Redlining the Security Agreements
We all love agreements, but they need to be fair and justifiable when it comes to security risks.
Eddie H
7/1/2023 · 6 min read


In business, written agreements and contracts are crucial. But let's be real, the terms aren't always fair, and often, one company ends up with the short end of the stick. Is that your company?
Most legal and contract teams aren't cybersecurity experts, so executives often don't get the full picture of the security commitments they're making. Clauses like those allowing for audits and site visits can put too much pressure on one side[1].
This is where careful redlining of customer contracts becomes crucial. The process involves reviewing and marking up a contract to ensure that all terms are fair and balanced. By meticulously going through each clause, businesses can negotiate terms that are more equitable and prevent potential disputes down the line[2]. In certain cases, contracts will have separate terms and these can be added at a later time, in the form of a contract amendment or “security addendums.”
Security Addendums
Security addendums are another critical component, especially when dealing with sensitive information, since they may require putting in place additional resources, personnel, processes, or operations[3]. These addendums are intended to define the security measures and responsibilities of each party, spelling out what steps each party takes to protect the confidentiality, integrity, and availability of data. Protecting against unfair requests and ensuring that both parties are held accountable for maintaining security standards often requires the help of a Chief Information Security Officer (CISO) and other security professionals[3].
Indemnification
Indemnification clauses, which are often included in these addendums, provide a safety net by compensating one party for losses or damages incurred due to the other party's actions[4]. Together, redlining contracts and including comprehensive security addendums can safeguard businesses from unfair practices and enhance the overall security and fairness of agreements[2].
Data Breaches
As security breaches become more prevalent, security addendums have become more one-sided and unfair, often placing excessive burdens on vendors[5]. This trend has been driven by the increasing frequency and impact of data breaches involving third-party suppliers[6]. According to a report by Black Kite, the number of third-party data breaches nearly doubled in 2022, with 4.73 affected companies per vendor compared to 2.46 in 2021[7]. Additionally, 51% of businesses have suffered a data breach caused by a third party, with 44% experiencing a breach within the previous 12 months.
Third-Party Risks
These statistics highlight the growing risk associated with third-party vendors and the need for stringent security measures. However, the burden of these measures often falls disproportionately on vendors, who may face unrealistic requests for security standards, prohibitive penalties for non-compliance, and extensive third-party risk management requirements[5][8]. This imbalance can lead to unfair contract terms that place undue pressure on vendors, potentially affecting their ability to operate effectively and maintain profitability.
A Balancing Act
To address this issue, it's crucial for businesses to negotiate balanced security addendums that consider the capabilities and limitations of vendors while still ensuring robust security measures. Agreements are drafted by attorneys, who are mostly focused on the financial risks and on limiting damages for their clients. Their lack of expertise in security makes it easy for them to add terms for security controls that are unfair, intrusive, and in certain cases impossible to accomplish.
For example, addendums will usually require vendors to obtain certifications or enforce security policies that the requesting companies themselves do not have and would not put in place. It’s important to realize that doing business involves an exchange of information, and both companies need complementary controls in place to ensure that confidentiality and privacy controls are adequate during the exchange. Would you demand that someone carry cybersecurity and general liability insurance if you do not carry it yourself?
It is important to read the clauses from a perspective of fairness and suitability to the business and to the transactional information being handled. This approach can help create a more equitable and sustainable partnership between businesses and their third-party suppliers.
Below is a short list of common clauses you will find in contracts, along with recommendations on some counter proposals that companies can negotiate.
Un-announced and/or Unlimited Audits: Frequent and unrestricted audits can be time-consuming, costly, and disruptive to the normal course of business.
Recommendation: Have a written policy that limits on-site audits to regulators and law enforcement and confines them to specific areas (excluding those labeled ‘For Authorized Personnel Only’). Propose a 30-day written notice for regular audits, provide a process for requesting information electronically, and limit the number of audits to once per year.
