[BreachExchange] 8 Ways to Shore Up Cybersecurity Agreements

Audrey McNeil audrey at riskbasedsecurity.com
Tue Dec 31 20:42:30 EST 2019


Most businesses have realized the risks posed by and to their data. Some
experience significant operational interruptions after data breaches. The
litigation they face as a result directly impacts their bottom line.

Below are eight tips for protecting a company’s finances through better
negotiation of data privacy language in vendor contracts. Such agreements
may be with cybersecurity services vendors, insurers, or any entity — for
example, customer service management software vendors, outsourced IT
providers, accounting and law firms, and management consultants — that
holds personal data.

The language in these contracts is crucial for ensuring that a company
maximizes its investment and protects or eliminates risks associated with
data privacy, among other reasons.

Create and Leverage Model Language

This is immediately helpful, regardless of a company’s bargaining position.
When the company is in a strong position, having model language allows for
quicker negotiations on the company’s terms and increased consistency.

Having a model to work from is beneficial even with less bargaining power,
as it provides two advantages.

First, it acts as a checklist to ensure legal compliance. Second, it can be
used as leverage when the other party’s agreement does not include the
company’s desired language. We have seen businesses successfully gain key
language by stating it was in their model and providing the reasons why.

Sync the Indemnity and Limited Liability Provisions

A lot of negotiations center around indemnification, especially as the
penalties, costs, and other risks surrounding data protection continue to

It seems increasingly common for vendors to provide great indemnification,
only to strip down the amount they’ll pay in the event of a breach by
limiting liability in the next section of the agreement. Taking a careful
look and negotiating these sections together can better ensure getting the
needed protection.

Stop Insuring Your Vendors’ Liability

If a company agrees to limit a vendor’s liability to what it was paid for
its product or service, or agrees to pay early-termination fees, it hands
the vendor a gain-or-no-risk position at the company’s expense.

This may seem unrelated to privacy, but it’s not. As privacy becomes a more
prominent issue with bigger risks, it’s increasingly likely to be a reason
to terminate a vendor agreement.

For example, if the use of a cloud-based human resources tool leads to a
data breach, the company’s damages are likely to greatly exceed what it
paid in fees to the service provider over the last 12 months. Terminating
the agreement in such a situation may well be warranted.

While many accept these types of limits on liability as standard language,
the primary result is that the company takes on risk while the vendor has a
chance to make a profit without risk.

Early termination fees should also be avoided, especially for
privacy-related services. For most services where privacy is critical
(examples include customer and employee records management and analytics
tools), it is highly unusual for a company to get an individually crafted
product. If the company purchases existing software, data analytics, or HR
support, there is no need for an early termination fee, because there
likely will be no costs that the vendor would reasonably have the right to

By all means, the company should pay for what it used. But if it ends a
five-year agreement after three years, it shouldn’t pay for a portion of
the unused time.

Require Specific Notice Provisions

Complying with the law is critical to legal relationships and notice is a
key component of compliance. All too often, agreements have very little if
any language about notification in the event of a breach, violation of
privacy law, or similar issue. When it comes to privacy, this puts both a
company and its vendor at risk.

Privacy laws increasingly require very quick notice to individuals and
governmental entities, sometimes within as little as 48 or 72 hours. If the
agreement does not specify to whom notice must be given and how that notice
is to be provided, there is little hope of actually meeting these deadlines.

One important consideration: Be specific. Do not assume an address at the
top or bottom of an agreement will be sufficient. Often it is too general
for the types of notice being provided or would result in the wrong person
receiving the information. This is akin to a 911 call: the vendor should
know exactly whom to contact at your company when a problem occurs.

Have It Your Way

When negotiating privacy language, do not accept reasons such as “we do not
accept modifications to that language,” or “what you are requesting is not
in our pricing model,” or “we cannot accept that without elevating this

If the vendor refuses to agree to indemnification, ask about the basis for
the refusal. It can lead to information or a response you can leverage to
move the negotiations forward.

If the response is, “I would need to elevate that,” go ahead and let them.
If it’s important enough for you to ask, it’s important enough for them to
have an appropriate person evaluate the request and make a decision.

Hold Their Feet to the Fire

There should be an express agreement that the vendor will comply with all
applicable data privacy and security laws. No carve-outs. No exceptions.

It is increasingly common for some vendors to say they cannot agree to this
because the laws are changing too rapidly. A good response to that is, “How
do you propose that I explain to the board that we are working with someone
who will not agree to comply with applicable law?”

Time Is On Your Side

Deadlines are almost always a pressure tactic, not a real risk. If a vendor
says they have special pricing but only for the next week, do not rush
unless you are absolutely certain the price will be unavailable, which is
virtually never the case.

Once they have offered “special pricing,” that should be used as a starting
point for the price, not the end of the negotiation or a reason to rush.
After all, once you know that price is available, why pay more?

Ensure that Insurers Address Key Concerns

When negotiating privacy and cybersecurity insurance, obtain written
confirmation that it will cover the issues you are concerned about. Unlike
general liability insurance, insurance for data-related issues can be
surprisingly limited, often shockingly so.

Know what you are seeking insurance for (bad employees, hacking, social
engineering, and the like) and ask for written confirmation that the policy
covers those types of issues. You can’t necessarily guarantee a specific
incident will be covered until it occurs, but you can get assurance that
the types of issues you want insurance for are covered.