Following recent high profile data breaches, many companies are wondering what terms and conditions should be in vendor contracts. That is great question to ask. Many companies – big and small – sign vendor contracts without considering the data security issues. Often times, a contract that is “small potatoes” from a dollar standpoint has the potential to create a disproportionate level of risk. (Consider, for example, a company hired to empty your company’s shredder bin.)  Such contracts often get signed without careful review, putting companies at risk.

While each company should get individualized legal advice, here are six things that should generally be addressed within vendor contracts:

Identification of the kind of confidential information that will be made available to the vendor. The contract should make clear what kind of confidential information will be in the vendor’s hands. Is it your customers’ financial information?  Health information? Your company’s trade secrets?

A promise to protect the confidential information. The vendor should promise to protect that which it has access to. It should have a security program, and there should be a standard of care established. There should also be a way for you to determine whether the vendor is meeting this standard.

Procedures to deal with a loss of your confidential information. The vendor must have an obligation to notify you of any breach in a timely manner. You should have a primary point of contact that understands what information it has and how that information has been stored. The vendor should be obligated to cooperate with any investigation you want to make.

An obligation to return or destroy confidential information when the contract ends.  It can be difficult to get confirmation that information has been returned or destroyed if the parties are no longer doing business together. Put it in the contract.

An obligation to cover your losses if the vendor fails to protect your confidential information. This is often difficult to get, especially in contracts small dollar value contracts.  Be aware of the risk your company is undertaking if you choose not to contract for this protection.

An obligation to have cyber risk insurance that will protect you if the vendor fails to protect your confidential information. You should identify what coverage is needed, mandate the limits, and give you a right to be listed as an additional insured.

[ Image courtesy of stockimages / ]