A hot topic nowadays, cybersecurity has gained momentum and most likely will accelerate its pace with old and new challenges fuelled by remote work, IoT supply chain and increasingly targeted and sophisticated ransomware attacks, just to name a few. The real threat and risks are sometimes just a click away and the effects may be catastrophic for both individuals and businesses. Securing and managing data in a tech ecosystem becomes extremely difficult considering the intertwining of multivendor relationship, applicable laws, business objectives and the technology itself.
While many stress the importance of building cybersecurity resilience through the adoption and implementation of cybersecurity strategies, businesses are considering cybersecurity risks as a standard business risk which may be allocated through contractual terms - at the end, mitigating risks is one of the many goals of a contract.
Can businesses use contracts to allocate or mitigate cybersecurity risks and what should be considered when negotiating cybersecurity and privacy provisions?
Security standards mandated by the law or other regulations
Parties’ choice in negotiating and agreeing on privacy and cybersecurity provisions is significantly restricted by mandatory legal or regulatory requirements. The nature of the products or services and the type of the information and assets relevant to the transaction between parties is key in determining what technical and organizational measures should a business adopt to be fully compliant so to avoid, on top of cybersecurity risks, also any compliance and regulatory risk.
If the information shared or processed by parties qualifies as personal data, the General Data Protection Regulation will most certainly apply. The GDPR requires the adoption of “appropriate technical and organisational measures” whenever there is processing of personal data involved. This is a very outcomes-based approach, which translates into an obligation for businesses to carry out a risk analysis, and to adopt internal policies and, physical and technical measures when processing personal data. Businesses are, therefore, “free” to assess the state of art and cost implementation of such measures, as long as they are able to ensure confidentiality, integrity, availability and resilience of systems and services involved in the processing of personal data.
Less famous, but equally important, the EU Directive on Security of Network and Information Systems (NIS Directive) also establishes security and notification requirements for the so-called operators of essential services (OoES) such as transport, energy, financial market infrastructure, banking, health, drinking water and digital infrastructure; and digital service providers (DSP) that include online marketplaces, online search engines and cloud computing services.
Finally, suppliers or service providers operating in a regulated industry such as financial services or healthcare may be subject to additional security requirements which should be considered when negotiation cybersecurity and privacy provisions. For example, the revised Payment Service Directive (PSD2) and the European Banking Authority (EBA) Guidelines on ICT and Security Management Risks establishes specific and far-reaching security standards in the banking and payment services sectors. The Medical Device Regulation explicitly sets out certain essential safety requirements for manufacturers of medical devices concerning hardware, IT networks characteristics and IT security measures. The regulation applies to all medical devices including those incorporating software and software that are themselves medical devices.
So, what is left to negotiate?
Actually, plenty of room. In particular, when negotiating security and privacy provisions, the following issues will most certainly pop-up:
The “appropriate technical and organisational measures
When personal data are involved, the level of specification of the appropriate technical and organizational measures that parties need to adopt to ensure security of data, will depend on their respective role and bargaining power. This will often be included in a data processing agreement, attached to the main contract. Controllers will normally want general security measures requirements reflected in the agreement, with the possibility to regularly monitor and update measures upon request. Processors, on the other hand, will be reluctant to accept general security measures imposed and insist on including an exhaustive list of security measures in a data processing agreement.
Auditing rights often are key negotiation points in ICT contracts. Depending on the purpose and objectives, audits help parties to check and assess how the information (be it data or other proprietary information) provided under the contract is being used. A “right to audit” clause can also provide businesses with an effective tool in mitigating cybersecurity risks, especially when business seek to assess parties’ compliance with the security measures required. When negotiating these clauses, parties’ major concerns will be ensuring confidentiality of the information accessed and audit results, avoiding business disruption, the notification period and audit cost allocation.
Security incident response: notification, cooperation, and remediation
Though it may go under different names, security/data breach or security incidents clauses are also frequently addressed and highly disputed in contracts. If personal data are involved, data breach response is strictly regulated, and parties have little space to negotiate. However, possible redlines in these types of clauses will often concern the definition of security incidents, notification triggers and timeline (within the limits allowed by the law), corrective actions and remediation timelines and reimbursement of costs (which ties to the negotiation of the liability clauses discussed below). The power to negotiated will most certainly depend on the type of transaction, party’s interest at stake, but also party’s internal information security policies and organizational security structure.
Liabilities and indemnities
Last but not least, the circumstances under which a party will be liabile for breach of security measures (or breach of data) are often fiercely disputed and the scope of the indemnity provided will mostly depend on the type of transaction and bargaining power of the respective parties. Usually, parties agree on excluding liability for indirect damages and cap liability for direct damages. However, when negotiating security and privacy provisions, where multivendor arrangements are often involved, it becomes even more crucial to carefully consider and allocate cybersecurity risks.
As mentioned above, depending on the role and the interest at stake, parties will either cap liability at the lowest amount possible or, carve out or provide for separate super caps for breach of data security and privacy. When negotiating liability caps, it is very important to understand the real risks associated with the type of transaction, the type of product or services and whether there is any third party involved which affects parties’ liability.
Cybersecurity is a key risk many businesses are addressing in B2B relationships. An increasing regulatory intervention, frequent reliance on third-party service providers for data processing and imminent cybersecurity threats to business data and assets has led businesses to reconsider security and privacy provisions in their new and existing contractual relationships. Security standards established by laws and regulations are intentionally open-ended to keep up with the pace of technology changes. There is no one-size-fits-all approach to allocating cybersecurity risks through contractual terms, yet businesses should be able to understand the implications of cybersecurity and privacy provisions in their contracts and strategically negotiate these terms.