United States: Reviewing Information Security Warranty In Vendor Agreements

Outsourcing to third parties has become more common as businesses experience efficiencies in moving process offsite to software as a service (SaaS) applications. Working with external service providers can involve highly confidential data of clients, business partners, employees, or even third parties.

Customers can face substantial financial and reputational damages if a data breach occurs. Accordingly, businesses also have the risks of harming their customer base and revenue prospects. Therefore, companies should require strong security controls and policies when sharing or storing confidential information with vendors.

In entering an agreement with vendors, businesses should ensure that the contract includes warranty clauses. Generally, all warranties are disclaimed unless specifically stated. So, here are a few information security warranties that can be considered when negotiating vendor agreements:

(1) compliance with the security program;

(2) performance in accordance with the standards;

(3) conducting security audits; and

(4) maintaining appropriate insurance coverage.

Because each business is unique, warranties that are specific to the nature of the solution and the business should be used. Vendor contracts may be the initial sources for legal and technical information protection. Hence, before finalizing a vendor agreement, consulting with legal counsel could help ensure that a vendor contract contains warranties that are appropriate for the business.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.