Cyber Security and Contracts: Have you looked at them lately?

You may not think you’re vulnerable, but anything connected to your organization’s network is a potential threat

William L. Michels
William L. Michels

In October I had the pleasure of attending and speaking at the Zycus Horizon 2015 conference. The thing about conferences is that you always learn something and this one was no exception, especially when I listened to a presentation by Deborah Wilson from Gartner on “Cyber Security: What the CPO needs to know.” The thing that I found most interesting in the presentation was that all supplier contracts need specific language about risks, obligations and notifications concerning cyber security breaches. Yet, thinking of my contracts and those of my clients, most do not address this area of the law where businesses are subject to extreme risk.

While reading news headlines waiting for my flight after the conference, this one caught my eye: “Average Cost of Cyber-crime in the U.S. Rises to $15 Million.” On the four-hour flight from Atlanta to Phoenix, I saw several articles in business magazines and looked through a few contracts on my PC; no, clauses specifically addressing cyber security were not there. As soon as got back to my office I called a few law firms I’ve worked with over the years and all of them confirmed that data security is the fastest growing practice in their respective firm. All were now building new contracts with cyber security language. The Security and Exchange Commission issued guidelines that have gotten a lot of attention as companies build the contract language to protect them.

This was a wakeup call to me; many businesses are highly exposed as they have not added new language and contract clauses, not just because they’re not aware, but because they don’t know what to include. To close the gap in this area, Jeffrey Mayer, partner at Akerman LLP, helped outline the areas that should be considered. Jeff regularly advises purchasing departments and speaks on many cutting edge issues relating to purchasing law, including international contracting, warranties and responding to sudden and unexpected catastrophic events (force majeure). Here’s what Jeff and his team suggest:

Data security breaches are very real and very costly. In addition to legal risk, there is PR risk, stock price risk and, of course, people can lose their jobs for not taking the proper precautions to mitigate potential breaches. Use your contracts to help. Akerman has an entire team devoted to data security issues and two of those team members, Melissa Koch and Elizabeth Hodge, outline some of the most critical legal provision for purchasing departments concerned about data security issues. Melissa and Elizabeth’s top tips are:

  1. Be clear on what data is at issue (especially if it will include personal, confidential or sensitive information).
  2. Make sure the ownership rights are spelled out and well understood to help control who has access to the data and how it can be used.
  3. Understand all of the touch points on how the data will flow, who will have access to it, and where it will be stored. This is particularly important if a vendor is going to have access into your company systems. You will want to make sure there are at least industry standard procedures and processes in place to keep the touch points and data safe and secure. You will also want to make sure the transfer of the data complies with all applicable laws. Regulators across all industries increasingly expect data owners to know where the data lives and who is handling it. You will want to know if the data will stored beyond U.S. borders or if vendor employees and subcontractors outside the U.S. will have access to the data.
  4. Pre-qualification reviews, audits and certifications. Take the time to thoroughly evaluate the vendors with whom you will be sharing data, and make sure they are properly audited and certified using current standards. You will want to make sure their ISPs are also audited and certified.
  5. Make sure you have proper recourse in the event of a security incident through carefully drafted indemnity rights and carve-outs from limitation of liability. Also verify if the service provider has appropriate cyber liability insurance and the limits on such coverage.
  6. Make sure the service provider is required to assist in transferring data back to you in the event the services agreement terminates. You want to make sure that the contract does not give the services provider to lock you out of access to your data, especially if the data at issue is critical to your business operations.
  7. You should not only demand that the vendor indemnify you, but also that they cooperate with any pending litigation or investigation.

And none of these issues stands apart from other issues that you face in a purchasing department. Just as legal systems vary, making international contracting challenging, so do local laws on data security and privacy. And, unlike other commercial laws, you may not be able to contract out of those obligations. Similarly, your warranties in a contract bear directly on legal obligations related to data security.  And any force majeure (chance occurrence or unavoidable accident) clause needs to be examined closely to determine whether it provides an out or escape to the vendor in event of a major data breach.  While data security issues go well beyond the contract, making sure your contracts fit with your overall data security strategy is just as essential as any other contract strategy.

With this information, I am enhancing risk management plans and reviewing contracts, especially evergreen contracts. You may not think you’re vulnerable, but anything connected to your organization’s network is a potential threat from medical infusion pumps to supplier invoices (both caused highly publicized breaches). How prepared are you?

Jeffrey Mayer, a partner in the Litigation Practice Group at Akerman LLP, Chicago, also contributed to this article.