Trojan Horse Contracts?

Oct 30, 2008 | 3 min read
Data and Information Security

Vendor contracts increasingly include provisions that could lead to breaches of security.  At first glance, these provisions may appear innocuous, but they create the circumstances under which compromises of security can occur.  A few examples:

  • Connections for Remote Support and Maintenance:  Many vendor agreements include provisions permitting the vendor to connect remotely to the customer’s systems for purposes of rendering support.  Unless carefully controlled, these remote connections can create an open pipe into the customer’s systems that could compromise their data and operations.  In general, remote access rights should be limited to on-demand situations, subject to the customer’s then-current information security and access policies (e.g., the type of secure connection to be used, coordination with customer information security personnel, etc.).  The agreement should be clearly worded to ensure the vendor uses the connection only for purposes of rendering support and is responsible for the security of the connection on the vendor’s side, including any misuse of its passwords or access codes.

  • Phone-Home Features:  Many types of software have “phone-home” functionality in which the software periodically transmits data to the vendor.  The data transmitted typically relates to support issues and confirming the customer is not misusing the software (e.g., using the software in excess of the licensed number of users).  Customers should require the vendor to clearly identify exactly what information will be transmitted from their systems and ensure no sensitive data is included in the transmission.  Customers should also understand how and when the transmissions will be made.

  • Disabling Mechanisms:  Customers should be wary of language in vendor contracts that affords the vendor the ability to remotely shut down software and equipment.  When systems are critical, the vendor’s ability to intentionally or inadvertently trigger a disabling mechanism can result in the customer’s data being corrupted or rendered unavailable.  If possible, these provisions should be deleted from the vendor agreement.  If deletion cannot be negotiated, the vendor should assume heightened or unlimited liability if it triggers a shutdown without good cause.

  • Audit Rights:  Finally, customers should beware of broadly written vendor audit rights that give the vendor and, frequently, unspecified agents the right to enter the customer’s facilities, review their records, and access their systems to determine compliance with the agreement.  These audit rights should be narrowly written, ensure any agents are bound by an appropriate NDA, require the vendor to comply with the customer’s then-current security and access policies, and make clear that the vendor will be responsible for any disruption of the customer’s systems and operations.

Customers should be on the lookout for these types of provisions and ensure they are properly revised to protect their systems and data.  Failing to do so may turn vendor contracts into a significant new security risk.

Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.