[Note: This is another in the series of my articles that I’ve been reposting. I thought I’d add a little variety by reposting an article on technology law rather than legal technology. This article from 2004 is a checklist (or “ten tips”) article that covers some of the key points to consider when addressing computer security issues in an IT agreement. Computer security issues have become all too common. Businesses signing IT agreements don’t always know that they have a number of approaches they can take to try to address their legitimate security concerns. In general, you will have to negotiate on these issues – don’t expect a vendor agreement to give you what you need to cover your security issues. This article will give you some starting points and some ideas on strategies.]
Ten Ways to Address Security Concerns in IT Contracts
While security is rapidly becoming job #1 for IT departments, coverage of security issues has found its way into surprisingly few IT contracts. Many companies discover, far too late, that their contracts are largely silent when security issues arise during the life of an IT agreement.
The following checklist shows you 10 places in your IT contracts where you can address security concerns. You will have to be a good negotiator or have great leverage in the deal to get coverage in all 10 places, but the list will give you a number of strategies to cover security issues.
Warranties
The biggest weapon in your contract arsenal will be a warranty from your vendor. There are two types to consider (points 1 and 2); points 3 and 4 then cover two other contract documents, the SLA and the specifications, where security requirements also belong.
1. Security Warranty. Ideally, you would like a vendor to represent and warrant that the software or services it will be providing will be secure and that your data, systems and networks will be secure from both third parties and the vendor’s own employees. The language you get will largely depend on your bargaining power. While vendors will balk at warranting complete security, you might try to get a warranty of security consistent with industry standards, or a warranty that the vendor will obtain and maintain a recognized security certification. Naming the standard or certification in the contract is better than a bare reference to "industry standards," because it gives you something concrete to audit against. Failing that, you might try to get a warranty that provides reasonable security, keeps passwords safe or meets other specific requirements.
2. No Malicious Code. Another reasonable request is a warranty that the software or services contain no viruses, Trojan horses, backdoors, disabling code, malicious code or other programs that would allow anyone, including the vendor, unauthorized access to your computers or networks or would let anyone disable the software or your systems. If the vendor insists on a license-enforcement mechanism, require that it be disclosed in the contract rather than left as an undocumented exception.
3. SLA Requirements. Service Level Agreements (SLAs) customarily cover areas like uptime, backup, support procedures and other service requirements. A good way to cover security issues is to include specific security requirements in the SLA, such as firewall configuration requirements, security certification, security testing and notice of security breaches. Keep in mind that the usual remedy for an SLA miss is a service credit, which will rarely be adequate for a security failure, so tie security SLA items to the stronger remedies discussed below.
4. Specifications. Software and IT services agreements commonly contain an exhibit that sets out a list of detailed specifications. Consider including security requirements in this list, written as testable requirements (for example, what must be encrypted, how access must be controlled and how events must be logged) rather than as general statements about being "secure."
Action Requirements
You can also create affirmative obligations for the vendor.
5. Security Audits. Providing for annual or more frequent security audits or testing places a burden on the vendor to provide adequate security and establishes a standard for judging whether it is doing so. Spell out who performs the audit or test, its scope, who pays for it and your right to see the results, and remember to spell out the consequences for a failure to pass the audit.
6. Reporting Requirements. You will definitely want to know when there has been a security breach, especially a major one. A clause spelling out what events trigger a notice, how quickly notice must be given and what the notice must contain (what happened, what data or systems were affected and what the vendor is doing about it) will address these concerns directly.
Modifying Standard Contract Provisions
Making adjustments to standard contract provisions can provide great results.
7. Confidentiality. Your biggest security concerns will relate to your customer data (for which you may have obligations under your privacy policy or applicable law) and your confidential information. Rather than rely on a general obligation of confidentiality, consider setting out additional, specific obligations to protect the information through appropriate security measures, such as access restrictions, encryption and secure handling of the data on the vendor's systems.
8. Exempt Security Damages from Liability Cap. Software and IT agreements routinely set limits on liability and caps on damages. It is common to clarify that limits and caps do not apply to indemnification obligations and damages for breach of confidentiality obligations. You can also argue that it is appropriate to exclude damages from a security breach from any limitation or cap because the potential damages are so high. Expect a vendor to counter with a higher separate cap for security breaches rather than an unlimited exposure; even that is a significant improvement over a general cap.
9. Security Indemnity. A vendor’s breach of security obligations could cause damages to a third party for which the third party would sue you. If you have strong bargaining power, you might ask for an indemnification from the vendor for any claims that a third party makes against you as a result of the vendor’s failure to maintain security.
10. Termination / Transition. As a practical matter, if a vendor fails to provide adequate security, you will want out of the deal. Consider spelling that out clearly as a termination right and providing for a short and secure transition to another service provider, including the return or certified destruction of your data and the revocation of the vendor's access to your systems.
In today’s IT contracts, it is important to address security issues during the negotiation process rather than trying to sort them out later in litigation. By consulting the 10-point checklist above, you will have a number of ways to negotiate security protections in your IT contracts, approaching the issues from several different directions. You may not get all you ask for, but you should be able to get some protection or, at a minimum, a good sense of how comfortable you will be with a vendor who is not willing to stand behind its security efforts.
[Originally posted on DennisKennedy.Blog (https://www.denniskennedy.com/blog/)]