Beware Aggregated Data Clauses in Vendor Contracts

Feb 09, 2012 · 2 mins
Data and Information Security

A growing number of cloud and other technology agreements include grants to the vendor of broad and generally undefined rights to take “aggregated data” derived from the engagement and use it for unspecified purposes. Businesses should be aware of these clauses and revise them to accomplish two things: ensure the data really is “aggregated” and reduce risk.

Aggregated Data. The first step is to ensure “aggregated data” is clearly defined as data that (i) is not identifiable to any person or entity (including the customer), (ii) does not contain any of the customer’s confidential information or intellectual property, and (iii) is combined with similar data of the vendor’s other customers. In some instances, for example protected health information under HIPAA, there are specific requirements mandated by law for de-identifying data in this context. If that type of data is at risk, the vendor must warrant it will ensure the data is properly de-identified in conformance with all applicable legal requirements.

Reducing Risk. Even if the data is properly aggregated, there is still a possibility that some form of liability could arise from the vendor’s use of the data (e.g., the vendor violates applicable law in using the data, fails to properly de-identify it, etc.) and a claim results against the customer. This is why it is generally a good idea to require the vendor to indemnify and hold the customer harmless from any and all liability that arises from the vendor’s use of the data, including failure to properly aggregate it. As a further protection, customers should include language in the agreement that the customer is providing the data on an as-is basis, without warranties of any kind. That is, customers should assume no liability or obligation whatsoever in providing the data to the vendor. Put another way, the customer is doing the vendor a favor in providing the data. The vendor should, therefore, assume all risks associated with its use of the data.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.