
Chapter 2 Overview of Information Security and Compliance:

3.4 The Second Tool: Key Contractual Protections

Most contracts have little or no specific language governing information security. At most, there is a passing reference to undefined security requirements and a basic confidentiality clause. Today’s best practices relating to the protection of data suggest that far more specific language is required.

In addition to an appropriately written license grant (see Chapter 7, “Licensing Big Data”), the following protections related to information security should be considered for inclusion in relevant agreements:

• Warranties

• Specific information security obligations

• Indemnity

• Responsibility for costs associated with security breach notification

• Limitation of liability

• Confidentiality

• Audit rights

3.4.1 Warranties

In addition to any standard warranties relating to how the agreement is to be performed and authority to enter into the agreement, the following specific warranties relating to information security should be considered in appropriate agreements:

• A warranty requiring the third party to comply with “best industry practices relating to information security.” This creates an evolving standard to keep pace with advances in the industry as security measures improve over time.

• A warranty against sending data and intellectual property offshore to subcontractors or affiliates unless specifically authorized to do so by the customer.

• If a due diligence questionnaire has been completed, a warranty stating that the responses to the due diligence questionnaire (described previously) are true and correct. The questionnaire should be attached as an exhibit to the contract.

• To the extent any data disclosed is subject to a state or federal law or regulation (personally identifiable information), a warranty of compliance with those laws and regulations.

3.4.2 Specific Information Security Obligations

In addition to the general information security warranty discussed above and the confidentiality clause, consider addressing security obligations in more specific terms. Where appropriate, insert specific language requiring the third party to secure and defend its information systems and facilities from unauthorized access or intrusion, to participate in joint security audits, to periodically test its systems and facilities for vulnerabilities, to use appropriate encryption and access control technology, and to use proper methods and techniques for destruction of sensitive information (e.g., the DoD 5220-22-M Standard or NIST Special Publication 800-88, Guidelines for Media Sanitization).

3.4.3 Indemnity

In addition to general indemnity language, a specific provision requiring the third party to hold the business harmless from claims, damages, liabilities, and expenses incurred as a result of a breach of the security obligations should be included. That is, the third party should protect the business from lawsuits and other claims that result from the third party’s failure to adequately secure its systems.

3.4.4 Limitation of Liability

Most commercial agreements have some form of “limitation of liability”— a provision designed to limit the type and extent of damages to which the contracting parties may be exposed. It is not uncommon to see these provisions disclaim a party’s liability for all consequential damages (e.g., lost profits, harm to the reputation of the business) and limit all other liability to some fraction of the fees paid. These types of provisions are almost impossible to remove, but it is possible to require certain exclusions for damages, including damages flowing from a breach of the confidentiality or information security obligations. Without these exclusions, the contractual protections described previously would be largely illusory. If the third party has no real liability for breach of privacy or confidentiality because the limitation of liability limits the damages the third party must pay to a negligible amount, the contractual protections of the business are rendered meaningless.

3.4.5 Confidentiality

A fully fleshed-out confidentiality clause should be the cornerstone for information security protections related to intellectual property and highly sensitive databases. The confidentiality clause should be drafted broadly to include all information the business desires to be held in confidence. Specific examples of protected information should be included (e.g., source code, proprietary care plans, marketing plans, new product information, trade secrets, financial information). Although the term of confidentiality protection is often fixed (e.g., five years from the date of disclosure or, more likely, termination of the agreement), ongoing, perpetual protection should be expressly provided for valuable information such as the trade secrets of the business or personally identifiable data.

Requirements stating that the business mark relevant information as “confidential” or “proprietary” should be avoided. These types of requirements are unrealistic in the context of most arrangements. The parties frequently neglect to comply with these requirements, resulting in proprietary, confidential information being placed at risk.

3.4.6 Audit Rights

The agreement should include clear rights permitting the business to audit the third party to confirm compliance with the terms of the agreement and applicable law, including the license grant for the database. While reasonable limitations can be included regarding the number of times that audits may be conducted and their timing, businesses should avoid any strict limitations (e.g., limiting audits to only once per year or imposing an excessive notice period before the audit can be conducted). The third party must reasonably cooperate with the audit, including providing all appropriate documentation. That cooperation should be at no cost to the business. Finally, the audit language should require that the third party furnish the business with copies of all relevant third-party audit reports (e.g., SSAE 16).

3.5 THE THIRD TOOL: AN INFORMATION