In Part 1 and Part 2 of this Contract Corner, we discussed the importance of assessing and defining the types of data involved in a services agreement, and highlighted issues to consider with respect to the ownership and control of company and personal data.
In this Part 3, we discuss key drafting points regarding the operational security requirements typically addressed in services agreements.
Document the Security Requirements
- Setting the Standard. When structuring the security requirements section of the contract, consider starting with a general standard. What are the objectives of the data safeguards? For example, consider requiring the service provider to implement and maintain rigorous security measures that protect company data and that protect against the unauthorized access or use of such data. In addition, consider whether the safeguards should be designed to comply with particular industry standards, such as ISO 27001 or the standards, practices, and guidelines issued by the National Institute of Standards and Technology (NIST).
- Defining the Details. After setting the general objectives and standards of the security measures, the contract should further define and describe the key requirements of the data safeguards. To accomplish this, consider attaching the company’s security policy for third parties or starting with a description of the service provider’s security offering, which is becoming a more common practice. If the contract uses the service provider’s policy, the company should analyze it for gaps and ensure that its own security team is comfortable with the practices described by the provider. Major gaps should be separately addressed in the contract. Key issues to consider when developing or reviewing contractual security requirements include encryption technologies and standards, password policies, multifactor authentication, employee and contractor training (which should include phishing awareness training), network monitoring, vulnerability scanning, intrusion detection systems, and penetration testing. In addition, consider including geographic limitations, such as requiring all access, processing, hosting, and storage of company data to be solely in and from the United States.
- Audit Rights. The contract should include obligations for the service provider to regularly audit, review, test, or otherwise monitor its information security policies and procedures and its safeguards’ controls, systems, and procedures to ensure their continued effectiveness and determine whether adjustments are necessary, including with respect to changes in law, regulation, technology, or threats or hazards to company data. The service provider should periodically identify reasonably foreseeable internal and external security risks and ensure that there are safeguards in place to control those risks. In addition, the service provider should be required to provide a copy of its written privacy and information security policies and procedures to the company at appropriate intervals and should provide a report, carried out by an independent third party, regarding its security controls. Finally, be sure to reserve the right to carry out or have carried out a security audit of the services, with cooperation and assistance from the service provider.
- Data/Security Breach Obligations. Aside from liability considerations in the event of a security or data breach (which will be discussed in Part 4 of this series), the contract should delineate the service provider’s obligations in response to any such breach. Consider adding specific response, remediation, and mitigation responsibilities, including assembling and preserving pertinent information relating to the breach, providing detailed reports and root-cause analyses, advising on the status of remedial efforts, and cooperating with investigations performed by company and governmental authorities. For breaches involving personal data, the service provider should be required to assist the company in providing notices as required by law (including to individuals and governmental authorities), as determined by the company. Make sure the contract reserves the company’s right to approve the content and format of all such notices prior to publication or communication.
This post is part of our recurring Contract Corner series. Part 4, coming next week, will discuss key liability issues with respect to data protection obligations.
In Part 1 of this Contract Corner, we discussed the importance of evaluating the types of data to be processed or accessed by a service provider at the beginning of the contracting process and key considerations to address when defining the types of data in the services contract.
This Part 2 highlights issues to consider with respect to the ownership and control of company data.
Retain Ownership and Control of the Data
To help ensure that company data remains “safe” with a service provider, contractual provisions regarding ownership, control, and access to the data should not be overlooked or forgotten. Below we discuss some key concepts to consider.
Ownership: The contract should clearly state that, as between the company and the service provider, all “company data” (as defined) is and shall remain the property of the company and shall be deemed the company’s confidential information. As with other intellectual property, consider adding a present assignment of rights (if any) in such data from the service provider back to the company.
Use Rights: After establishing clear ownership rights, consider what use rights the service provider requires to provide the services under the agreement. Consider the following:
- Include a provision that, without the company’s approval (in its sole discretion), the company data shall not be used by the service provider other than as necessary for the service provider’s performance under the agreement and solely in connection with providing the services.
- In addition, the contract should expressly restrict the service provider from commercially exploiting the company data and from disclosing, selling, assigning, or otherwise providing the data to third parties without the company’s consent.
- Some service providers may be interested in using a service recipient’s data (or components thereof) in aggregated and de-identified form for the purpose of improving their services. Consider whether your company will allow this right and whether additional restrictions should be added to the contract, including that the service provider shall not reverse engineer, combine, anonymize, de-identify, aggregate, or commingle any company data. If aggregated data use is permitted, be sure to make clear that such data must not permit the identification of the company, its data, or any of its confidential or proprietary information (including employees and customers).
Access and Return: Retaining access to data is critical, both during the term of the agreement and upon expiration or termination. The contract should address the following:
- Upon the company’s request at any time, the service provider should be obligated (at no charge) to promptly return the company data and/or provide access to the company data, in the format and on the media requested by the company.
- In addition, the service provider should be obligated to erase or destroy all or any part of the company data in its possession upon request by the company.
- The service provider should be responsible for developing and maintaining procedures for the reconstruction of lost company data in its possession or control, and should be obligated to correct or restore any lost, destroyed, or altered data in its possession or control at no charge.
Retention: Proper retention of company data is another critical component of data protection. As part of the services, the service provider should be obligated to assist the company in meeting the company’s legal obligations with respect to the retention of data and records in the service provider’s control. Consider whether the service provider must follow the company’s record retention policies or if the service provider’s policies are sufficient for this purpose.
Legal Holds: Building on the general retention obligations of the service provider, consider whether the data at issue could be subject to a legal hold that would require cooperation and assistance from the service provider. If, for instance, certain data will be hosted and backed up by the service provider, then the company may require assistance in complying with litigation holds. Appropriate contract language should be added to set forth the process for notifying the service provider of a legal hold and the service provider’s commitments with respect to any such legal hold, such as preservation of and/or access to the data and the expected time period for the hold.
This post is part of our recurring Contract Corner series. Part 3 will address operational security requirements in services agreements.