The fine print: key contract clauses impacting cyber liability

This article, written by attorney JP Harris, was originally published by the NHBR and can be found here.


Before entering into any contract addressing data, keep contractual clauses under close scrutiny

Because data is essential in today’s economy, many contracts signed by businesses address the parties’ rights and responsibilities for data.  Contracts commonly restrict the use of the data to only those purposes expressly authorized by the agreement. But contracts also allocate the risks inherent in possessing and using the data, including those risks associated with personally identifiable information (PII), protected health information (PHI), or any data governed by the emerging privacy laws.

This article identifies several of the key contractual clauses that should be examined closely before entering into any contract addressing data.

The level of security

If data will be transferred to or accessible by the other party, it is important to specify the level of care the recipient will deploy to protect the data from unauthorized access.  Some contracts require “commercially reasonable security,” a standard that lacks specificity and may not be suitable.  Some contracts require the receiving party use the “same level of security that it uses to protect its own data.”

This language assumes, without any real assurance, that the receiving party adequately protects its own data.  If the circumstances warrant, consider requiring that the receiving party comply with a specific standard, such as NIST or ISO 27001.  You can insist on proof that a third party has certified that the receiving party adheres to the specified standard.  A good contract will set an objective standard by which a breach of those promises can be measured.

Indemnification

Indemnification clauses allocate responsibility for certain types of claims.  If you license software from a vendor, it makes sense for the vendor to be responsible if a third party hacks into the vendor’s system.  A good indemnification clause requires the responsible party to defend, indemnify and hold the innocent party harmless for breaches of security and violations of applicable privacy laws.  Of course, indemnification clauses are only valuable if the party at fault has the resources to pay for the fallout.  In that way, insisting on adequate insurance is also important.

Cyber insurance

Whenever data is involved as part of a business contract, it is wise to require the receiving party to procure a standalone insurance policy that affords meaningful coverage for the range of risks.  The contract should require that the policy cover first- and third-party liability, responding to any breach, forensic and legal expenses, ransomware and cyberextortion, data recovery, payment card liabilities, fraudulent instruction and funds transfer liability.  The contract should also set a minimum policy limit commensurate with the risk.

Limits of liability

Most vendor contracts cap any amount the vendor will pay in the event of a claim to the amount of fees the vendor has received from the customer during the twelve months prior to the event that caused the damage.  So, if you have paid $10,000 in the last 12 months to license software, the vendor’s total responsibility for any claim will not exceed $10,000, which may or may not be sufficient to cover a reasonably expected claim.  It is sometimes possible to negotiate for a cap that is some multiple of the fees that have been received (two or three times the fees paid, for example).

Regardless of the cap that is set, it is important to make clear that the limit of liability does not apply or cap the vendor’s indemnification obligations.  The cost to defend a claim — which, by definition, was caused by the vendor, so it has triggered the indemnification clause — will often exceed the amount of fees paid to the vendor for the software.

Required notices of data security events

It is important that vendors provide prompt notice of any event that potentially compromised the security of your data, not just those events that are deemed to be actual “breaches.”  Most states’ laws define “breaches,” but those definitions vary and it is possible for two people to view the same fact pattern and come to different conclusions about whether a breach occurred.  As the party sharing the data, it is better to be notified of any event that might have exposed your data, so you can make your own decision about any remedial steps.

Compliance with applicable law

As more states implement comprehensive data privacy laws and afford consumers with a bundle of rights and empower regulators to enforce them, it is important for contracts to allocate explicitly the responsibility for complying with applicable privacy laws.