2. Security Provisions

If the vendor will have access to information the licensee classifies as critical (e.g., personally identifiable customer information, highly confidential business information, etc.) and will be storing that information on its own servers, then, in addition to the standard confidentiality provision described above, the licensee should consider including specific contractual requirements covering the vendor's obligation to secure that information against unauthorized access. These requirements can run the gamut from a general "security" provision to additional warranties, indemnities, and lengthy exhibits setting out information handling procedures (e.g., encryption of information in transit, secure disposal of media on which information has been stored, "air-gapping" of critical machines, etc.). The size of the transaction and the criticality of the data will govern the level of protection required.

While these additional vendor obligations may at first seem onerous and potentially difficult to negotiate, our experience has shown that they are generally among the easier protections to obtain from vendors. Most reputable vendors will already have implemented many of the standard security procedures as part of their normal business operations. For example, the vast majority of vendors already use anti-virus software and firewalls, maintain physical and logical security procedures, monitor their systems for possible intrusions, conduct employee education regarding security, and limit access to confidential information to those employees who have a need to know.

If the security of data and information will be an issue in a particular transaction, the best approach is to raise the issue early with the vendor. We suggest including specific security expectations and requirements in the Request for Proposals. If an RFP is not used, the licensee should consider sending the vendor a security questionnaire requesting information about the prospective vendor's security practices. When completed, the questionnaire should be attached as an exhibit to the agreement, together with a warranty from the vendor that its responses are true and accurate.

The following is an example of a basic security provision:

Example Provision:

Security Requirements. Vendor will maintain and enforce safety and physical security procedures with respect to its access and maintenance of Customer's Confidential Information that are (a) at least equal to industry standards for such types of locations, and (b) which provide reasonably appropriate technical and organizational safeguards against accidental or unlawful destruction, loss, alteration or unauthorized disclosure or access of Customer Confidential Information. Without limiting the generality of the foregoing, Vendor will take all reasonable measures to secure and defend its location and equipment against "hackers" and others who may seek, without authorization, to modify or access Vendor's systems or the information found therein. Vendor will periodically test its systems for potential areas where security could be breached. Vendor will immediately report to Customer any breaches of security or unauthorized access to Vendor's systems that Vendor detects or becomes aware of. Vendor will use diligent efforts to remedy such breach of security or unauthorized access in a timely manner and deliver to Customer a root cause assessment and future incident mitigation plan with regard to any breach of security or unauthorized access affecting Customer Confidential Information.

Software Agreements Line by Line. How to Understand & Change Software Licenses & Contracts to Fit Your Needs
ISBN: 1587623692
Year: 2004
Pages: 56