Ten Ways to Address Security Concerns in IT Contracts

While security is rapidly becoming job # 1 for IT departments, coverage of security issues has found its way into surprisingly few IT contracts. Many companies discover, far too late, that their contracts are largely silent when security issues arise during the life of an IT agreement.

The following checklist shows you ten places in your IT contracts where you can address security concerns. You will have to be a good negotiator or have great leverage in the deal to get coverage in all ten places, but the list will give you a number of strategies to cover security issues.

Warranties.

The biggest weapon in your contract arsenal will be a warranty from your vendor. There are two types to consider.

1 . Security Warranty. Ideally, you would like a vendor to represent and warrant that the software or services it will be providing will be secure and that your data, systems and networks will be secure from both third parties and the vendor’s employees. The language you get will largely depend on your bargaining power. While vendors will balk at warranting complete security, you might try to get a warranty that they will provide security consistent with industry standards or obtain and maintain a recognized security certification. Failing that, you might try to a warranty to provide reasonable security, to keep passwords safe or meet other specific requirements.

2 . No Malicious Code. Another reasonable warranty to request is a warranty that software or services contain no viruses, Trojan horses, backdoors, malicious code or other programs that would allow anyone, including vendor, access to your computers or networks.

Procedures.

Specific security procedures may be specified.

3 . SLA Requirements. Service Level Agreements (SLAs) customarily cover areas like uptime, backup, support procedures and other service requirements. A good way to cover security issues is to include specific security requirements, such as firewall specifications, certification, testing and notice of security breaches in the SLA .

4 . Specifications. Software and IT services agreements commonly contain an exhibit that sets out a list of detailed specifications. Consider including security requirements in this list.

Action Requirements.

You can also create affirmative obligations for the vendor.

5 . Security Audits. Providing for annual or more frequent security audits or testing will place a burden on the vendor to provide adequate security and a standard for judging whether they are doing so. Remember to spell out the consequences for a failure to pass the audit.

6 . Reporting Requirements. You will definitely want to know when there has been a security breach, especially a major one. A clause spelling out what events trigger a notice and how quickly will address these concerns directly.

Modifying Standard Contract Provisions.

Making adjustments to standard contract provisions can provide great results.

7 . Confidentiality. Your biggest security concerns will relate to your customer data (for which you may have obligations under your privacy policy or applicable law) and confidential information. Rather than rely on a general obligation of confidentiality, consider setting out additional, specific obligations to protect the information through appropriate security measures.

8 . Exempt Security Damages from Liability Cap. Software and IT agreements routinely set limits on liability and caps on damages. It is common to clarify that limits and caps do not apply to indemnification obligations and damages for breach of confidentiality obligations. You can also argue that it is appropriate to exclude damages from a security breach from any limitation or cap because the potential damages are so high.

9 . Security Indemnity. A vendor’s breach of security obligations could cause damages to a third party for which the third party would sue you. If you have strong bargaining power, you might ask for an indemnification from the vendor for any claims that a third party makes against you as a result of the vendor’s failure to maintain security.

10 . Termination / Transition. As a practical matter, if a vendor fails to provide adequate security, you will want out of the deal. Consider spelling that out clearly and providing for a short and secure transition to another service provider.

Conclusion.

In today’s IT contracts, it is important to address security issues during the negotiation process rather than trying to sort them out later in litigation. By consulting the ten-point checklist in this article, you will have a number of ways to negotiate security protections in your IT contracts by approaching the issues in a number of different directions. You may not get all you ask for, but you should be able to get some protection or get a good sense of how comfortable you will be with a vendor who is not willing to stand behind its security efforts.