Drafting Data and Cybersecurity Provisions in Third-Party Vendor Agreements: Limits to Liability, Indemnification

Aaron Tantleff (Partner, Chicago) joins this Strafford CLE webinar to explore the risks in utilizing outside service providers as data processors. The panel will discuss the need for routine audits, assessments, and training, as well as provide tips on how contracts should address data protection requirements and standards, breaches, and indemnification.

Cyber risks are increasing as more ubiquitous and sensitive data is stored on connected devices such as laptops, tablets, routers, smartwatches, manufacturing equipment, and even automobiles. While these are valuable tools for organizations, their proliferation has led to greater network vulnerability, increasing the possibility of a cybersecurity incident.

The use of third-party data and payment processors can significantly streamline operations and help an organization focus on its core missions. Organizations must be aware of the risks associated with using these data processors, which represent another category of a third-party vendor that exposes a company to significant cybersecurity risk.

Considering the potential harm that a third-party breach or other misuses of shared data can cause, organizations should devote serious time and effort to address these threats before they arise. In addition, companies may be obligated, under specific regulations, to verify such third parties’ security and privacy capabilities.

Organizations should create a vendor inventory to identify precisely which outside entities have access to what information. The inventory should include a data classification exercise, which involves categorizing data shared with third parties according to importance and sensitivity and determining the level of security required for vendors in possession of data in each category.

Counsel for businesses can also limit the liability stemming from third-party breaches through contractual agreements. Third-party service provider contracts should require prompt notification if a security breach occurs, and the vendor should be contractually required to maintain an adequate cybersecurity response plan.

Notification periods should be consistent across all contracts. Failure to timely notify of a breach should constitute a material breach under the contract, allowing the company to cut ties with a vendor that fails to provide this crucial notification. Companies should ideally have broad indemnification language in third-party vendor agreements, holding the vendor responsible for costs and liability arising out of or in connection with a vendor data breach. Companies should also consider purchasing insurance that covers loss due to third-party cybersecurity breaches.

The presenters will discuss data processor security and what routine audits, assessments, and training should include. They will further address the requirements of third-party vendor agreements, including the limitations of liability and indemnification provisions.

Outline

Data processor agreements
1. Vetting vendors
2. Cybersecurity
  1. Response plan
3. Notification periods
4. Indemnification
5. Limitations on liability
6. Cyber insurance

Benefits

The panel will review these and other key topics:

How should general counsel develop a vendor inventory for data processors?
What requirements for limitations of liability should counsel include in data processor vendor agreements?
What are best practices for auditing third-party vendors?

Click here to register.

Partner

[email protected]

Chicago 312.832.4367

Related Insights

View All Posts

01 May 2024 Article

DOJ and FTC Raise Concerns about Overlapping Ownership in Public Utility Companies

On April 25, 2024, the U.S. Department of Justice Antitrust Division and the Federal Trade Commission filed a joint comment with the Federal Energy Regulatory Commission raising concerns about FERC’s blanket authorization policy, which, among other things, allows holding companies, including investment companies, to acquire noncontrolling ownership interests in public utility companies, subject to certain conditions.

22 May 2024 Events

May 2024 Midwest Cyber Security Alliance Meeting | Integrating Trending AI and CMMC Compliance Into Vendor Management

Join us on Wednesday, May 22, 2024, at the next Midwest Cyber Security Alliance meeting, where sponsor Sikich LLP, along with Foley attorneys Chanley Howell and Leighton Allen, will delve into the integration of two critical components — AI due diligence and Cybersecurity Maturity Model Certification (CMMC) compliance — to fortify vendor management practices.

16 May 2024 Events

Litigating Patent Claims at the ITC and How It Could Impact Your Company

The U.S. International Trade Commission is a fast-paced, high-stakes forum empowered by Section 337 of the U.S. Tariff Act to hear and resolve patent infringement complaints brought by companies against acts in the importation of products.