Checklist: How to Manage Privacy and Cybersecurity Law Risks in Vendor Contracts

Contributed to Bloomberg Law by Reena Bajowala, data security and privacy partner at Ice Miller

In-house counsel should consider these key issues and topics to ensure that their organization and its vendors abide by applicable consumer data privacy law compliance requirements and maintain the security of the company’s and its customers’ data.

[Download our 27-point Data Security Checklist for Managing Vendor Contracts.]

Shifting liability

  • Does the contract mitigate the inherent uncertainties of vendors managing and handling data by requiring the vendor to have cyber liability insurance?
  • Does the contract’s limitation of liability clause adequately allocate the liability between the parties?
  • Does the contract allocate which party will be responsible for any fines or other costs relating to the vendor’s violations of requirements to keep data secure?

Contract provisions should attempt to transfer whatever risk the company is not able to mitigate on its own. When contracting with vendors, consider how common contract provisions can be used in ways that shift liability when it comes to matters related to data security.

Cyber liability insurance can help mitigate the risks associated with having vendors manage and handle customer and client data. A common request, which depends on the risk involved, is for $5 million in cyber insurance.

These insurance provisions often prescribe minimum coverage limits, detail the types of incidents that must be covered, or even require that the company be added to the policy as a beneficiary. Confirm that the policy covers ransomware incidents.

In limitation of liability clauses, companies can seek to cap the amount of monetary damages. Companies can also limit the categories of damages the vendor may pursue, such as barring recovery of lost profits or special damages.

When contracting, companies can create indemnification categories, such as “violations of confidentiality” or “violations of security,” to protect themselves from potential legal issues.

Companies should seek reimbursement of investigation costs and other costs to legally evaluate both a vendor’s and its own compliance with data security obligations, including reasonable attorneys’ fees.

Information sharing and notifications

  • Does the contract require the vendor to share information with the company about how the vendor is managing the company’s data?
  • Does the contract have mechanisms in place that allow the company to promptly respond to security incidents?
  • Does the contract require vendors to notify the company if the vendor materially alters an aspect of its security practices?
  • Does the contract require vendors to notify the company when the vendor hires a new contractor?

Because companies relinquish some control when they give vendors access to customer and client data, companies should be kept up to date on how vendors are operating. Additionally, companies should ensure that they are being updated when security incidents happen.

Companies can add data security-specific addenda that set out detailed requirements for the administrative, technical, and physical safeguards that must be in place for the contract to move forward. Another approach is to require data security questionnaires and information about how vendors are ensuring confidentiality.

When contracting, the company should require the vendor to notify the company when suspected security incidents and confirmed data breaches occur so that the company can quickly and appropriately respond.

Companies should also reserve the right to require the vendor to provide notifications to the company’s customers at the vendor’s own cost, as well as the right to approve the specific notices that are sent out on the company’s behalf.

Notification of changes to the vendor’s security practices is important because the company should know exactly when a vendor changes its practices, so that the company can quickly evaluate whether the new practices maintain the level of security agreed upon when the contract was executed.

Flow down of requirements

  • Does the contract require vendor requirements to flow down to subcontractors?
  • Do breach notification obligations flow up from subcontractors to the vendor?
  • Does the contract recognize that data localization laws are an important part of the flow down of requirements?
  • Does the contract require that new subcontractors be well-versed in the specific security standards and confidentiality obligations with which they are required to comply?

As the supply chain for vendors and subcontractors gets longer, the company’s risk of experiencing data security breaches grows. If just one link in the chain has weak security, that makes every party involved even more vulnerable to data breaches.

If a company hires a vendor which then hires a subcontractor in a different country, then the vendor may be violating data localization laws. This is especially important with the growing activity in the international regulatory environment.

Ongoing compliance

  • Does the contract allow companies to have a streamlined process for amending the contract when new regulations come into effect?
  • Does the contract allow the company to monitor the ongoing compliance of the vendor?

A perfectly written contract is only useful for ensuring data security if the company continues to check on its vendors to ensure ongoing compliance.

This can be done on an annual basis or upon the company’s request that additional information be provided, so the company can confirm that the vendor is maintaining the security posture with which it started. Ongoing compliance also involves confirming that the vendor has not had any other reported data breaches or security issues. Finally, compliance can be monitored through third-party audit reports.
