As with any contract, the clauses, wordings or phrases used in any agreement will depend upon the type of service being provided by the given service provider/vendor (Vendor), and consideration should be given that the final contract be reviewed by your legal counsel. Your company is potentially entrusting a third party to protect the sensitive data and IT systems through which you uphold your privacy responsibilities. Contracts should be modified to meet your company's needs as they relate to the specific services being provided.
With these types of contracts, your company’s main considerations are:
It is critical that the Vendor your company is engaging provides proof of insurance with a variety of features. The following section describes details of insurance coverage that should be expected. In some cases, the coverage described below may be broader than most vendors may carry. It is up to you to decide how flexible your terms should be but the decision should be made only after assessing the risk to your company. The Vendor’s full policy should be reviewed to ensure the coverage provided meets or exceeds your requirements. As with any contract, consideration should be given that the final contract be reviewed by your legal counsel.
Your company should be added to the Vendor’s liability policy and cyber/privacy policy as an Additional Insured as it relates to the services being provided by the Vendor. The Vendor’s insurer should provide 30-day notification of cancellation or policy change. Request a certificate from them as proof of this.
Your company should require the Vendor to have insurance in place that covers Privacy, Liability and Network Security Liability based on the coverage outlined below.
MEARIE recommends that coverage provide a minimum $10,000,000 limit for Privacy, Liability and Network Security Liability, applying both to Data Breach Expenses and to sums the Insured may become legally obligated to pay as compensatory damages. The actual limit you request should be determined by the exposure the Vendor poses to your data, customer information or security, and by your comfort with their security controls. Depending upon the size of the Vendor you are hiring, the $10,000,000 limit may be too high; insurers may only be willing to provide smaller organizations with a $2,000,000 limit. Data Breach Expenses means those reasonable and necessary expenses incurred by the Vendor (Insured), or which the Insured becomes legally obligated to pay. The following are the types of cyber coverage to be considered:
a) Network Security / Privacy Liability – Accidental release or unauthorized disclosure of private, non-public or public information maintained by the Insured, including failure to prevent a third party's alleged unauthorized access to, unauthorized use of, tampering with, or introduction of malicious code into data or systems. Includes related breach expenses (details below under d) Crisis Management & Customer Notification).
b) Data Recovery & Business Interruption – Reasonable, actual expenses in excess of your normal operating expenses directly related to the replacement, restoration, or recreation of any data stored in your computer systems that is lost or corrupted, AND loss of income and extra expenses in excess of your normal operating costs resulting from a failure of security.
c) Privacy Regulatory Defense & Penalties – A request for information or civil investigation brought by a regulatory authority related to an actual or alleged breach or violation of any Privacy Regulation.
d) Crisis Management & Customer Notification – Includes several privacy-breach-related expenses, including:
e) Data Extortion – Reasonable expenses, in excess of normal expenses, to retain a negotiator or perform a system investigation for an incident.
f) PCI DSS Coverage – Payment Card Industry (PCI) assessment fines or penalties arising from a privacy breach, security breach or breach of privacy regulations (this is specific to the payment card industry and applies should any of you utilize vendors that handle payment cards).
g) Technology E&O – Defense of claims alleging a negligent act, error or omission in the performance or failure to perform technology professional services.
The above coverages are claims-made, so the service contract should require the Vendor to maintain coverage for a certain period of time after completion of their work, especially where Technology E&O is required. A typical reporting period would be three (3) years after completion of the contract. Coverage wordings may be provided as a standalone Cyber policy or embedded within another policy.
Consideration should also be given to including a definition of “Personal Information” to help eliminate potential legal or claims issues. Both the MEARIE Liability policy and the Ontario Privacy Commissioner website include a definition which can be used.
