In-house counsel should consider these key issues and topics to ensure that their organization and its vendors abide by applicable consumer data privacy law compliance requirements and maintain the security of the company’s and its customers’ data.
Contract provisions should attempt to transfer whatever risk the company is not able to mitigate on its own. When contracting with vendors, consider how common contract provisions can be used in ways that shift liability when it comes to matters related to data security.
Cyber liability insurance can help mitigate the risks associated with having vendors manage and handle customer and client data. A common request, which depends on the risk involved, is for $5 million in cyber insurance.
Insurance provisions in vendor contracts often prescribe minimum coverage limits, specify the types of incidents that must be covered, or require that the company be added to the policy as a beneficiary. Confirm that the policies cover ransomware incidents.
In limitation-of-liability clauses, companies can seek to cap the amount of monetary damages. Companies can also limit the categories of damages the vendor may pursue, for example by barring damages for lost profits or special damages.
When contracting, companies can create indemnification categories, such as “violations of confidentiality” or “violations of security,” to protect themselves from potential legal issues.
Companies should seek reimbursement of investigation costs and other costs to legally evaluate both a vendor’s and its own compliance with data security obligations, including reasonable attorneys’ fees.
Because companies relinquish some control when they give vendors access to customer and client data, companies should be kept up to date on how vendors are operating. Additionally, companies should ensure that they are being updated when security incidents happen.
Companies can add data security-specific addendums that have detailed requirements on the administrative, technical, and physical safeguards that must be in place for the contract to move forward. An additional way to approach this is by requiring data security questionnaires and information about how vendors are ensuring confidentiality.
When contracting, the company should require the vendor to notify the company when suspected security incidents and confirmed data breaches occur so that the company can quickly and appropriately respond.
Companies should also reserve the right to require the vendor to provide notifications to the company’s customers at the vendor’s own cost, as well as the right to approve the specific notices that are sent out on the company’s behalf.
Notice of changes in a vendor's practices is important because the company should know exactly when a vendor changes its practices, so that it can quickly evaluate whether the new practices maintain the level of security the company agreed upon when the contract was executed.
As the supply chain for vendors and subcontractors gets longer, the company’s risk of experiencing data security breaches grows. If just one link in the chain has weak security, that makes every party involved even more vulnerable to data breaches.
If a company hires a vendor that in turn hires a subcontractor in a different country, the vendor may be violating data localization laws. This is especially important given the growing regulatory activity in the international environment.
A perfectly written contract is only useful for ensuring data security if the company continues to check on its vendors to ensure ongoing compliance.
Such checks can be performed annually, or whenever the company requests additional information to confirm that the vendor is maintaining the security posture it started with. Ongoing compliance also involves confirming that the vendor has not had any other reported data breaches or security issues. Finally, compliance can be monitored through third-party audit reports.
New consumer data privacy laws and cybersecurity rules are bringing more scrutiny and complexity to the contract process. Download our GC Guide to Navigating 2024: Data Privacy and Cybersecurity Risk for analysis of the most pressing data privacy and cybersecurity challenges facing in-house counsel, from the use of AI in cyber attacks to navigating new SEC cyber disclosure rules.