Vendor Contracts: What You Need and What You May Be Missing

Post on 21-Feb-2016

DESCRIPTION

Vendor Contracts: What You Need and What You May Be Missing. Dino Tsibouris (614) 360-3133 dino@tsibouris.com. Let’s just use our standard agreement and attach the proposal to it, we should be good to go! What do you need to know? Contracts, exhibits, schedules, letters, emails

TRANSCRIPT

Dino Tsibouris

(614) 360-3133

dino@tsibouris.com

Vendor Contracts: What You Need and What You May Be Missing

Let’s just use our standard agreement and attach the proposal to it, we should be good to go!

What do you need to know?

• Contracts, exhibits, schedules, letters, emails
• Who is responsible for compliance
• Consumer data privacy and security roles
• Ownership of data
• Minimum service and data availability
• Indemnities, disclaimer of warranties, limitation of liability

…is there more?

• Termination rights and retention and access to data

• Breach notification when it happens at the vendor

• Compelled Disclosure of your data on the vendor’s system

But I’m…

• Not a lawyer
• Too busy to “go deep”
• Not worried, it’s a small dollar contract
• Pretty sure it’s already covered
• Used to lawyers making things too complicated

The problem: Words mean things

• Some words aren’t what they seem
• The cost of a deal gone wrong is time and money, not just money
• Small processors of personal data can create big liability (SMS/TCPA)
• Your issue may not be covered
• Lawyers can make it complicated but it shouldn’t be

Description of Services

Agreement Schedule

In the event of conflict, Schedule governs.

When Agreement terminates, some of the services in the Schedule need not terminate.

Privacy and Security of Customer Data in the Cloud

Source: Ponemon Institute

Privacy and Security of Customer Data

• Data stored in the cloud may be compromised due to a breach

• Contract must take into consideration an obligation to immediately notify, cooperate, and bear the cost of sending out breach notifications and remedial actions

• Consider insurance for breaches

Breach Notification

• Vendor may have a breach involving your data
• Must they tell you?
• When?
• What is your obligation to your customers?

• Prompt breach notification of confirmed breaches and suspected breaches is crucial.

Audit Rights

• Data collection and usage
• Security procedures/contract compliance
• Financials
• Timing and frequency
• SAS 70/third party provided audits

Service and Data Availability

• The cloud service may be subject to disruptions

• Where possible, negotiate fines or reimbursement for outages above and beyond scheduled maintenance

• Where possible, contract for greater availability and fault tolerance

Termination Provisions and Retention and Access to Data

Lessons:

• Ensure that ownership of information is clearly defined.
• Ensure that service provider agreement takes into consideration your ability to access your data and return of your data in the form that you want at the end of the relationship.

Disposal of Data

• How does the contract address data return?
• How does the contract address data disposal?
• Ensure that service provider agreement takes into consideration your legal obligations to dispose and delete information

Compelled Disclosure

• Data stored in the cloud is subject to compelled disclosure, possibly without your knowledge, due to the Stored Communications Act and National Security Letters

Pertinent Laws and Compliance with Them

Shurland v. Bacci

• Translink to “use due care in providing services covered by this Agreement” and to conduct its “performance of all services called for in this Agreement . . . consistent with industry standards.”

• “Merchant warrants and agrees that Merchant shall fully comply with all federal, state, and local laws, rules and regulations, as amended from time to time, including the Truth-in-Lending Act and Regulation Z of the Board of Governors of the Federal Reserve System.”

Lesson: Parties should clearly and unambiguously assign the responsibility to comply with each law that is material to the transaction.

Indemnification

• The other side pays your costs if they are specifically named

• Claims
• Losses
• Reasonable attorney fees
• Costs

Limitation of Liability

• No liability
• As-Is
• Refund of fees paid
• Capped dollar amount
• Insurance proceeds only
• “Direct damages” only

Yes, but…

Ensure that the limitation of liability clause and the indemnification clause properly interact with one another

“Shall indemnify … Subject to Section 20 (Limitation of Liability).”

Notice

• Abide by the Notice requirements of the Agreement.

Clarity takes time…

When should we start?

Questions & Answers

Dino Tsibouris

(614) 360-3133

dino@tsibouris.com