September 17, 2021

Volume XI, Number 260

Contract Corner: Cybersecurity

As we have previously discussed, cybersecurity threats are mounting and are a major concern for senior management. In this month’s first Contract Corner post, we discuss contract provisions that cover the implementation and maintenance of proactive and preventive security measures. Below we list some key issues to consider when drafting these types of security provisions.

Documenting Security Requirements

As part of the contracting process, the vendor should agree to abide by the terms of a detailed security plan that meets or exceeds a customer’s requirements. When developing this documentation, consider how the vendor will do the following:

  • Ensure the security of customer data—Will the vendor warrant a specific, detailed security system, or will the customer rely on conformance to more general security standards? How will the vendor monitor security risks and breaches?

  • Protect against viruses and other threats to the integrity of customer data—Will the vendor warrant the absence of viruses or merely a standard of prevention? Is the vendor obligated to remediate all viruses, even if it did not cause them?

  • Protect against unauthorized access of customer data—What technology and processes will the vendor use to control access? What are the customers’ responsibilities, and how will the vendor test its defenses and notify customers of any unauthorized access?

  • Improve security systems—Will the vendor agree to meet or exceed best industry security practices as they evolve in the future?

  • Change any security measures—Will any vendor-initiated security changes require the customer’s consent? Will the customer have the ability to require changes?

Monitoring Security Commitments

Unless an actual security breach occurs, the customer may not be aware that a vendor is not complying with security requirements. Therefore, the customer should have processes in place to verify the implementation and efficacy of these requirements before a security failure occurs. Some questions to consider regarding security audits include the following:

  • How often will the vendor perform security audits? What will those audits test? What reporting will the vendor provide to the customer?

  • How can the customer participate in the vendor’s audits? Can the customer perform its own security audits of the vendor?

  • What are the remedies for any deficiencies found during an audit?

It is essential that the security teams for both the customer and the vendor be part of the process of developing both the contract terms and the security plan. They will be responsible for implementing and monitoring these requirements and will be the first ones called when there is a breach.

This post is part of our recurring “Contract Corner” series, which provides analysis of specific contract terms and clauses that may raise particular issues or problems. Check out our prior Contract Corner posts for more on contracts, and be on the lookout for future posts in the series.

Copyright © 2021 by Morgan, Lewis & Bockius LLP. All Rights Reserved. National Law Review, Volume IV, Number 289

About this Author

Peter Watt-Morse, Morgan Lewis, Intellectual property lawyer
Partner

Peter M. Watt-Morse, one of the founding partners of the firm’s Pittsburgh office, has worked on all forms of commercial and technology transactions for more than 30 years. Peter works on business and intellectual property (IP) matters for a broad range of clients, including software, hardware, networking, and other technology clients, pharmaceutical companies, healthcare providers and payors, and other clients in the life science industry. He also represents banks, investment advisers, and other financial services institutions.

412-560-3320
A. Benjamin Klaber, Intellectual property attorney, Morgan Lewis
Associate

A. Benjamin Klaber practices on a Morgan Lewis team that counsels clients on technology, outsourcing, and commercial transactions, intellectual property matters, mergers and acquisitions, private equity, venture capital, and general corporate matters. Before law school, Benjamin was a quantitative analyst in the investment management industry after earning a B.S.E. in operations research and financial engineering. He is a member of the Emerging Leadership Board of the Pittsburgh Venture Capital Association.

412-560-7422