The Reciprocal Newsletter

As with any contract, the clauses, wording or phrases used in an agreement will depend upon the type of service being provided by the service provider/vendor (Vendor), and the final contract should be reviewed by your legal counsel. Your company is potentially entrusting a third party with the protection of sensitive data and IT systems through which it upholds its privacy responsibilities. Contracts should be modified to meet your company's needs as they relate to the specific services being provided.

With these types of contracts, your company’s main considerations are: 

  1. Have your company named as an Additional Insured on the Vendor’s insurance policy.
  2. Your company should not be assuming the liability of others. Your MEARIE Liability policy provides coverage for your Operations Covered only, not the operations of others.
  3. Ensure the contract includes standards of care in handling data and network security that are equal to or better than your own company's, and ask for proof of this.


Insurance Considerations – Get the Vendor to Protect You 

It is critical that the Vendor your company is engaging provides proof of insurance with a variety of features. The following section describes details of insurance coverage that should be expected. In some cases, the coverage described below may be broader than most vendors may carry. It is up to you to decide how flexible your terms should be but the decision should be made only after assessing the risk to your company. The Vendor’s full policy should be reviewed to ensure the coverage provided meets or exceeds your requirements. As with any contract, consideration should be given that the final contract be reviewed by your legal counsel. 

Your company should be added to the Vendor’s liability policy and cyber/privacy policy as an Additional Insured as it relates to the services being provided by the Vendor. The Vendor’s insurer should provide 30-day notification of cancellation or policy change. Request a certificate from them as proof of this. 

Your company should require the Vendor to have insurance in place that covers Privacy, Liability and Network Security Liability based on the coverage outlined below. 

MEARIE recommends a minimum limit of $10,000,000 for Privacy, Liability and Network Security Liability, applying to Data Breach Expenses and to sums the insured may become legally obligated to pay as compensatory damages. The actual limit you request should be determined by the exposure the Vendor poses to your data, customer information or security, and by your comfort with their security controls. Depending upon the size of the Vendor you are hiring, the $10,000,000 limit may be too high: insurers may only be willing to provide smaller organizations with a $2,000,000 limit. Data Breach Expenses means those reasonable and necessary expenses incurred by the Vendor (Insured) or which the Insured becomes legally obligated to pay. The following are the types of cyber coverage to be considered:

a) Network Security / Privacy Liability – Accidental release or unauthorized disclosure of private, non-public or public information maintained by the Insured, including failure to prevent unauthorized access to, unauthorized use of, tampering with, or introduction of malicious code into data or systems, as alleged by a third party. Includes related breach expenses (details below under d) Crisis Management & Customer Notification).

b) Data Recovery & Business Interruption – Reasonable, actual expenses in excess of your normal operating expenses directly related to the replacement, restoration, or recreation of any data stored in your computer systems that is lost or corrupted, AND loss of income and extra expenses in excess of your normal operating costs resulting from a failure of security.

c) Privacy Regulatory Defense & Penalties – Request for information or civil investigation brought by a regulatory authority related to an actual or alleged breach or violation of any Privacy Regulation.

d) Crisis Management & Customer Notification – Includes several privacy breach related expenses, including:

        • Notification Expenses – Costs incurred by you to comply with the privacy law to provide notice of any potential disclosure of or unauthorized access to private information.
        • Credit Monitoring Expenses – Costs to provide credit monitoring to the extent required by privacy law.
        • Crisis Management and Public Relations Expenses – Reasonable costs you incur to protect your reputation and investigate corrective action to mitigate a privacy breach event.
        • Cyber Investigation Expenses – Costs you incur to pay a third party to conduct an investigation of your computer systems to determine how and when a privacy breach occurred. 

e) Data Extortion – Reasonable expenses, in excess of normal expenses, to retain a negotiator or perform a system investigation for an incident.

f) PCI DSS Coverage – Payment Card Industry (PCI) assessment fines or penalties arising from a privacy breach, security breach or breach of privacy regulations. (This is specific to the payment card industry and applies should any of you utilize these vendors.)

g) Technology E&O – Defense of claims alleging a negligent act, error or omission in the performance or failure to perform technology professional services. 

