November 29, 2021

Volume XI, Number 333


Contract Corner: Cybersecurity (Part 2)

Last week, we discussed contract provisions that focused on documenting security requirements and monitoring security commitments. These provisions are designed to require the implementation of proactive measures to protect data and systems and to reduce the risk of security incidents. In this Contract Corner post, we switch focus to contract provisions that address a security incident if one occurs. In an earlier post, we outlined practical steps to take in response to an incident, including communications with authorities and cyber insurance matters. Below we list some key issues to consider when drafting contract provisions regarding these response measures.

Definition. The contract should define the types of circumstances that qualify as a “security incident.” For example, a security incident could be limited to an actual security breach, or it could be more broadly defined to include a breach of security protocols or a new cyber threat that increases the risk of a potential breach.

Vendor obligations. A vendor’s obligations upon discovery or notice of a security incident should be detailed in the contract, including whether, how, and when the vendor will

  • notify the customer of the incident and investigate the incident;

  • mitigate the effects of the incident and cure all applicable failures; and

  • provide the customer with details of the incident, its consequences, the vendor’s response, and how the vendor will adequately prevent recurrence of the incident.

Responsibilities for each of these obligations (including any associated costs) should be allocated between the customer and vendor, depending on whether the incident was caused by or within the control of the vendor, the customer, or a third party.

Cooperation. The contract should outline the obligations of each of the parties to cooperate in the event of a security incident, including the following:

  • Whether and when the parties will meet to establish a remediation plan for the incident and whether and when the incident will be escalated to the parties’ senior management

  • The extent to which the customer has the right to participate in the vendor’s investigation of the incident

  • The extent to which the vendor must cooperate with any customer investigation or litigation against third parties

Customers should note that, although an incident response plan is a necessary and important tool to limit the damage caused by a security incident, they may also negotiate for and pursue additional remedies in the event of a security incident. (We will address these rights in our next Contract Corner post.)

This post is part of our recurring “Contract Corner” series, which provides analysis of specific contract terms and clauses that may raise particular issues or problems. Check out our prior Contract Corner posts for more on contracts, and be on the lookout for future posts in the series.

Copyright © 2021 by Morgan, Lewis & Bockius LLP. All Rights Reserved. National Law Review, Volume IV, Number 295

About this Author

Peter Watt-Morse, Morgan Lewis, Intellectual property lawyer

Peter M. Watt-Morse, one of the founding partners of the firm’s Pittsburgh office, has worked on all forms of commercial and technology transactions for more than 30 years. Peter works on business and intellectual property (IP) matters for a broad range of clients, including software, hardware, networking, and other technology clients, pharmaceutical companies, healthcare providers and payors, and other clients in the life science industry. He also represents banks, investment advisers, and other financial services institutions.

A. Benjamin Klaber, Intellectual property attorney, Morgan Lewis

A. Benjamin Klaber practices on a Morgan Lewis team that counsels clients on technology, outsourcing, and commercial transactions, intellectual property matters, mergers and acquisitions, private equity, venture capital, and general corporate matters. Before law school, Benjamin was a quantitative analyst in the investment management industry after earning a B.S.E. in operations research and financial engineering. He is a member of the Emerging Leadership Board of the Pittsburgh Venture Capital Association.