The recent string of data breaches has shown how different industries respond to new fears about data security. For instance, in response to the growing concerns of clients, corporate lawyers are moving to define and limit cyber risk exposure by adding a data breach clause to IT contracts. This raises the question: should your contracts have a data breach clause?
CorporateCounsel offers some advice to software, IT, and other tech businesses concerned about data liabilities. Going forward, your IT service contracts should do the following:
- Define a data breach.
- Identify who needs to be contacted in case of a breach.
- Specify when and how the proper personnel should be informed.
These are fairly basic items to include in a contract. What's shocking is that many older contracts simply don't have any information about data breaches, much less a clause like this that explains how to handle them. Let's look at how adding a section like this to your contracts can limit your risk and reduce the cost of a data breach.
Why IT Contracts Need to Offer Basic Data Breach Response Guidelines
IT professionals may find themselves in many different contractual relationships. Whether you're hired as a freelancer for a small project or you have a long-term service relationship with a company, it's essential to have data breach guidelines in your contracts to protect your business.
Studies show that having a data breach response plan significantly reduces the cost of a breach. According to the Ponemon Institute's 2014 Cost of Data Breach study, by adopting a strong security posture and having a data breach plan in place, you can reduce breach costs by 10 percent.
Many organizations still don't have one employee who is their go-to person when it comes to data security. Some organizations name a CIO / CSO (Chief Information Officer / Chief Security Officer), but depending on the industry your clients work in, they might not even think to have a C-level executive whose responsibility is overseeing data security.
Having the right language in a contract can make sure that data security issues are always handled with appropriate protocol. As we reported in the post, "IT Professional's Firing Would Have Been a Lawsuit for an IT Contractor," when Maricopa County Community College District suffered a data breach, there was a lot of finger pointing. Top members of the school district's IT staff each assumed that breaches were someone else's responsibility. A disorganized response meant that security flaws lingered longer than they should have and the cost of the data breach ballooned.
Rethink the Way You Do IT Contracts
For many IT freelancers, contracts are a source of confusion and uncertainty. If you hire a lawyer to review them, it gets expensive quickly. You're left to sign the complicated document on the dotted line and not ask any questions. This is especially true for IT contractors just starting out, but it doesn't have to be that way. Instead, start reshaping the way you think about contracts.
A contract isn't just a bunch of garbled legalese. It can be a way for you and your clients to communicate clearly. By defining a data breach in the contract and outlining each party's responsibility, you're telling your clients what you will do and what you expect them to do. It helps you avoid…
- Exorbitant costs.
- Miscommunications.
- Lasting damage.
Make your contracts and plans clear so if there is a data breach, the right people are handling it and limiting the harm.
If you're looking for more information on IT contracts, look at our sample IT contracts and templates you can use.
