The COVID-19 pandemic has increased the demand for work-from-home tools. However, every law firm should be careful when negotiating for these tools and should also take into consideration the cybersecurity risk involved.
News of this sudden demand, and the scrutiny that followed of some service providers, shows just how important privacy and cybersecurity issues are when retaining a service provider. Even companies with long-standing contracts in place with these types of service providers may find those contracts outdated and in need of renegotiation in light of the growing body of privacy legislation.
To consider privacy and cybersecurity appropriately when entering into, or renegotiating, vendor contracts, businesses should answer the following questions during the vendor negotiation process:
Each question is explained in detail below.
Understand how personal information will be collected, used, and transferred.
To start, businesses should understand the depth of access the vendor will have to personal information or other sensitive information, how the vendor will use that information, and whether the vendor will transfer that information to any third parties. Vendors oftentimes default to giving themselves wide latitude with the personal information they process, which can trigger legal obligations for the companies using their services. Businesses should review their vendor contracts and vendors’ privacy policies closely and consult with their information security personnel to identify inconsistencies and limit access and use to only that which is appropriate under the circumstances. They should then ensure the vendor contract accurately reflects their understanding of the vendor’s use of personal information.
Regulators and litigants are increasingly suing businesses that don’t accurately disclose their data handling practices, so it is important that businesses update their privacy policies to accurately reflect the personal information collected, used, and shared with any new vendors. In addition, some vendors require that particular terms be included in their contractual partners’ privacy policies. If your vendor is one of them, make sure you know it and comply.
Consider the contract’s cybersecurity standards and breach notification obligations.
Businesses should evaluate the vendor’s cybersecurity practices and think about what will occur in the event of a data breach. This may require an examination of the parties’ contractual cybersecurity obligations, including the cybersecurity standards that the parties follow as a matter of course, any industry standards or best practices, and proof in the form of an audit. The contract should also address the parties’ obligations in the event of a cybersecurity incident or breach. Compare the definition of a “cybersecurity incident” in the contract to your information security team’s understanding of the term. It should be sufficiently broad to include incidents that may not rise to the level of a data breach under state notification laws.
Understand the vendor’s service obligations and plan for interruptions.
Many contracts promise uptime levels or percentages of uninterrupted service. As entire workforces work from home, there is unusual stress on technology, making system interruptions more likely. Knowing in advance what the vendor contract promises can help the business plan for interruptions and add certainty in uncertain times.