Vendor Contracts: Negotiating Strategy
“The fellow who says he'll meet you halfway usually thinks he's standing on the dividing line.”
Orlando A. Battista
Vendor Contracts: Sharing Data
Sharing Personally Identifiable Information (PII)
with Vendors is a core business activity, but there is
inherent risk that the Vendor could fail to
adequately safeguard data or the systems that
Personal data is a much broader definition in the EU.
Sensitive information, including Protected Health Information, is also an important class of data.
Strong contractual protections help mitigate this
risk by requiring Vendors to meet specified
requirements as well as indemnifying you if there is a
breach of those requirements.
Vendor Contracts: Extensive Legal Requirements
Advertising and Apps
EU Data Directive,
Privacy Bill of Rights,
Support for CISPA
State Breach Notification
and Cybersecurity Laws
Vendor Contracts: Contract vs. MSA vs. SOW
Privacy and Security language can be included in a Contract with a Service Provider, a Master Services Agreement (MSA) or a Statement of Work (SOW).
Drafting note: These terms can be in the body of the Agreement or an Addendum.
When initiating a new Vendor relationship, Privacy and Security can be baked into the Contract or MSA.
However, for existing Vendor relationships it may make the most sense to include this language in a SOW.
The paramount consideration is that there are strong contractual obligations binding the Vendor’s behavior and imposing strict liability for any breach of these terms.
Vendor Contracts: Unauthorized Disclosure
The contract must restrict the Vendor from disclosing any confidential
information, including PII!
“Vendor agrees and covenants that it shall:
Keep and maintain all PII in strict confidence, using such degree of care as is
appropriate to avoid unauthorized access, use or disclosure;
Use and disclose PII solely and exclusively for the purpose for which the PII, or
access to it, is provided pursuant to the terms and conditions of this Agreement;
Not use, sell, rent, transfer, distribute, or otherwise disclose or make available PII
for Vendor's own purposes or for the benefit of anyone other than Company and
Not transfer any PII to or from different countries without the express prior written
consent of Company.”
Vendor Contracts: Data Minimization
Data minimization is a key principle of the EU Data Directive as implemented
through the FTC Safe Harbour Program.
The Vendor should be limited to collecting and processing only the confidential
and personal data that it needs to perform its contractual obligations.
Vendor should be required to return or destroy all personal and confidential data
upon termination of the Agreement.
“At any time during the term of this Agreement at Company’s written request, or upon the termination or expiration of this Agreement for any reason, Vendor shall, and shall instruct all Authorized Persons to, promptly and securely return or destroy any and all PII, whether in written, electronic or other form of media.”
Vendor Contracts: Authorized Access
Vendor must maintain strong access controls to restrict access to only
those employees who need it to perform contractual obligations.
Subcontractors are only allowed with the express written consent of Company.
Lack of access controls is a leading contributor to data breaches involving
both internal and external bad actors.
“At a minimum, Vendor's safeguards for the protection of PII shall include:
(1) Limiting access of PII to Authorized Employees and Authorized Persons; (2) securing business facilities,
data centers, paper files, servers, back-up systems and computing equipment, including but not limited to all
mobile devices and other equipment with information storage capability; (3) implementing network, device,
application, database and platform security; (4) securing information transmission, storage and disposal;
(5) implementing authentication and access controls within media, applications, operating systems and
equipment; (6) encrypting PII transmitted over public or wireless networks; (7) strictly segregating PII from
information from Vendor or its other customers so data is not commingled; (8) implementing appropriate
personnel security and integrity procedures and practices, including but not limited to, conducting background
checks consistent with applicable law; and (9) providing privacy and information security training to Vendor’s
employees and subcontractors.”
Vendor Contracts: Technical Safeguards
Vendor must meet or exceed requirements set by standards
bodies and self-regulatory organizations
“Vendor agrees and covenants that it will implement administrative, physical and
technical safeguards to protect PII that are no less rigorous than accepted industry
practices, including the International Organization for Standardization's standards
ISO 27001 and ISO 27002 or other applicable established industry standards for
information security and shall ensure that all such safeguards comply with
applicable laws, as well as the terms and conditions of this Agreement.
Compliance with Payment Card Industry Standards.