On-site visits and tours: These are becoming de facto requirements for organizations that handle sensitive data, such as a data center or backup/archival service. For certain types of organizations, a site visit can expose visitors to other customers' information (even just the fact that you do business with a competitor), and this may be hazardous. Allowing constant site visits can affect daily operations and compromise confidentiality.
Recommendation: As with the above recommendation for audits, have policies where you set boundaries and document a clear process and schedule for site visits, ensuring minimal impact on operations and limiting the scope to only showing what data, application, or service is being sold to the customer. Protect your organization’s intellectual property and that of other customers at all cost.
Excessive Data Retention Requirements: Holding onto data longer than is legally necessary increases storage costs and security risks. Making it known to your customers that you keep such data can open you up to being asked to produce it, and one mistake, gap, or missing piece of data can make it look like you are hiding something.
Recommendation: Have clearly documented data retention policies in place and ensure that these are followed consistently by all departments. Enable Data Loss Prevention (DLP) settings on your email (Outlook or Gmail) to automatically enforce limits. Ensure that data is stored only for as long as needed to complete a task and deleted upon completion. Negotiate reasonable data retention periods that align with industry standards and business needs. Example: Billing and financial records are kept for a maximum of 7 years, but all customer sensitive data is purged and erased using a multi-pass overwrite process 30 days after contract termination and/or expiration.
Overly Broad Indemnification Clauses: These can expose vendors to undue legal and financial risks, not to mention increased costs for liability insurance. While indemnity clauses appear in nearly all types of contracts, in security, negligence can occur on the part of both companies, or of another party that one or both companies have in common, and therefore care should be taken to ensure a balance.
Recommendation: Limit indemnification clauses to specific scenarios, such as data breaches due to the vendor's willful negligence, and cap damages at the value of the annual contract (or the total paid for products/services).
Certifying and Adopting Unrealistic Security Standards: Adopting standards that are too rigid or not relevant to the vendor's context can be impractical. These can involve standards like HITRUST and putting in place controls to protect things like Electronic Protected Health Information (ePHI) when your organization does not handle this type of data, or PCI-DSS for companies that process payments but use payment processors and never store credit card or banking information themselves, etc.
Recommendation: Advocate for the adoption of industry-standard security practices that are feasible and relevant to both parties. Make use of an Information Transfer Agreement (ITA) or Mutual Non-Disclosure Agreement (NDA) during every exchange or project as these are less burdensome and contain standard language on what each party has to do to protect pertinent data from unauthorized disclosure.
Prohibitive Penalties for Non-Compliance: Excessive penalties can create financial strain and may not be proportionate to the risk.
Recommendation: Suggest reasonable penalties that reflect the severity of the non-compliance, up to termination of the contract rather than monetary payment, and provide a good-faith grace period for remediation of up to 90 days.
Third-Party Risk Management: Extensive requirements for managing third-party risks can be costly and complex. Requiring suppliers to perform due diligence when selecting their own suppliers and vendors is to be expected, but ensure the wording does not commit you to doing more than you can.
Recommendation: Propose a collaborative approach to third-party risk management, sharing responsibilities and costs. Consider offering details on which third parties (if any) will have access to the customer’s data, where the data will reside, and that you do not sell or share their data with any other parties.
These recommendations can help vendors negotiate more balanced and fair security requirements, reducing undue burdens, and ensuring a mutually beneficial partnership. This is not a complete list and it is not intended to provide legal/contract advice.
https://securityboulevard.com/2021/06/third-party-data-breaches-a-rising-threat/
https://blackkite.com/whitepaper/2023-third-party-breach-report/
https://www.getastra.com/blog/security-audit/third-party-data-breach-statistics/
The views, opinions, and explanations presented in this article are solely the personal opinions of the author and do not in any way reflect the official views, opinions, policies, or discussions of the author’s employer, affiliated organizations, its employees, clients, or other stakeholders. Information provided is intended for informational and educational purposes only and is not to be understood as advice or legal guidance of any kind. For legal or professional advice, please engage a subject matter expert.