Stoll Keenon Ogden: Vendor risk management, 10 questions to ask technology vendors

Legal tips from Stoll Keenon Ogden newsletter

By Lynn H. Wangerin
Stoll Keenon Ogden

With the current focus on data privacy and security, as well as the growing use of technology in your business, do your agreements with vendors contain the protections you need? Simply engaging a vendor for a particular task will not necessarily protect you from potential losses. Unfortunately, liability related to data breaches through vendors is common. Thus, it is all the more important that vendor engagements be drafted and entered into carefully, considering the vendor’s obligations to you for protection and compliance.

There should always be an assessment of what information/data a vendor will have access to, what data a vendor will store and process, and whether and how a vendor may use that data. For example, is personal information included, and is that personal information particularly sensitive? Is there confidential business information involved, and how confidential is it – “bet the business” information or simply something you would like to keep confidential?

There is often an assumption that the agreement a vendor presents is non-negotiable, but that is not always the case. Even if the agreement is non-negotiable, the following questions should be asked and answered to assess any potential risks; sometimes another path is better. Also, in some cases certain risks can be mitigated by, for example, using a numeric system instead of including identifying information of individuals.

Here are 10 questions to ask your technology (and perhaps other) vendors:

  1. If there is a need to add users or otherwise broaden the scope of the services during the term of the agreement, is the cost to add users, etc., covered in the agreement, or is the addition at the “then-current” price? Are the additions coterminous with the term for the initial scope?
  2. What security measures does the vendor have in place and what are the security obligations, if any, in the agreement?
  3. Are there sufficient limits on the access to and use of your data by the vendor? Can the vendor, for example, use your data for its own business and contact your customers?
  4. Is the vendor’s access to and use or processing of your data sufficiently covered in your privacy policy?
  5. If the vendor’s system is breached, is there a requirement to notify you? To provide you updates on the status? Can the vendor notify your customers of the breach? What, if any, are your remedies for the breach?
  6. Is the vendor required to make backups of your data? How long are they kept?
  7. Is the vendor providing any warranty (many technology agreements do not provide any warranty and disclaim all implied warranties)? If so, what is the remedy for breach of the warranty?
  8. Is there a service level obligation of some sort included, both with respect to responding to issues and, if applicable, an uptime obligation (that is, the percentage of time the vendor represents the system will be usable and not offline) or an availability commitment? What are the remedies for failure? Are only “credits” allowed, with no right to terminate for significant downtime?
  9. What are the limitations on the vendor’s liability for breach (most vendor agreements provide for significant limitations on what you might recover)? Is the vendor required to carry insurance and, if so, is your business listed as an additional insured?
  10. At the end of the term of the agreement, how do you get your data back if needed? In what form is it provided? Do you need the vendor’s help and, if so, is there a cost? Also, what are the vendor’s deletion/destruction or ongoing protection obligations?