Most businesses have realized the risks posed by and to their data. Some experience significant operational interruptions after data breaches. The litigation they face as a result directly impacts their bottom line.
Below are eight tips for protecting a company’s finances through better negotiation of data privacy language in vendor contracts. Such agreements may be with cybersecurity services vendors, insurers, or any entity — for example, customer service management software vendors, outsourced IT providers, accounting and law firms, and management consultants — that holds personal data.
The language in these contracts is crucial: among other things, it determines whether a company maximizes its investment and whether the risks associated with data privacy are mitigated or eliminated.
Having model contract language to work from is immediately helpful, regardless of a company’s bargaining position. When the company is in a strong position, model language allows for quicker negotiations on the company’s terms and greater consistency across agreements.
Having a model to work from is beneficial even with less bargaining power, as it provides two advantages.
First, it acts as a checklist to ensure legal compliance. Second, it can be used as leverage when the other party’s agreement does not include the company’s desired language. We have seen businesses successfully gain key language by stating it was in their model and providing the reasons why.
A lot of negotiations center around indemnification, especially as the penalties, costs, and other risks surrounding data protection continue to balloon.
It seems increasingly common for vendors to provide great indemnification, only to strip down the amount they’ll pay in the event of a breach by limiting liability in the next section of the agreement. Taking a careful look and negotiating these sections together can better ensure getting the needed protection.
If a company agrees to limit a vendor’s liability to what the vendor was paid for its product or service, or agrees to pay early-termination fees, it hands the vendor a gain, or at least a risk-free position, at the company’s expense.
Termination may seem unrelated to privacy, but it is not. As privacy becomes a more prominent issue with bigger risks, it is increasingly likely to be a reason to terminate a vendor agreement.
For example, if the use of a cloud-based human resources tool leads to a data breach, the company’s damages are likely to greatly exceed what it paid in fees to the service provider over the last 12 months. Terminating the agreement in such a situation may well be warranted.
While many accept these types of limits on liability as standard language, the primary result is that the company takes on risk while the vendor has a chance to make a profit without risk.
Early termination fees should also be avoided, especially for privacy-related services. For most services where privacy is critical (examples include customer and employee records management and analytics tools), it is highly unusual for a company to get an individually crafted product. If the company purchases existing software, data analytics, or HR support, there is no need for an early termination fee, because there likely will be no costs that the vendor would reasonably have the right to recover.
By all means, the company should pay for what it used. But if it ends a five-year agreement after three years, it shouldn’t pay for a portion of the unused time.
Complying with the law is critical to legal relationships, and notice is a key component of compliance. All too often, agreements have very little, if any, language about notification in the event of a breach, a violation of privacy law, or a similar issue. When it comes to privacy, this puts both a company and its vendor at risk.
Privacy laws increasingly require very quick notice to individuals and governmental entities, sometimes within as little as 48 or 72 hours. If the agreement does not specify to whom notice must be given and how it is to be delivered, there is little hope of actually meeting these requirements.
One important consideration: Be specific. Do not assume an address at the top or bottom of an agreement will be sufficient. Often it is too general for the types of notice being provided or would result in the wrong person receiving the information. This is akin to a 911 call. The vendor should know who to contact at your company when a problem occurs.
When negotiating privacy language, do not accept reasons such as “we do not accept modifications to that language,” or “what you are requesting is not in our pricing model,” or “we cannot accept that without elevating this matter.”
If the vendor refuses to agree to indemnification, ask about the basis for the refusal. It can lead to information or a response you can leverage to move the negotiations forward.
If the response is, “I would need to elevate that,” go ahead and let them. If it’s important enough for you to ask, it’s important enough for them to have an appropriate person evaluate the request and make a decision.
There should be an express agreement that the vendor will comply with all applicable data privacy and security laws. No carve-outs. No exceptions.
It is increasingly common for some vendors to say they cannot agree to this because the laws are changing too rapidly. A good response to that is, “How do you propose that I explain to the board that we are working with someone who will not agree to comply with applicable law?”
Deadlines are almost always a pressure tactic, not a real risk. If a vendor says they have special pricing but only for the next week, do not rush unless you are absolutely certain the price will be unavailable, which is virtually never the case.
Once they have offered “special pricing,” that should be used as a starting point for the price, not the end of the negotiation or a reason to rush. After all, once you know that price is available, why pay more?
When negotiating privacy and cybersecurity insurance, obtain written confirmation that it will cover the issues you are concerned about. Unlike general liability insurance, insurance for data-related issues can be surprisingly limited, often shockingly so.
Know what you are seeking insurance for (bad employees, hacking, social engineering, and the like) and ask for written confirmation that the policy covers those types of issues. You can’t necessarily guarantee a specific incident will be covered until it occurs, but you can get assurance that the types of issues you want insurance for are covered.
Charles Russman is a cybersecurity and data protection attorney with law firm Clark Hill.