Checklist: Managing privacy and cybersecurity law risks in vendor contracts

February 6, 2023
Contributed to Bloomberg Law by Reena Bajowala, data security and privacy partner at Ice Miller

This checklist raises key issues and topics for in-house counsel to consider in ensuring that their organization and its vendors abide by applicable compliance requirements and maintain the security of the company’s and its customers’ data.

1. Shifting liability

Contract provisions should attempt to transfer whatever risk the company is not able to mitigate on its own. When contracting with vendors, consider how common contract provisions can be used in ways that shift liability when it comes to matters related to data security.

  • Does the contract mitigate the inherent uncertainties of vendors managing and handling data by requiring the vendor to have cyber liability insurance?

Comment: Cyber liability insurance can help mitigate the risks associated with having vendors manage and handle customer and client data. A common request, which depends on the risk involved, is for $5 million in cyber insurance.

These contract provisions will often prescribe minimum limits, detail the types of incidents covered, or even demand that the company be added to the policy as a beneficiary. Confirm that policies cover ransomware incidents.

  • Does the contract’s limitation of liability clause adequately allocate the liability between the parties?

Comment: In these clauses, companies can seek to cap the amount of monetary damages. Companies can also limit the categories of damages that may be recovered, for example by barring damages for lost profits or special damages.

  • Does the contract allocate which party will be responsible for any fines or other costs relating to the vendor’s violations of requirements to keep data secure?

Comment: When contracting, companies can create indemnification categories, such as “violations of confidentiality” or “violations of security,” to protect themselves from potential legal issues.

Companies should seek reimbursement of investigation costs and other costs to legally evaluate both a vendor’s and its own compliance with data security obligations, including reasonable attorneys’ fees.

2. Information sharing and notifications

Because companies relinquish some control when they give vendors access to customer and client data, companies should be kept up to date on how vendors are operating. Additionally, companies should ensure that they are being updated when security incidents happen.

  • Does the contract require the vendor to share information with the company about how the vendor is managing the company’s data?

Comment: Companies can add data security-specific addenda that set out detailed requirements for the administrative, technical, and physical safeguards that must be in place for the contract to move forward. An additional approach is to require data security questionnaires and information about how vendors are ensuring confidentiality.

  • Does the contract have mechanisms in place that allow the company to promptly respond to security incidents?

Comment: When contracting, the company should require the vendor to notify the company when suspected security incidents and confirmed data breaches occur so that the company can quickly and appropriately respond.

Companies should also reserve the right to require the vendor to provide notifications to the company’s customers at the vendor’s own cost, as well as the right to approve the specific notices that are sent out on the company’s behalf.

  • Does the contract require vendors to notify the company if the vendor materially alters an aspect of its security practices?

Comment: This is important because companies should know exactly when a vendor changes its practices so that the company can quickly evaluate if these new practices maintain the level of security the company agreed upon at the time the contract was executed.

  • Does the contract require vendors to notify the company when the vendor hires a new contractor?

3. Flow down of requirements

As the chain of vendors and subcontractors gets longer, the company’s risk of experiencing a data security breach grows. If just one link in the chain has weak security, every party involved becomes more vulnerable to a data breach.

  • Does the contract require vendor requirements to flow down to subcontractors?
  • Do breach notification obligations flow up from subcontractors to the vendor?
  • Does the contract recognize that data localization laws are an important part of the flow down of requirements?

Comment: If a company hires a vendor which then hires a subcontractor in a different country, then the vendor may be violating data localization laws. This is especially important with the growing activity in the international regulatory environment.

  • Does the contract require that new subcontractors are well versed in the specific standards of security and confidentiality obligations that the subcontractor is required to comply with?

4. Ongoing compliance

A perfectly written contract is only useful for ensuring data security if the company continues to check on its vendors to ensure ongoing compliance.

  • Does the contract allow companies to have a streamlined process for amending the contract when new regulations come into effect?
  • Does the contract allow the company to monitor the ongoing compliance of the vendor?

Comment: This can be done on an annual basis or upon the company’s request that additional information be provided to help the company ensure that the vendor is maintaining the security posture with which it started. Ongoing compliance also involves making sure the vendor does not have any other reported data breaches or security issues. Finally, compliance can be monitored with third-party audit reports.
