Vendor contracts are increasingly including provisions that could lead to breaches of security. At first glance, these types of provisions may appear innocuous, but they create the circumstances under which compromises of security may occur. A few examples:

Connections for Remote Support and Maintenance: Many vendor agreements include provisions permitting the vendor to connect remotely to the customer's systems for purposes of rendering support. Unless carefully controlled, these types of remote connections can create an open pipe to the customer's systems that could compromise their data and operations. In general, remote access rights should be limited to on-demand situations, subject to the customer's then-current information security and access policies (e.g., the type of secure connection to be used, coordination with customer information security personnel, etc.). The agreement should be clearly worded to ensure the vendor uses the connection only for purposes of rendering support and is responsible for the security of the connection on the vendor's side, including any misuse of its passwords or access codes.

Phone-Home Features: Many types of software have "phone-home" functionality in which the software periodically transmits data to the vendor. The data transmitted typically relates to support issues and to confirming that the customer is not misusing the software (e.g., using the software in excess of the licensed number of users). Customers should require the vendor to clearly identify exactly what information will be transmitted from their systems and ensure no sensitive data is included in the transmission. Customers should also understand how and when the transmissions will be made.

Disabling Mechanisms: Customers should be wary of language in vendor contracts that affords the vendor the ability to remotely shut down software and equipment. When systems are critical, the ability of the vendor to intentionally or inadvertently trigger a disabling mechanism can result in the customer's data being corrupted or rendered unavailable. If possible, these types of provisions should be deleted from the vendor agreement. If deletion cannot be negotiated, the vendor should assume heightened or unlimited liability if it triggers a shutdown without good cause.

Audit Rights: Finally, customers should beware of broadly written vendor audit rights that permit the vendor and, frequently, unspecified agents to enter the customer's facilities, review their records, and access their systems to determine compliance with the agreement. These types of audit rights should be narrowly written, ensure any agents are bound by an appropriate NDA, require the vendor to comply with the customer's then-current security and access policies, and make clear that the vendor will be responsible for any disruption of the customer's systems and operations.

Customers should be on the lookout for these types of provisions and ensure they are properly revised to protect their systems and data. Failing to do so may turn vendor contracts into a significant new security risk.