The above coverages are claims-made, so the service contract should require the Vendor to maintain coverage for a certain period after completion of their work, especially where Technology E&O is required. A typical reporting period would be three (3) years after completion of the contract. Coverage wordings may be provided as a standalone Cyber policy or embedded within another policy.

Consideration should also be given to including a definition of “Personal Information” to help eliminate potential legal or claims issues. Both the MEARIE Liability policy and the Ontario Privacy Commissioner website include a definition which can be used. 

In addition to specific Cyber/Privacy-related requirements, it is important you also set general insurance criteria. For example, this would include: 

  1. An indication of the financial stability of the insurance company with which the Vendor has insurance
  2. Confirmation the Vendor’s policies are primary and non-contributory
  3. Inclusion of a 30-day notification of cancellation or policy change from the Insurer 

Indemnification & Hold Harmless Agreement 

An Indemnification Clause or a Hold Harmless Agreement in a contract may be one of the most important and often overlooked clauses, potentially having a profound effect on your company. In a contract, an indemnity clause is a legally enforceable agreement whereby one party agrees to accept the risk (assume financial responsibility) of loss another party may suffer in a specific situation. Generally, an indemnity clause seeks to make the party best able to manage a particular risk responsible for the consequences of the risk materializing.

Basically, an indemnity is just an agreement to cover the loss and damage suffered by another. It is a provision in a contract under which one party (or both parties) commits to compensate the other (or each other) for any harm, liability, or loss arising out of the contract.

The Vendor should always agree to defend and indemnify your company and its employees, directors, officers, agents and volunteers against liability for personal injury or property damage arising out of the Vendor’s performance under the contract. If the Vendor will not accept an indemnification clause, this should be a red flag, and your company may wish to reconsider entering into a contractual relationship with that company.

Don’t accept any sort of language in a contract that includes or requires your company to assume the liability arising out of the operations of the Vendor. The Vendor should be responsible for their own actions and liability arising from them. The Vendor should be agreeing to indemnify your company, if the Vendor causes a loss to your company. 

A Hold Harmless Agreement is the provision in a contract that requires one contracting party to respond to certain legal liabilities of the other party. It is recommended that a “limited form” or an “intermediate form” hold harmless clause be accepted:

  • Limited Form Hold Harmless – Where the Vendor holds your company harmless from suits arising out of the Vendor’s sole negligence. Your company is thus protected when it is held vicariously liable for the actions of the Vendor.
  • Intermediate Form Hold Harmless – Where the Vendor holds your company harmless for suits alleging sole negligence of the Vendor or the negligence of both the Vendor and your company.

Indemnification Hold Harmless Agreement Sample Wording: 

The following is a sample of an Indemnification Hold Harmless Agreement contract wording. (Consideration should be given that all contracts be reviewed by your legal counsel.): 

Vendor shall defend, indemnify and hold harmless your company, its subsidiaries, affiliates and their respective officers, directors, employees, agents, and successors (each of your company’s Indemnitees) from and against all losses, damage, liabilities, deficiencies, actions, judgments, interest, awards, penalties, fines, costs or expenses of whatever kind, including reasonable legal fees, the cost of enforcing any right to indemnification hereunder and the cost of pursuing any insurance providers, arising out of or resulting from any third party claims against any of your company’s Indemnitees arising out of or resulting from Vendor’s failure to comply with any obligation under this contract.

Generally, liability insurance policies cover the operations of the Insured and do not provide for the assumption of liability under a contract, without charging additional premium and scheduling the contract. When reviewing and analyzing various contract offers from potential Service providers, it is important to consider the indemnification clause that is being provided by each vendor. 

The Potential Cost for Indemnification 

Ensure your company is considering the financial responsibility being transferred to the Service provider and realize this is part of what should be built into the fee structure of the contract. If a Service provider is willing to accept the financial responsibility - through the indemnification clause you are asking them to assume - there will be an increased cost. A Service provider offering a lower bid may not be prepared to accept or take on the liability. Not all offers are equal and not all indemnification clauses are equal. Understand you get what you pay for, not necessarily what you ask for. 

