In the now infamous Target data breach, hackers gained access to roughly 40 million customers’ data by compromising one of Target’s vendors, a refrigeration, heating and air conditioning provider. Target suffered $162 million in expenses directly related to the hack and a 46% drop in profits in the 4th quarter of 2013, and finally settled for $18.5 million in damages in May of 2017.
As the number and frequency of data breaches multiply, sharing data with vendors has become even more risky. Some data privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (the EU privacy regulation due to be implemented in 2018), require a certain level of vendor management and due diligence in contracting with vendors. However, even if a company is not required to comply with these laws, it is prudent for it to ensure that its vendors are taking adequate steps to protect data, so that it can minimize the risk to its reputation and revenues and the risk of lawsuits.
The vendor agreement plays an important role in mitigating these risks. First, the vendor agreement helps reduce the likelihood of a data breach by including representations and warranties from vendors regarding their compliance with the relevant privacy laws and industry standards. Alternatively, or in addition, a company may require vendors to follow specific privacy and security procedures (which may exceed the compliance requirements). Security and procurement groups in the company should separately verify the vendor’s compliance with such standards and procedures through tests or certifications. The vendor agreement should be carefully reviewed to ensure that there is no disclaimer of warranties as to security and privacy (unless those warranties are specifically provided in the representations and warranties section). Further, it may give the company the right to regularly audit the privacy and security standards of vendors, and impose penalties for failure to comply, including contract termination.
Second, a vendor agreement helps mitigate the costs and expenses related to a data breach occurring through a vendor. Some tools to mitigate those costs and expenses include (i) carving out direct and indirect losses related to data breaches from the vendor’s limitation of liability clause; (ii) setting a separate, higher cap on the vendor’s liability for losses arising out of data breaches (since the typical limitation amount, which is tied to the amount paid to the vendor, would not cover the loss from a data breach); and (iii) carving out indemnification from the limitation of liability clause, i.e. in the case of third-party claims and lawsuits there should be no limitation of liability, and the vendor should cover the cost of defense, damages, attorney fees, remedial measures, etc.
Another important aspect of addressing data security and privacy in vendor agreements is the vendor’s insurance policy. Each lost record costs around $188 to make whole, according to a recent Ponemon Institute survey. The cost of defending and remedying a large data breach can thus run into millions of dollars. Such costs cannot be met out of pocket by vendors, so in the event of a data breach companies need to be sure that the vendor’s insurance will cover the vendor’s indemnification obligations. The question of whether general commercial liability insurance covers data breaches has been resolved differently by different courts, depending on the manner of the breach and the language of the insurance policy. Thus, requiring specific cyber-insurance coverage in vendor agreements is highly recommended.