Addressing Cyber Attacks & Data Breaches in Supplier Contracts


Part 1: Contractual Protections With Respect to Data Breaches

Given the seemingly unrelenting news reports of cyber attacks and data breaches affecting customer records and data, the question of which contractual provisions should govern data breaches in a contract between customers and suppliers remains timely, difficult, and constantly evolving. Below are several observations regarding contractual language and protections with respect to data breaches, where a supplier has access to a customer’s data and/or could cause or allow that data to be breached.

  • Customers continue to insist upon strict terms and conditions requiring their suppliers to protect the customer’s confidential information, including with respect to the customer’s (i) data (i.e., information stored in equipment and software), (ii) Personally Identifiable Information (PII), and (iii) Protected Health Information (PHI).
  • In some cases, customers are requiring their suppliers to agree contractually to separate security and/or privacy exhibits as part of their Customer Agreement. These generally go above and beyond the general “Confidential Information” terms and conditions, and focus on the specific tools, equipment, software, processes, procedures, encryption, and physical/logical security that the suppliers must institute and comply with. If you are a customer and concerned about how your suppliers treat your data, you may want to consider creating a standard set of security and/or privacy terms (or bulking up your existing set) that can be attached to your supplier agreements. These exhibits are often prepared by the Corporate Security, Risk or CIO department, and may be applicable to some deals but not others (for instance, an exhibit would not be applicable if the scope of the deal does not involve the supplier having access to the customer’s data). As an aside, these exhibits can also cause problems from a deal negotiation perspective if they take a “kitchen sink” approach, as negotiation of “one size fits all” security terms can lead to lengthy contracting delays. To speed the negotiation process, consider tailoring such a security and/or privacy exhibit to the scope of your particular deal.
  • Customers frequently require that their suppliers have adequate Error & Omissions (E&O) insurance and Cyber Breach insurance policies, so that the supplier is adequately protected (financially) if the supplier causes a data breach.
  • Additionally, many customers are themselves making sure that they have sufficient E&O and Cyber Breach insurance policies to cover damages resulting from data breaches (especially if the customer is not successful in passing responsibility for that liability to the supplier, or in order to cover potential damages that exceed the applicable limits of liability within the customer’s supplier agreements).
  • Customers should insist on indemnification protection, requiring suppliers to indemnify and defend the customer for a breach of the supplier’s obligations with respect to Confidential Information (again, including with respect to data, PII and PHI).
  • There is increasing focus on defining, within supplier agreements, the types of damages that are reimbursable by the supplier as “direct damages” to the extent they result from a data breach. For example, such costs might include: (i) notification costs/letters to affected customers informing them of the data breach; (ii) establishment of a call center/1-800 number to provide information to affected customers; (iii) costs of credit monitoring services; (iv) costs of identity restoration services or fraud resolution services; (v) costs of identity theft insurance provided for the benefit of affected customers; (vi) reimbursement for credit freezes; and (vii) fees/expenses associated with investigating and responding to a data breach.
  • Where a supplier has access to a customer’s data, there are frequently hard-fought negotiations regarding the total amount of damages that the supplier is willing to absorb if the supplier is the cause of a data breach. We will discuss this further in Part 2 of this post.