vendor’s security or of its obligations regarding its processing of personally identifiable information. That is, the vendor should protect the company from lawsuits and other claims that result from the vendor’s failure to adequately secure its systems or failure to live up to its obligations regarding the processing of personally identifiable information.