CFO.com's "8 Ways to Shore Up Privacy Language in Cybersecurity Agreements" presents sound guidance for negotiating data privacy provisions in vendor contracts, e.g., contracts with cybersecurity vendors, insurers, and any other firm that maintains personal data on the company's behalf, including software vendors, outsourced IT service providers, accounting and law firms, and consultants.
Key takeaways include:
- Creating and leveraging model contract language gives the company better negotiating terms and consistency across contracts, even when the company has the weaker bargaining position of the two parties.
- Ensure that the limitation-of-liability provision doesn't undermine the indemnity provision; capping the vendor's liability weakens the indemnity in practice. Along those lines, avoid limitations of liability that effectively shift the risk of the transaction from the service or product provider to the company.
- In view of multiple and increasingly stringent regulatory notification requirements, ensure that notice provisions in the event of a breach, privacy law violation, or the like that involves company data identify how quickly the vendor needs to notify the company, who they need to notify, and how.
- Stick to your guns on the contract language; don't be intimidated into compromising your desired position simply because a term or provision may need to be escalated to a higher level of management on the vendor's side.
- Don't allow carve-outs from the vendor's obligation to comply with laws, whatever rationale is offered, as this is also a risk-shifting tactic; the company should not have to assume that risk in order to do business.
This post first appeared in the weekly Society Alert!