This week, I am continuing the heads-up on cybersecurity and what it means for your contracts. I’m fortunate to have a guest blogger, Jeff Mayer of Akerman LLP, to outline areas we should consider. Thank you, Jeff.
Thanks to Bill Michels for allowing me to be a guest blogger today. I have had the privilege of regularly advising purchasing departments and speaking on purchasing law issues, including at national and local ISM conferences, on many cutting-edge issues relating to purchasing law, including international contracting, warranties and responding to sudden and unexpected catastrophic events (force majeure). Most recently, as Bill has noted, the hottest topic in contracting is data security, which impacts all the other critical contracting areas, such as warranties and force majeure events. Data security breaches are very real and very costly. In addition to legal risk, there is PR risk, stock price risk and, of course, people can lose their jobs for not taking the proper precautions to mitigate potential breaches. Use your contracts to help. Akerman is fortunate to have an entire team devoted to data security issues and I asked two of those team members, Melissa Koch and Elizabeth Hodge, to outline some of the most critical legal provisions for purchasing departments concerned about data security issues. Melissa and Elizabeth’s top tips are:
- Be clear on what data is at issue (especially if it will include personal, confidential or sensitive information).
- Make sure the ownership rights are spelled out and well understood to help control who has access to the data and how it can be used.
- Understand all of the touch points on how the data will flow, who will have access to it, and where it will be stored. This is particularly important if a vendor is going to have access into your company systems. You will want to make sure there are at least industry standard procedures and processes in place to keep the touch points and data safe and secure. You will also want to make sure the transfer of the data complies with all applicable laws. Regulators across all industries increasingly expect data owners to know where the data lives and who is handling it. You will want to know if the data will be stored beyond U.S. borders or if vendor employees and subcontractors outside the U.S. will have access to the data.
- Pre-qualification reviews, audits and certifications. Take the time to thoroughly evaluate the vendors with whom you will be sharing data, and make sure they are properly audited and certified using current standards. You will want to make sure their ISPs are also audited and certified.
- Make sure you have proper recourse in the event of a security incident through carefully drafted indemnity rights and carve outs from limitation of liability. Also verify if the service provider has appropriate cyber liability insurance and the limits on such coverage.
- Make sure the service provider is required to assist in transferring data back to you in the event the services agreement terminates. You want to make sure that the contract does not give the service provider the ability to lock you out of access to your data, especially if the data at issue is critical to your business operations.
- You should not only demand that the vendor indemnify you, but also that they cooperate with any pending litigation or investigation.
And none of these issues stands apart from other issues that you face in a purchasing department. Just as legal systems vary, making international contracting challenging, so do local laws on data security and privacy. And, unlike other commercial laws, you may not be able to contract out of those obligations. Similarly, your warranties in a contract bear directly on legal obligations related to data security. And any force majeure clause needs to be examined closely to determine whether it provides an out or escape to the vendor in the event of a major data breach. While data security issues go well beyond the contract, making sure your contracts fit with your overall data security strategy is just as essential as any other contract strategy.
Jeffrey J. Mayer