Protecting Your Organization Against Data Breach Liability
We seem to hear every few weeks about a company suffering a data breach and losing control of its customers' sensitive information. In the past year alone, millions of people have been affected by breaches at eBay, Target and LivingSocial, to name a few. Such breaches carry significant reputational costs from disgruntled customers, but they also present the very real threat of litigation or regulatory action (especially in the finance and healthcare sectors), and that comes straight out of the bottom line. Of course, many businesses no longer handle much, if any, of their IT in-house; they rely on third-party service providers who specialize in running secure systems for their networking and technology services.
What may surprise a business owner or chief technology officer is that many service providers use contracts that explicitly exempt them from liability if a data loss occurs. Beyond the contractual protections the providers secure for themselves, litigation becomes even more complicated when a business uses more than one provider (an increasingly common arrangement) and has not kept adequate system logs to show a court persuasively which provider, if any, was responsible for the breach. In practice this means logs from every provider that touches the data, kept on a synchronized clock and retained long enough to cover the period a dispute is likely to examine. An organization that does not address these issues before a problem occurs will often find itself holding the bag for an expensive problem it had little, if anything, to do with creating.
Luckily, there are solutions. Negotiation with service providers and careful contract drafting can shift the burden of proof to the provider, so that it must demonstrate it was not the cause of a breach should a problem arise. Insurance policies are available that either your organization or the service provider can obtain to cover breach-related losses (although if the provider obtains the policy, you will want to be a named insured on it). From a litigation standpoint, it is critical either to have one vendor that is solely responsible for system logging, or to have your organization undertake that function itself, so that if a problem does arise, the proof you need to show which party was responsible is actually available to you. A practical caveat: a provider's own logs are of limited value in a dispute with that same provider, so your organization should hold a copy it controls, or at least have a contractual right to obtain the logs promptly and in unaltered form.
Of course, every contractual relationship is different. If your organization is a large hospital, a regional service provider may be willing to make greater concessions on indemnification than if you are a small retailer negotiating with a large provider. In every relationship, however, there should be a balancing point at which both parties can feel secure that their needs and concerns are being addressed. The next time your organization has a services contract that implicates data security up for renewal or under negotiation, early consultation with an attorney can help you identify which issues need to be addressed and how best to address them in your situation.