This is the second article in a series on Third Party and Vendor Management. The first article discussed pertinent considerations for vendor contracts in the context of cybersecurity.

Contracting in the context of subcontractors, outsourcing, and privacy and security laws can be fast-paced, complex, and onerous. As with most contracts, complications do not typically arise until there is a breach. Furthermore, in the context of cybersecurity and outsourcing, the cost of a contractual breach can increase drastically if it coincides with a security incident, because of the breach-reporting requirements that incident triggers. Accordingly, drafting your own checklist and standard provisions that satisfy your company's privacy and security requirements in advance can save time and money later.

Once drafted, these standard provisions can be incorporated into various agreements or used with the checklist to evaluate vendor agreements. The following are recommended subjects to cover in your vendor agreements:

  • General security and confidentiality covenants for Customer Data
    • the standard confidentiality exceptions (e.g. information that has become publicly available) should not apply to Customer Data; customer data exposed in a breach must still be treated as confidential
  • Compliance with security standards and annual certification
  • Audit reports
    • on-site security audits and penetration testing
    • allocation of audit costs when an audit detects security failures
  • Compliance with privacy and data security laws
  • Data locations, processing, and storage
  • Data transfers including remote access
  • Written information security policies
  • Physical, technical and organizational security measures
  • Security incident reporting
    • define "security incident" and "personal information", and set the time period within which incidents must be reported
  • Restrictions on subcontracting, with flow-down of obligations to first-tier subcontractors and to all lower-tier subcontractors and sub-processors
  • Background checks and personnel screening
  • Data minimization and compliance with records retention policies
  • Limitations on access to systems
  • Adequate cyber-liability coverage
  • Restrictions on secondary uses of data (including aggregated, derived or anonymized data)
  • Rights to change policies and standards to respond to changes in laws or new threats
  • Rights to obtain commitments directly from personnel
  • Rights to require adoption of new security technologies, such as biometrics, as they become available
  • Costs of security breaches, such as data breach notification to consumers, credit monitoring services, forensic investigations, and breach identification costs
  • Other damages and liability caps (covering both direct and consequential damages)
  • Termination rights triggered by breaches