Issue link: https://nebusinessmedia.uberflip.com/i/710928
WWW.MAINEBIZ.BIZ | AUGUST 8, 2016 | FOCUS | HOW TO

Effectively negotiate a technology vendor contract

BY JOSHUA T. SILVER

One of the draws of technology management is the thrill of riding the wave of exciting new stuff. But with growing concerns over data security, executives and IT departments must work closely to negotiate agreements with technology service providers that effectively protect their data, their customers and their employees. Special attention to the areas below can help contain potential risks in a new vendor relationship. Here are several things to keep top of mind:

1. Cyber risk

Confidentiality and information security concerns are at the top of the list of things keeping company executives and shareholders up at night. IT managers must pay special attention when negotiating technology vendor contracts. A problem like a data breach can quickly become a customer's problem.

Compliance with law: When vendors touch data that is covered under privacy and data security laws, compliance escalates. Vendors must comply with privacy and data security laws that apply to the vendor, the licensee and the product. Compliance may require vendor certifications from third parties.

Compliance with licensee's policies: IT managers live under their own company policies as well. Here is where negotiation needs to take care to satisfy requirements without using up negotiation capital that might be needed elsewhere. Licensees should carefully vet prospective vendors' policies to identify critical gaps ahead of time.

Data location: If the technology requires movement and storage of sensitive data outside of the licensee's infrastructure, then the contract should specify vendor limitations on accessing, storing, processing or transmitting that data. Because of regulatory restrictions on cross-border transmissions of personal information, the safest approach is to prohibit vendors from handling that data outside of the jurisdiction from which it was collected.

Data encryption: All sensitive data in vendor hands needs encryption of the highest industry standard. Encryption protects against hacking, and is a safe harbor under most data breach notification laws, which could save significant expense and embarrassment in the event of an incident.

Notification of data breaches: Vendors should be contractually obligated to notify the licensee immediately upon discovery of an actual or suspected data breach.

2. License or use rights

This section of the agreement must specify who, how, when, where and to what extent the licensee can use the technology. A product may be licensed on a metric basis such as per user, computer, server, site, etc. Use of a product may also be limited to specific employees, or be enterprise-wide. License rights may also allow use in connection with a joint venture with an unrelated third party. All desired scenarios must be explicitly identified in the agreement, or the licensee may find itself in breach of the license.

3. Indemnity

Indemnity from liability is critical, especially when hiring an untested vendor. Indemnification language should contractually obligate the vendor to indemnify the licensee against third-party claims arising out of the product's infringement or misappropriation of intellectual property of a third party and first-party costs and third-party claims arising out of information security breaches. If the licensee is prohibited from continued use of the product because of an infringement claim, then the vendor should obtain the necessary licenses for the licensee to continue using the product or provide a substitute product with similar functionality.

4. Service level agreements

Finally, a good agreement directs ongoing expectations and behaviors of the technology and the vendor. The agreement should keep the technology current for the duration of the relationship and often provides for service credits in the event SLAs are not met.

Joshua T. Silver is a shareholder in Bernstein Shur's business law practice group and co-chair of the data security team. He can be reached at @ .