Post on 16-Jan-2016
Dino Tsibouris, (614) 360-3133
dino@tsibouris.com
Vendor Contracts: What You Need and What You May Be Missing
Let’s just use our standard agreement and attach the proposal to it; we should be good to go!
What do you need to know?
• Contracts, exhibits, schedules, letters, emails
• Who is responsible for compliance
• Consumer data privacy and security roles
• Ownership of data
• Minimum service and data availability
• Indemnities, disclaimer of warranties, limitation of liability
…is there more?
• Termination rights and retention and access to data
• Breach notification when it happens at the vendor
• Compelled Disclosure of your data on the vendor’s system
But I’m…
• Not a lawyer
• Too busy to “go deep”
• Not worried, it’s a small dollar contract
• Pretty sure it’s already covered
• Used to lawyers making things too complicated
The problem: Words mean things
• Some words aren’t what they seem
• The cost of a deal gone wrong is time and money, not just money
• Small processors of personal data can create big liability (SMS/TCPA)
• Your issue may not be covered
• Lawyers can make it complicated but it shouldn’t be
Description of Services
Agreement Schedule
• In the event of conflict, Schedule governs.
• When Agreement terminates, some of the services in the Schedule need not terminate.
Privacy and Security of Customer Data in the Cloud
Source: Ponemon Institute
Privacy and Security of Customer Data
• Data stored in the cloud may be compromised due to a breach
• Contract must take into consideration an obligation to immediately notify, cooperate, and bear the cost of sending out breach notifications and remedial actions
• Consider insurance for breaches
Breach Notification
• Vendor may have a breach involving your data
• Must they tell you?
• When?
• What is your obligation to your customers?
• Prompt breach notification of confirmed breaches and suspected breaches is crucial.
Audit Rights
• Data collection and usage
• Security procedures/contract compliance
• Financials
• Timing and frequency
• SAS 70/third-party provided audits
Service and Data Availability
• The cloud service may be subject to disruptions
• Where possible, negotiate fines or reimbursement for outages above and beyond scheduled maintenance
• Where possible, contract for greater availability and fault tolerance
Termination Provisions and Retention and Access to Data
Lessons:
• Ensure that ownership of information is clearly defined.
• Ensure that the service provider agreement takes into consideration your ability to access your data and the return of your data in the form that you want at the end of the relationship.
Disposal of Data
• How does the contract address data return?
• How does the contract address data disposal?
• Ensure that the service provider agreement takes into consideration your legal obligations to dispose of and delete information.
Compelled Disclosure
• Data stored in the cloud is subject to compelled disclosure and possibly without your knowledge due to the Stored Communications Act and National Security Letters
Pertinent Laws and Compliance with Them
Shurland v. Bacci
• Translink to “use due care in providing services covered by this Agreement” and to conduct its “performance of all services called for in this Agreement . . . consistent with industry standards.”
• “Merchant warrants and agrees that Merchant shall fully comply with all federal, state, and local laws, rules and regulations, as amended from time to time, including the Truth-in-Lending Act and Regulation Z of the Board of Governors of the Federal Reserve System.”
Lesson: Parties should clearly and unambiguously assign the responsibility to comply with each law that is material to the transaction.
Indemnification
• The other side pays your costs if they are specifically named:
  • Claims
  • Losses
  • Reasonable attorney fees
  • Costs
Limitation of Liability
• No liability
• As-Is
• Refund of fees paid
• Capped dollar amount
• Insurance proceeds only
• “Direct damages” only
Yes, but…
Ensure that the limitation of liability clause and the indemnification clause properly interact with one another.
“Shall indemnify … Subject to Section 20 (Limitation of Liability).”
Notice
• Abide by the Notice requirements of the Agreement.
Clarity takes time…
When should we start?