Ten Ways to Address Security Concerns in IT Contracts
Friday, April 30, 2004
Posted by: Dennis Kennedy
While security is rapidly becoming job #1 for IT departments, coverage of security issues has found its way into surprisingly few IT contracts. Many companies discover, far too late, that their contracts are largely silent when security issues arise during the life of an IT agreement.
The following checklist shows you 10 places in your IT contracts where you can address security concerns. You will have to be a good negotiator or have great leverage in the deal to get coverage in all 10 places, but the list will give you a number of strategies to cover security issues.
The biggest weapon in your contract arsenal will be a warranty from your vendor. There are two types to consider:
1. Security Warranty: Ideally, you would like a vendor to represent and warrant that the software or services it will be providing will be secure and that your data, systems and networks will be secure from both third parties and the vendor's employees. The language you get will largely depend on your bargaining power. While vendors will balk at warranting complete security, you might try to get a warranty that the vendor will provide security consistent with industry standards or will obtain and maintain a recognized security certification. Failing that, you might try to get a warranty that provides reasonable security, keeps passwords safe or meets other specific requirements.
2. No Malicious Code: Another reasonable request is a warranty that the software or services contain no viruses, Trojan horses, backdoors, malicious code or other programs that would allow anyone, including the vendor, access to your computers or networks.
3. SLA Requirements: Service Level Agreements (SLAs) customarily cover areas like uptime, backup, support procedures and other service requirements. A good way to cover security issues is to include specific security requirements, such as firewall specifications, certification, testing and notice of security breaches, in the SLA.
4. Specifications: Software and IT services agreements commonly contain an exhibit that sets out a list of detailed specifications. Consider including security requirements in this list.
You can also create affirmative obligations for the vendor.
5. Security Audits: Providing for annual or more frequent security audits or testing will place a burden on the vendor to provide adequate security and will give you a standard for judging whether it is doing so. Remember to spell out the consequences for a failure to pass the audit.
6. Reporting Requirements: You will definitely want to know when there has been a security breach, especially a major one. A clause spelling out what events trigger a notice and how quickly the notice must be given will address these concerns directly.
Modifying Standard Contract Provisions
Making adjustments to standard contract provisions can provide great results.
8. Exempt Security Damages from Liability Cap: Software and IT agreements routinely set limits on liability and caps on damages. It is common to clarify that limits and caps do not apply to indemnification obligations and damages for breach of confidentiality obligations. You can also argue that it is appropriate to exclude damages from a security breach from any limitation or cap because the potential damages are so high.
9. Security Indemnity: A vendor's breach of security obligations could cause damages to a third party for which the third party would sue you. If you have strong bargaining power, you might ask for an indemnification from the vendor for any claims that a third party makes against you as a result of the vendor's failure to maintain security.
10. Termination / Transition: As a practical matter, if a vendor fails to provide adequate security, you will want out of the deal. Consider spelling that out clearly and providing for a short and secure transition to another service provider.
In today's IT contracts, it is important to address security issues during the negotiation process rather than trying to sort them out later in litigation. By consulting the 10-point checklist above, you will have a number of ways to negotiate security protections in your IT contracts by approaching the issues from a number of different directions. You may not get all you ask for, but you should be able to get some protection or get a good sense of how comfortable you will be with a vendor who is not willing to stand behind its security efforts.
Dennis Kennedy (firstname.lastname@example.org) is a St. Louis computer lawyer whose practice focuses on review and negotiation of IT agreements, software licensing and e-commerce contracts. View his technology law resource page on his Web site at www.denniskennedy.com.