In addition to specific Cyber/Privacy-related requirements, it is important you also set general insurance criteria. For example, this would include:
An Indemnification Clause or a Hold Harmless Agreement in a contract may be one of the most important and often overlooked clauses, potentially having a profound effect on your company. In a contract, an indemnity clause is a legally enforceable agreement whereby one party agrees to accept the risk (assume financial responsibility) of a loss another party may suffer in a specific situation. Generally, an indemnity clause seeks to make the party best able to manage a particular risk responsible for the consequences of that risk materializing.[1]
Basically, an indemnity is just an agreement to cover the loss and damage suffered by another. It is a provision in a contract under which one party (or both parties) commits to compensate the other (or each other) for any harm, liability, or loss arising out of the contract.
The Vendor should always agree to defend and indemnify your company and its employees, directors, officers, agents and volunteers against liability for personal injury or property damage arising out of the Vendor’s performance under the contract. If the Vendor will not accept an indemnification clause, this should be a red flag, and your company may wish to reconsider entering into a contractual relationship with that company.
Don’t accept any language in a contract that includes or requires your company to assume the liability arising out of the operations of the Vendor. The Vendor should be responsible for their own actions and the liability arising from them. The Vendor should be agreeing to indemnify your company if the Vendor causes a loss to your company.
Intermediate Form Hold Harmless – Where the Vendor holds your company harmless for suits alleging sole negligence of Vendor or the negligence of both the Vendor and your company.
The following is a sample of an Indemnification Hold Harmless Agreement contract wording. (Consideration should be given that all contracts be reviewed by your legal counsel.):
Vendor shall defend, indemnify and hold harmless your company, its subsidiaries and affiliates, and their respective officers, directors, employees, agents, and successors (each a “your company Indemnitee”) from and against all losses, damages, liabilities, deficiencies, actions, judgments, interest, awards, penalties, fines, costs or expenses of whatever kind, including reasonable legal fees, the cost of enforcing any right to indemnification hereunder and the cost of pursuing any insurance providers, arising out of or resulting from any third-party claims against a your company Indemnitee arising out of or resulting from Vendor’s failure to comply with any obligation under this contract.
Generally, liability insurance policies cover the operations of the Insured and do not provide for the assumption of liability under a contract without charging additional premium and scheduling the contract. When reviewing and analyzing contract offers from potential Service providers, it is important to consider the indemnification clause being provided by each vendor.
The Potential Cost for Indemnification
Ensure your company is considering the financial responsibility being transferred to the Service provider, and realize this is part of what should be built into the fee structure of the contract. If a Service provider is willing to accept the financial responsibility you are asking them to assume through the indemnification clause, there will be an increased cost. A Service provider offering a lower bid may not be prepared to accept or take on the liability. Not all offers are equal, and not all indemnification clauses are equal. Understand that you get what you pay for, not necessarily what you ask for.
Will the Service provider have access to your company’s Customer data, personal information or other data that could create a privacy breach issue?
As part of an agreement with Service providers, it is recommended that, at a minimum, the agreement follow your own corporate IT policies and procedures for privacy and network security and hold the Service provider to standards equal to your own.
During the term of the contract, the Service provider is responsible for the privacy and security of all of your company’s data and customer information. The Service provider needs to demonstrate their understanding of how:
At a minimum the Service provider’s controls for the protection of your company’s data and customer information shall include:
The Service provider needs to agree to Security Breach Procedures that protect your company. Pursue agreement that the Service provider shall do the following in the event of a security breach involving your data or systems:
Entrusting another company with access to your electronic environment or with handling your data is a significant decision. Ensuring your company is protected in as many ways as possible is of the utmost importance. Hopefully the information here has given you some ideas for how to develop and pursue some of the main protections.
The MEARIE Group is advancing risk management capabilities and providing solutions, developed specifically for the risks of the electricity sector. As an advocate for proactive risk management programs, we are your ally for support on practical risk management solutions and intelligence.
This Reciprocal Newsletter is an electronic publication intended for Subscribers of The MEARIE Group’s Insurance programs. It is published on a periodic basis and intended for information purposes only. In the event of specific claims, incidents or legal actions against the Subscriber, coverage will be determined by MEARIE policy interpretation.