If Vendor has access to or will collect, access, use, store, process, dispose of or
disclose credit, debit or other payment cardholder information, Vendor shall at all
times be in compliance with the Payment Card Industry Data Security Standard
("PCI DSS") requirements, including promptly implementing all procedures and
practices to remain compliant with PCI DSS at Vendor's sole cost and expense.”
Vendor Contracts: Data Breach
Data Breach can be one of the most damaging issues a company can
face, both in terms of economic harm and damage to the brand.
Contracts should require Vendors to notify you in case of a breach or potential breach within a very short specified time (anywhere from immediately to as soon as practicable, but no later than “X” hours).
“Vendor agrees and covenants that it shall: 1) provide Company with the name
and contact information for an employee of Vendor who shall serve as
Company's primary security contact and shall be available to assist Company
twenty-four hours per day, seven days per week as a contact in resolving
obligations associated with an actual or potential Security Breach; 2) notify
Company of an actual or potential Security Breach as soon as practicable, but no
later than four hours after Vendor becomes aware of an actual or potential
Security Breach; 3) notify Company of an actual or potential Security Breach by
contacting the primary business contact at Company by both telephone and email
as agreed upon.”
Vendor Contracts: Audit Rights
It is extremely important to maintain audit and supervisory rights over
Audit is an integral part of an effective Vendor Security Management
It is even more important to exercise these rights when appropriate!
“Upon Company’s written request and no less than 10 business days following
such written request, Vendor shall permit Company to conduct or oversee an
audit of Vendor's facilities and practices to confirm compliance with this
Agreement as well as any applicable laws and industry standards. Vendor is not
required to permit Company to conduct or oversee more than one audit per
calendar year, unless there has been an actual or potential Security Breach.”
Vendor Contracts: Insurance and Indemnification
Vendor must obtain sufficient insurance coverage to satisfy state legal requirements such as Worker’s
Vendor and Company must indemnify each other in the event of a breach or alleged breach.
Spelling out the process for Insurance and Indemnification in the Contract helps ensure that situations that arise are handled in a way that protects the interests of Company.
Vendor shall: (i) name Company as an additional insured and loss payee on each insurance policy, (ii) ensure that
each insurance policy contains an endorsement deleting the condition thereof entitled "Other Insurance" as to any
insurance in force for or in the name of Company, (iii) ensure that each insurance policy includes a provision
requiring the insurance company issuing such insurance policy to give Company prompt notice of any revision or
modification to any insurance policy affecting Company's rights or any cancellation of any such insurance policy
and (iv) upon request, provide Company with a certificate of insurance evidencing that the requirements of this
Section have been satisfied.
The indemnified party shall provide the indemnifying party with prompt notice of any such claim for defense and
indemnification and shall cooperate reasonably with the indemnifying party in the defense, settlement or
compromise of any such action, at the indemnifying party's cost and expense. The indemnifying party shall have
sole control of the defense of any such action and all negotiations for its settlement or compromise, but shall not
settle any claim that involves a remedy other than the payment of money by the indemnifying party without the
prior written consent of the indemnified party.
Vendor Contracts: Checklist for Getting Started
Is data being collected from users/employees who reside in the U.S. or abroad?
What type of data is being collected (PII/Sensitive information/location/anonymized or aggregated data)?
(Personal Information: name, street address, phone number, email address, zip code, date of birth, user
name, password, gender, or IP address. Sensitive Information: health, medical, financial, race, religion,
sexual orientation, or political affiliation.)
How is the information being collected (directly from the user or through a tag, cookie, pixel, etc…)?
Is it being collected for Company or for a third party (advertisers, agencies, etc…)?
Where is the information being stored (Vendor/Service Provider or Company’s servers, or the cloud)? If
information is stored outside Company it should always be partitioned and not co-mingled with another
vendor/service provider client’s data.
Will the data be encrypted? Depending on type of data, this should be required.
Who owns the data collected?
Is the collection of data targeted towards children under 13? If so, it must comply with the Children’s Online
Privacy Protection Act (COPPA), including new rules that go into effect July 2013.
How is the data being used? Is there a legitimate business reason for collecting the data (especially PII,
sensitive information and precise location)? We should not collect just to collect.
Will there be a transfer of information (Vendor/Service Provider to Company, or cross-border)? Consents
may need to be in place before such transfer of data can occur.
Has due diligence been done on the 3rd party vendor/service provider (review of data flow, security audit)?