Reading Security Contracts 101
If your company is considering a contract with a third-party vendor that needs to secure your data (and most do), ask yourself: if this vendor gets hacked and your company, the vendor's client, gets sued, what happens? Many standard contracts say something like, “Vendor will cover the cost of adhering to privacy laws.” Sounds good, right?
Nope. Compliance with ‘privacy laws’ (a term that should itself be defined in the contract) is not the same as covering your company when it gets sued over a data breach. I bet you, dear reader, a coffee that if you look at the indemnification provision of one of your third-party software contracts, the vendor’s standard provision will not indemnify you against consumers suing your company for the vendor’s loss of your company’s confidential data.
Make sure the indemnification provision is drafted properly and watch for other provisions disclaiming liability for data breaches. I just reviewed a security contract with a one-line(!) disclaimer of liability for data breaches in the “General” provisions section.
Furthermore, your company may not be aware of how much information it is sharing with a vendor. For example, say you are considering a contract for an email list administrator. You may think the vendor only has to protect your customers’ email addresses. But where do those addresses come from? If they come from your online shopping platform, much more than email addresses could be shared: IP addresses, names, even purchase history.
Always check the source of the data you think you are sharing with a third party, as other data could be going along with it. Minimizing the personal information you share with third parties makes it easier to comply with privacy laws and likely reduces the consequences of a data breach.