Beware Aggregated Data Clauses in Vendor Contracts

A growing number of cloud and other technology agreements include grants to the vendor of broad and generally undefined rights to take “aggregated data” derived from the engagement and use it for unspecified purposes.  Businesses should be aware of these clauses and revise them to accomplish two things:  ensure the data really is “aggregated” and reduce risk.  

Aggregated Data.  The first step is to ensure “aggregated data” is clearly defined as data that (i) is not identifiable to any person or entity (including the customer), (ii) does not contain any of the customer’s confidential information or intellectual property, and (iii) is combined with similar data of the vendor’s other customers.  In some instances, for example protected health information under HIPAA, there are specific requirements mandated by law for de-identifying data in this context.  If that type of data is at risk, the vendor must warrant it will ensure the data is properly de-identified in conformance with all applicable legal requirements.

Reducing Risk.  Even if the data is properly aggregated, there is still a possibility that some form of liability could arise from the vendor’s use of the data (e.g., the vendor violates applicable law in using the data, fails to properly de-identify it, etc.) and a claim results against the customer.  This is why it is generally a good idea to require the vendor to indemnify and hold the customer harmless from any and all liability that arises from the vendor’s use of the data, including failure to properly aggregate it.  As a further protection, customers should include language in the agreement that the customer is providing the data on an as-is basis, without warranties of any kind.  That is, customers should assume no liability or obligation whatsoever in providing the data to the vendor.  Put another way, the customer is doing the vendor a favor in providing the data.  The vendor should, therefore, assume all risks associated with its use of the data.


Copyright © 2012 IDG Communications, Inc.
