Cyber security items every vendor contract should include


Following recent high profile data breaches, many companies are wondering what terms and conditions should be in vendor contracts. That is a great question to ask. Many companies, big and small, sign vendor contracts without considering the data security issues. Oftentimes, a contract that is “small potatoes” from a dollar standpoint has the potential to create a disproportionate level of risk. (Consider, for example, a company hired to empty your company’s shredder bin.) Such contracts often get signed without careful review, putting companies at risk.

While each company should get individualized legal advice, here are six things that should generally be addressed within vendor contracts:

1. Identification of the kind of confidential information that will be made available to the vendor. The contract should make clear what kind of confidential information will be in the vendor’s hands. Is it your customers’ financial information? Health information? Your company’s trade secrets?

2. A promise to protect the confidential information. The vendor should promise to protect that which it has access to. It should have a security program, and there should be a standard of care established. There should also be a way for you to determine whether the vendor is meeting this standard.

3. Procedures to deal with a loss of your confidential information. The vendor must have an obligation to notify you of any breach in a timely manner. You should have a primary point of contact who understands what information the vendor has and how that information has been stored. The vendor should be obligated to cooperate with any investigation you want to make.

4. An obligation to return or destroy confidential information when the contract ends. It can be difficult to get confirmation that information has been returned or destroyed if the parties are no longer doing business together. Put it in the contract.

5. An obligation to cover your losses if the vendor fails to protect your confidential information. This is often difficult to get, especially in small dollar value contracts. Be aware of the risk your company is undertaking if you choose not to contract for this protection.

6. An obligation to have cyber risk insurance that will protect you if the vendor fails to protect your confidential information. You should identify what coverage is needed, mandate the limits, and secure the right to be listed as an additional insured.



  1. says

Jack, thanks for the great information as the legal aspect of cyber security is so incredibly important. I’ll pass this on to our clients. I also wanted to add that cyber security threats are going to continue to grow in the coming years, so it’s highly essential that companies start securing their entire digital infrastructure, which begins by putting in place information security policies and procedures, provisioning and hardening of such systems, and then undertaking comprehensive security awareness training for employees. Call it the 3-point stance for protecting your organization. The problem is that most companies (1) have outdated policies, (2) don’t have formalized procedures and checklists for hardening their information systems, and (3) do little or nothing when it comes to security awareness training. This won’t cut it in today’s world, so it’s time to get serious about information security.
