Addressing Risks to Data in Vendor Agreements

In the now infamous Target data breach, hackers gained access to roughly 40 million customers’ data by compromising one of Target’s vendors, a refrigeration, heating and air conditioning provider. Target suffered $162 million in expenses directly related to the hack and a 46% drop in profits in the 4th quarter of 2013, and finally settled for $18.5 million in damages in May of 2017.

As the number and frequency of data breaches multiply, sharing data with vendors has become even more risky. Some data privacy laws, such as the Health Information Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (the EU privacy regulation due to be implemented in 2018), require a certain level of vendor management and due diligence in contracting with vendors. However, even if a company is not required to comply with these laws, it is prudent for it to ensure that its vendors are taking adequate steps to protect data, so that it can minimize the risk to its reputation and revenues and the risk of lawsuits.

The vendor agreement plays an important role in mitigating these risks. First, the vendor agreement helps reduce the likelihood of a data breach by including representations and warranties from vendors regarding their compliance with the relevant privacy laws and industry standards. Alternatively, or in addition, a company may require vendors to follow specific privacy and security procedures (which may exceed the compliance requirements). Security and procurement groups in the company should separately verify the vendor’s compliance with such standards and procedures through tests or certifications. The vendor agreement should be carefully reviewed to ensure that there is no disclaimer of warranty as to security and privacy (unless those warranties are specifically provided in the representations and warranties section). Further, it may give the company the right to regularly audit the privacy and security standards of vendors, and impose penalties for failure to comply, including contract termination.

Second, a vendor agreement helps mitigate the costs and expenses related to a data breach occurring through a vendor. Tools to mitigate these costs include (i) carving out direct and indirect losses related to data breaches from the vendor’s limitation of liability clause; (ii) setting a separate, higher liability cap for losses arising out of data breaches (since the typical limitation amount, which is tied to the amount paid to the vendor, would not cover the loss from a data breach); and (iii) carving out indemnification from the limitation of liability clause, i.e. in the case of third-party claims and lawsuits there should be no limitation of liability, and the vendor should cover the cost of defense, damages, attorney fees, remedial measures, etc.

Another important aspect of addressing data security and privacy in vendor agreements is the vendor’s insurance policy. Each lost data record costs around $188 to make whole, according to a recent Ponemon Institute survey. The cost of defending and remedying a large data breach can thus run into millions of dollars. Such costs cannot be met out of pocket by vendors, so in case of a data breach, companies need to ensure that the vendor’s insurance would cover the vendor’s indemnification obligations. The question of whether general commercial liability insurance covers data breaches has been resolved differently by different courts, depending on the manner of breach and the language of the insurance policy. Thus, requiring specific cyber-insurance coverage in vendor agreements is highly recommended.

Top Issues to Address in Software as a Service Agreements

Software as a Service (SaaS) is becoming an increasingly popular method of delivering services to businesses. According to Gartner, SaaS revenue is expected to increase 20.1% in 2017, reaching $46.3 billion in total sales. This is more than a 3% increase over overall cloud market growth, according to Salesforce.

SaaS essentially refers to using software as a tool to deliver services. The software is developed, owned, and managed by a service provider, and accessed by the customer through a website, mobile app, or offline facilities. Customers use SaaS for various business processes such as sales, marketing, storing and processing customer data, etc. For example, Tableau helps visualize data; Dropbox helps synchronize documents; and Hubspot helps centralize high-quality content marketing.

There are a number of approaches to drafting SaaS agreements. Some attorneys consider it a service agreement at its core, while others consider it a license agreement with service components. The risks arising from both the service parameters and the software license need to be addressed in a SaaS agreement. While each SaaS agreement should be structured based on the particular services, industry, customer, and type of data handled by the service provider, some of the main issues that all well-drafted SaaS agreements address include:

  1. The Service Level Agreement (SLA). The SLA defines the extent of the guarantee of service availability (uptime) and the remedies for unavailability or errors in service (downtime) on the part of the service provider. The remedies typically include refunds, credits, a promise to repair within a certain time period, or some combination of these. The idea is for the service provider to limit the remedy in case the services become unavailable because of excessive use or other issues.

  2. Privacy, Data Management, Data Breach. When the customer’s sensitive data is stored with and processed by the service provider, it is important to include one or more clauses regarding the service provider’s obligation to keep the data secure and confidential, in compliance with the applicable laws. Moreover, the SaaS agreement should require the service provider to properly return or destroy data at the end of the engagement. It is also important to preserve the customer’s right to seek damages in case of data breach or data loss. Thus, the typical clauses of confidentiality, representations and warranties, limitation of liability, and indemnification need to be reviewed through the lens of the risk of data loss and its consequent damages.

  3. The Software License. Customers need to access the software to use the service provider’s services. Thus, the SaaS agreement should specifically define the services being provided and limit the customer’s access to the software to the use of those services. Further, the license clause needs to specify other restrictions, such as (a) number of users (customer’s whole organization, specific number of users, specific personnel, etc.), (b) ability to sublicense to agents or third parties (independent contractors, customer’s customers), (c) territory, (d) method of access (website, cloud, physical facilities), (e) non-exclusivity, and (f) restrictions on the ability to modify, reverse engineer, introduce malware, etc.

  4. Terms, Renewals, and Payment Structures. Structuring the term of the SaaS agreement appropriately is crucial to its commercial viability. Many SaaS companies adopt a model of an annual contract with the annual subscription payment due at the beginning of the term, automatic renewals, and no refunds for customers who want to terminate services before the end of the contract term. These could create a number of legal issues.

Automatic renewals have been the subject of many lawsuits and investigations by the Federal Trade Commission. In fact, the Restore Online Shoppers’ Confidence Act (ROSCA) in 2011 was specifically promulgated to generally prohibit companies from charging online consumers for goods or services through a “negative option feature” in an agreement, whereby the customer’s silence or failure to cancel the agreement is treated as acceptance of the offer. Thus, it is important to receive express consent before renewing subscriptions and to prominently display the automatic renewal notice before charging the customer. Providing renewal notice 30-60 days in advance goes a long way toward proving consent. Similarly, the no-refunds policy should be explicitly detailed in the SaaS agreement and prominently displayed at the time of payment of the annual fee to avoid disputes later.