Set the Bar High for a Standard of Care 

Will the Service provider have access to your company’s Customer data, personal information or other data that could create a privacy breach issue? 

As part of an agreement with Service providers, it is recommended, at a minimum, that the agreement follow your own corporate IT policies and procedures related to privacy and network security and hold the Service provider to standards equal to your own.

During the term of the contract, the Service provider is responsible for the privacy and security of all of your company’s data and customer information. The Service provider needs to demonstrate that:

  1. It represents and warrants how it collects, accesses, uses, stores, disposes of and discloses your company’s data and customer personal information.
  2. It will comply with all federal and provincial privacy and data protection laws, as well as all other applicable regulations and directives.

At a minimum the Service provider’s controls for the protection of your company’s data and customer information shall include:

  • Limiting access to data and information to authorized individuals
  • Securing all facilities, data centres, hard copy files, servers, back-up systems and data processing equipment including but not limited to all mobile devices and other equipment with information storage capabilities
  • Implementation of network device, application, database and platform security
  • Securing information transmission, storage and disposal
  • Authentication and access controls within media, applications, operating systems and equipment
  • Encryption of highly sensitive data and customer information stored on mobile media
  • Encryption of highly sensitive data and customer information transmitted over public or wireless networks
  • Strictly segregating your company’s data and customer information from Service provider’s or other customers so that your company’s data is not co-mingled with any other types of information or data
  • Implementing appropriate personnel security and integrity procedures and practices, including but not limited to background checks consistent with applicable laws
  • Providing Service provider’s employees with privacy and information security training

The Service provider needs to agree to Security Breach Procedures that protect your company. Pursue agreement that the Service provider shall do the following in the event of a security breach involving your data/systems: 

  • Provide your company with the name and contact information for an employee of the Service provider who shall serve as your company’s primary security contact and shall be available to assist your company 24 hours per day, 7 days per week, as a contact in resolving obligations associated with a security breach.
  • Notify your company of a security breach as soon as practicable, but no later than 24 hours after Service provider becomes aware of it.
  • Immediately following the Service provider’s notification to your company of a security breach, both parties shall coordinate with each other to investigate the security breach in accordance with the Service provider’s standard policies and procedures, a copy of which has been provided to your company.
  • Take reasonable steps to immediately remedy any security breach and prevent further security breaches at the Service provider’s expense in accordance with applicable privacy rights, laws, regulations and standards.
  • Reimburse your company for actual costs incurred by your company in responding to and mitigating damages caused by a security breach, including all costs of notice and/or remediation.
  • Agree that it shall not inform any third party of any security breach without first obtaining your company’s prior written consent, other than to inform a complainant that the matter has been forwarded to your company’s legal counsel. Further, the Service provider agrees that your company shall have the sole right to determine:
        • whether notice of the security breach is to be provided to any individuals, regulators, law enforcement, consumer reporting agencies or others as required by law or regulation or otherwise in your company’s discretion; and
        • the contents of such notice, whether any type of remediation may be offered to affected persons, and the nature and extent of such remediation.
  • Fully cooperate with your company in any litigation, claim or other formal action deemed necessary by your company to protect its rights relating to the use, disclosure, protection and maintenance of your company’s data and customer information.
  • Notify MEARIE of any potential incidents. 

Entrusting another company with access to your electronic environment or with handling your data is a significant decision. Ensuring your company is protected in as many ways as possible is of the utmost importance. Hopefully the information here has given you some ideas for how to develop and pursue some of the main protections. 

The MEARIE Group is advancing risk management capabilities and providing solutions, developed specifically for the risks of the electricity sector. As an advocate for proactive risk management programs, we are your ally for support on practical risk management solutions and intelligence. 

This Reciprocal Newsletter is an electronic publication intended for Subscribers of The MEARIE Group’s Insurance programs. It is published on a periodic basis and intended for information purposes only. In the event of specific claims, incidents or legal actions against the Subscriber, coverage will be determined by MEARIE policy interpretation. 


For more information on this topic, contact us to learn more.

Article by:
MEARIE Reciprocal News Team