This is part 6 of a Seven Part Guide to reviewing vendor contracts. Part 1 can be found here, and other parts can be found here.

Ownership of Trademarks, Copyrights, Patents and Other Trade secrets, Source Code escrow Agreements. Typically, each party should own its pre-existing materials and derivative works thereof and materials developed by the parties or their contractors individually and outside of the contract, and each party should provide the other with licenses to its materials necessary to receive or provide the services during the term. The contract should include intellectual property provisions that clearly define each party’s intellectual property rights for their pre-existing materials and materials developed as part of the contract.

Does the vendor currently own or have the right to use all of the patents, trademarks, copyrights, etc., needed to provide the services under the contract or are they using intellectual property assets owned by the bank? If the contract involves the use of software purchased from a third party which needs to be customized, does the vendor or the bank have the legal rights to do that? The contract should address who will own any intellectual property created by the vendor as a direct result of the contract. Oftentimes, but not always, that will be the bank.

In contracts where the vendor is providing or using software in delivering the services, issues may arise over ownership and the right to use the software. Banks will generally want the vendor to represent that the vendor has full use of the software and that it is providing the bank with a non-exclusive right to use it. Usually the vendor will be required to indemnify the bank in the event a third party asserts a claim that the bank’s use of the software was improper. If a successful claim of infringement is made, the bank may want to either obligate the vendor to obtain alternative software to be able to continue providing the services or be able to terminate the contract immediately. As a practical matter, if a successful infringement claim is made, the vendor may simply need to obtain a license from the other party in order to continue providing the software to the bank.

The contract should provide that the data of the bank remains the property of the bank and that the vendor is prohibited from using such data for any purposes other than providing the services under the contract.

If the bank purchases software, it should consider establishing escrow agreements to provide for the bank’s access to “source code” and programs under certain conditions (e.g., insolvency of the vendor). “Source code” includes not only the human readable source code for the software in question but also any customizations and enhancements that were done for the bank. The typical escrow agreement would require the vendor to deposit new source code if a new, different, upgraded, or customized version of the software is delivered to the bank during the life of the contract. If any of the source code is encrypted the vendor must also provide the escrow agent with the decryption tools and decryption keys. This type of arrangement ensures that the bank will be able to continue using and/or benefitting from the software even if the vendor goes defunct.

Confidentiality. The bank will want the vendor to maintain the confidentiality of all information provided by the bank. This includes preventing the vendor or its subcontractors from using the information in a manner that is not anticipated by the contract. The contract should require that the vendor has, and at all times will maintain, an information security program that includes appropriate administrative, electronic, technical, physical and other security measures and safeguards reasonably designed, at a minimum, to: (a) ensure the security and confidentiality of all confidential information (specifically including any data on the bank’s customers); (b) protect against any unauthorized access to or use of such confidential information; and (c) protect against any anticipated threats or hazards to the security or integrity of such confidential information. The vendor’s security protocols are oftentimes attached as an exhibit to the contract.

One very important element of this provision is a notice requirement on the part of the vendor in the event of an information breach. Security breach should be defined to include unauthorized access, disclosure, or misuse of bank data or information that can be used to access bank data. Such a breach may trigger reporting obligations on the part of the bank. The contract should require the vendor to investigate, remediate, and mitigate the effects of the breach. The vendor should be required to develop a plan for implementing the remedial actions for bank approval.

It is important to note here that what we are talking about here is not necessarily an actual loss of bank client information, but rather a breach of the vendor’s systems in general. The practical concern is that if the vendor suffers a breach of its systems, it may presage a later use by a hacker to use the vendor’s connection to the bank to piggybacking its way into the bank’s systems. There have been a number of highly publicized information breaches that were accomplished by using this approach and it continues to be of great concern to the banking regulators.

The vendor should be required to allow the bank and its agents, access to the vendor’s premises to the extent required to carry out a program of inspection to safeguard against threats and hazards to the security, integrity and confidentiality of bank information. The vendor will also need to acknowledge that it may need to provide access to the bank’s state and federal bank regulators. The vendor should provide the bank with notice that the regulators have requested such access.