Contracting for Cyber-Security Service AgreementsBy Guest Author | Posted 2015-10-21 Email Print
Contracting for cyber-security commitments in service provider relationships is a sensible business practice, and there’s no excuse for not doing it right.
Securing the Right Commitments
When negotiating a contract with a service provider, you can mitigate the risk by obtaining general data security commitments. These might include assurances to:
· Avoid disclosing your confidential information
· Keep your data secure (whether or not it's confidential)
· Comply with industry standards such as ISO 27001
· Comply with privacy and data security laws
· Comply with your written information security policies
· Implement and maintain specified physical and operational security measures.
However, there are opportunities throughout the contract to include commitments that reduce cyber-security risk. These include:
· Restrictions on subcontracting, including requirements to flow down data security clauses
· Background checks and personnel screening
· Data minimization obligations (including those under records retention policies)
· Limitations on access to systems
· Adequate cyber-liability coverage on a primary basis
· Restrictions on secondary uses of data (including aggregated, derived or anonymized data).
Because the cyber-threat is constantly evolving, also consider commitments to evolve cyber-security protections. These might be general commitments to evolve as threats evolve, or you might obtain options to allow you to purchase specific additional cyber-security protections at reasonably firm prices.
Setting the Right Incentives
Commitments help, but you also want your service providers to wake up every morning thinking about how to prevent a data breach, and, if one occurs, how to minimize the cost. You can do that by creating incentives, such as clauses that require the following:
· Reimbursement for the cost of audits that detect security failures
· Reimbursement for legally mandated costs of security breaches, such as data breach notification to consumers
· Reimbursement for customary additional actions, such as investigation, call centers, credit monitoring services, credit card replacements, etc.
· Reimbursement for other damages, perhaps those subject to a liability waiver or cap
· Termination rights triggered by breaches (e.g., deeming a data security incident involving loss of sensitive data a material breach).
As much as possible, these incentives should be designed to create an incentive not only to avoid causing security incidents but also to prevent them. Service providers, of course, will seek to limit their liability to security incidents that they cause.
Risk has always been a part of business, as has learning how to cope with new categories of risk when they emerge. Cyber-risk is just such an emerging category, and businesses are understandably still learning how to manage it.
However, as the novelty wears off, there is dwindling patience in the markets and the courts for businesses that don’t take sensible steps to minimize their risk of data breaches. Contracting for cyber-security commitments in service provider relationships is as sensible as such steps get, and there’s no excuse for not doing it right.
Brad Peterson is a partner and Julian Dibbell is an associate at the law firm of Mayer Brown LLP. Both are active in Mayer Brown’s Business & Technology Sourcing practice and its Cybersecurity and Data Privacy practice.