When it comes to information security, all too often when entering into contracts with vendors and suppliers, the entire focus is on “show us your audit reports and security policy.” Don’t get me wrong, that information is clearly of great importance to assessing the overall security posture of the vendor. The problem is that the content of those reports and policy are of little value without real vendor responsibility if the vendor fails to comply with them, suffers a breach, mishandles its systems and data, etc.
There are four key pitfalls in vendor contracting. Unless those pitfalls are avoided, a vendor can have the absolute best security documents in the industry and still present material risk to its customers. The pitfalls identified below represent lessons learned in hundreds of transactions. In addition, they are the types of items regulators routinely identify as problematic in vendor contracts. For these reasons, when negotiating vendor agreements, don’t fall victim to these pitfalls.
Pitfall #1: Do your homework
The first pitfall revolves around failing to do even basic diligence on the proposed vendor. Before moving forward with contract negotiations, preliminary diligence should be conducted on every vendor. Obviously, the depth and scope of the diligence will be directly proportional to the criticality and size of the engagement.
Many businesses have adopted extensive questionnaires to assist in conducting vendor diligence. While certainly a key element of diligence, questionnaires tell only part of the story and vendors have been known to exaggerate or, even, present false information in their responses. To complement these questionnaires, businesses should conduct interviews of the vendor and a sample of their current and past customers. Avoid contacting only those customers on the vendor’s official reference list. In some cases, it may be appropriate and advisable to ask the vendor for the names of two or three customers who elected not to renew contracts with the vendor. In larger engagements, it may also be worth conducting extensive internet searches and litigation searches (including any regulatory actions) on relevant vendors.
Pitfall #2: Know the vendor’s liability
The next key pitfall is the issue of liability. While I have written about this issue more extensively in past entries, it bears a quick summary here. Every vendor agreement includes a “limitation of liability” provision, which specifies exactly how much liability the vendor will have under the agreement. That is, if the vendor breaches the agreement (e.g., causes a data breach or other security incident), the limitation of liability provision defines the amount of damages you can recover from them. You may be surprised in many instances to find that a vendor has little or no material liability for even the most severe and egregious conduct. Therefore, your first stop in reviewing every vendor agreement is the limitation of liability provision. Don’t fall into the pitfall of having outstanding security language, but no ability to recover any substantial damages if the vendor fails to comply with its security obligations.
Pitfall #3: Don’t go negative
This pitfall is frequently overlooked. During the diligence phase of the relationship, the customer will get information about the vendor’s security practices and rely on that information in moving forward. The problem is that the contract frequently affords the vendor the ability to change those practices at will, without notice to the customer and without the customer’s ability to object. That is, the security information you relied on in entering into a contract with the vendor may not be valid in the future. Some or all of those stellar security practices may even be abandoned.
Most vendors will be uncomfortable locking their security practices to the version existing as of the date the contract is entered into. It may also be contrary to the customer’s best interests to do so. New risks and vulnerabilities arise all the time. We want the vendor to evolve its security practices to address those new issues. How then to address this pitfall? The simplest approach is to include language in the contract preventing the vendor from materially reducing its overall approach to security from that existing as of the date the contract was executed. The vendor can always improve its security practices but cannot “go negative.”
Pitfall #4: Forgetting about the regulators
Let’s face it, the world is changing. More and more regulators are getting involved in information security and privacy, particularly in healthcare, financial services, and consumer services and products. Some regulators have the power to directly assess a business’ third-party vendor relationships to determine if they pose a material risk and, if so, require remediation of that risk.
So what happens if you have signed a five-year contract and a regulator identifies the agreement as requiring revision to comport with the customer’s regulatory obligations (e.g., a healthcare provider failed to negotiate appropriate privacy or security obligations on the part of the vendor; a bank failed to include proper controls over the vendor’s use of subcontractors)? The answer is to include language acknowledging that regulators have the right to review the relationship and that, if an issue is identified, the parties will work together in good faith to resolve it. If the parties are unable to reach agreement on the issue or resolve it to the satisfaction of the regulator, the customer should be afforded a termination right without penalty. This is a key protection that is becoming ever more important in the current regulatory environment.
While these four pitfalls may seem self-evident, in my experience the overwhelming majority of vendor engagements fail to take them into account. This is your opportunity to benefit from lessons learned in hundreds of transactions. Make sure to consider each of these pitfalls and avoid them in your vendor agreements.