Cybersecurity Watch-Outs – Use Your Contracts Wisely


This week, I am continuing the heads-up on cybersecurity and what it means for your contracts. I’m fortunate to have a guest blogger, Jeff Mayer of Akerman LLP, to outline areas we should consider. Thank you, Jeff.

Thanks to Bill Michels for allowing me to be a guest blogger today. I have had the privilege of regularly advising purchasing departments and speaking on purchasing law issues, including at national and local ISM conferences, on many cutting-edge issues relating to purchasing law, including international contracting, warranties and responding to sudden and unexpected catastrophic events (force majeure). Most recently, as Bill has noted, the hottest topic in contracting is data security, which impacts all the other critical contracting areas, such as warranties and force majeure events. Data security breaches are very real and very costly. In addition to legal risk, there is PR risk, stock price risk and, of course, people can lose their jobs for not taking the proper precautions to mitigate potential breaches. Use your contracts to help. Akerman is fortunate to have an entire team devoted to data security issues and I asked two of those team members, Melissa Koch and Elizabeth Hodge, to outline some of the most critical legal provisions for purchasing departments concerned about data security issues. Melissa and Elizabeth’s top tips are:

  1. Be clear on what data is at issue (especially if it will include personal, confidential or sensitive information).
  2. Make sure the ownership rights are spelled out and well understood to help control who has access to the data and how it can be used.
  3. Understand all of the touch points on how the data will flow, who will have access to it, and where it will be stored. This is particularly important if a vendor is going to have access into your company systems. You will want to make sure there are at least industry standard procedures and processes in place to keep the touch points and data safe and secure. You will also want to make sure the transfer of the data complies with all applicable laws. Regulators across all industries increasingly expect data owners to know where the data lives and who is handling it. You will want to know if the data will be stored beyond U.S. borders or if vendor employees and subcontractors outside the U.S. will have access to the data.
  4. Pre-qualification reviews, audits and certifications. Take the time to thoroughly evaluate the vendors with whom you will be sharing data, and make sure they are properly audited and certified using current standards. You will want to make sure their ISPs are also audited and certified.
  5. Make sure you have proper recourse in the event of a security incident through carefully drafted indemnity rights and carve-outs from limitation of liability. Also verify if the service provider has appropriate cyber liability insurance and the limits on such coverage.
  6. Make sure the service provider is required to assist in transferring data back to you in the event the services agreement terminates. You want to make sure that the contract does not give the service provider the right to lock you out of access to your data, especially if the data at issue is critical to your business operations.
  7. You should not only demand that the vendor indemnify you, but also that they cooperate with any pending litigation or investigation.

And none of these issues stands apart from other issues that you face in a purchasing department. Just as legal systems vary, making international contracting challenging, so do local laws on data security and privacy. And, unlike other commercial laws, you may not be able to contract out of those obligations. Similarly, your warranties in a contract bear directly on legal obligations related to data security. And any force majeure clause needs to be examined closely to determine whether it provides an out or escape to the vendor in the event of a major data breach. While data security issues go well beyond the contract, making sure your contracts fit with your overall data security strategy is just as essential as any other contract strategy.

Contact Information

Jeffrey J. Mayer

Akerman LLP

71 South Wacker Drive

46th Floor

Chicago, IL 60606

Dir: 312.634.5733

Fax: 312.424.1900

jeffrey.mayer@akerman.com

Melissa Koch

Akerman LLP

420 S. Orange Ave.

Suite 1200

Orlando, FL  32801-4904

Dir: 407.419.8422

Fax: 407.254.4213

melissa.koch@akerman.com

Elizabeth Hodge

Akerman LLP

777 South Flagler Drive

Suite 1100 West Tower

West Palm Beach, FL  33401

Dir: 813.209.5052

Fax: 561.651.1597

elizabeth.hodge@akerman.com

 
