[BreachExchange] Contract Corner: Contract Terms Associated with Data Breaches—It’s a Balancing Act

[Audrey McNeil]

http://www.natlawreview.com/article/contract-corner-contract-terms-associated-data-breaches-it-s-balancing-act

Companies’ increased awareness of the substantial costs and exposure
associated with data breaches has motivated them to beef up their data
security requirements in vendor contracts. Although this concept has
quickly become the market norm, the following issues frequently arise, and
companies should consider them when negotiating data security provisions.

What Customers Want

Customers want complete protection from data breaches, and therefore may
require a vendor to give representations similar to the following: “Vendor
has developed, implemented, and will maintain effective information
security controls, policies, and procedures that ensure the security and
confidentiality of data and information, protect against anticipated
threats to the security or integrity of such information, protect against
unauthorized use or access, and ensure the proper disposal of the data and
information.”

Because customers want the maximum protection, vendors should carefully
consider how broad a requested representation is. It’s a balancing act,
because vendors need to be able to be able to provide certain security
controls to win business, but they also need to also understand the
difference between providing an adequate degree of protection for their
customers and an insurance policy.

What Vendors Want

Vendors are willing to guarantee compliance with privacy and security
polices but are often unwilling to guarantee security on their platforms.
Vendors frequently argue that “we’re not your insurance policy” and “we run
a cost-effective, reasonably secure system for the price you’re paying.”

Should Damages Associated with Data Breaches Be Excluded from Limitations
of Liability?

Another important consideration is whether or not damages associated with
data breaches should be excluded from limitations of liability. As one
might expect, vendors often argue for damages associated with data breaches
being applied against the overall liability caps, with customers wanting
the opposite—to exclude such damages from limits on liability. The
resolution may turn on the controls in place, the cause of the data breach,
how direct and recoverable damages are categorized, and the overall caps
themselves.

Consider Cyber-Liability Insurance

Cyber-liability insurance may be a mechanism for a company (customer or
vendor) to mitigate its exposure with respect to damages associated with
security breaches. It is important to understand what the insurance
actually covers—requiring the covered party to closely check any applicable
policies to determine if likely damages associated with the potential types
of security breaches at hand are covered under the policy.

Tip

When drafting and negotiating data security provisions, It is crucial to
have a basic understanding of the type and scope of the data being handled
or accessed, as well as the type and scope of access that a vendor has to
such data. The type and scope of data and the third-party access to such
data will help shape the data breach risk profile and the appropriate
allocation of responsibility for damages between the parties.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160303/75c9521b/attachment.html>