August 8, 2016

How To: Effectively negotiate a technology vendor contract

Joshua T. Silver

One of the draws of technology management is the thrill of riding the wave of exciting new stuff. But with growing concerns over data security, executives and IT departments must work closely to negotiate agreements with technology service providers that effectively protect their data, their customers and their employees.

Special attention to the areas below can help contain potential risks in a new vendor relationship. Here are several things to keep top of mind:

1. Cyber risk

Confidentiality and information security concerns are at the top of the list of things keeping company executives and shareholders up at night. IT managers must pay special attention when negotiating technology vendor contracts. A problem like a data breach can quickly become a customer's problem.

  • Compliance with law: When vendors touch data that is covered under privacy and data security laws, compliance escalates. Vendors must comply with privacy and data security laws that apply to the vendor, the licensee and the product. Compliance may require vendor certifications from third parties.
  • Compliance with licensee's policies: IT managers live under their own company policies as well. Here is where negotiation needs to take care to satisfy requirements without using up negotiation capital that might be needed elsewhere. Licensees should carefully vet prospective vendors' policies to identify critical gaps ahead of time.
  • Data location: If the technology requires movement and storage of sensitive data outside of the licensee's infrastructure, then the contract should specify vendor limitations on accessing, storing, processing or transmitting that data. Because of regulatory restrictions on cross-border transmissions of personal information, the safest approach is to prohibit vendors from handling that data outside of the jurisdiction from which it was collected.
  • Data encryption: All sensitive data in vendor hands needs encryption of the highest industry standard. Encryption protects against hacking, and is a safe harbor under most data breach notification laws, which could save significant expense and embarrassment in the event of an incident.
  • Notification of data breaches: Vendors should be contractually obligated to notify the licensee immediately upon discovery of an actual or suspected data breach.

2. License or use rights

This section of the agreement must specify who, how, when, where and to what extent the licensee can use the technology. A product may be licensed on a metric basis such as per user, computer, server, site, etc. Use of a product may also be limited to specific employees, or be enterprise-wide. License rights may also allow use in connection with a joint venture with an unrelated third party. All desired scenarios must be explicitly identified in the agreement, or the licensee may find itself in breach of the license.

3. Indemnity

Indemnity from liability is critical, especially when hiring an untested vendor. Indemnification language should contractually obligate the vendor to indemnify the licensee against two things: third-party claims arising out of the product's infringement or misappropriation of a third party's intellectual property, and first-party costs and third-party claims arising out of information security breaches. If the licensee is prohibited from continued use of the product because of an infringement claim, then the vendor should obtain the necessary licenses for the licensee to continue using the product or provide a substitute product with similar functionality.

4. Service level agreements

Finally, a good agreement directs ongoing expectations and behaviors of the technology and the vendor. The agreement should keep the technology current for the duration of the relationship and often provides for service credits in the event SLAs are not met.

Joshua T. Silver is a shareholder in Bernstein Shur's business law practice group and co-chair of the data security team. He can be reached at jsilver@bernsteinshur.com.
