  • On-Demand
  • Intermediate
  • Corporate Law
  • 90 minutes

Drafting Data and Cybersecurity Provisions in Third-Party Vendor Agreements: Limits to Liability, Indemnification

$297.00


Description

Cyber risks are increasing as more ubiquitous and sensitive data is stored on connected devices such as laptops, tablets, routers, smartwatches, manufacturing equipment, and even automobiles. While these are valuable tools for organizations, their proliferation has led to greater network vulnerability, increasing the possibility of a cybersecurity incident.

The use of third-party data and payment processors can significantly streamline operations and help an organization focus on its core missions. Organizations must be aware of the risks associated with using these data processors, which represent another category of third-party vendor that exposes a company to significant cybersecurity risk.

Considering the potential harm that a third-party breach or other misuses of shared data can cause, organizations should devote serious time and effort to address these threats before they arise. In addition, companies may be obligated, under specific regulations, to verify such third parties' security and privacy capabilities.

Organizations should create a vendor inventory to identify precisely which outside entities have access to what information. The inventory should include a data classification exercise, which involves categorizing data shared with third parties according to importance and sensitivity and determining the level of security required for vendors in possession of data in each category.

Counsel for businesses can also limit the liability stemming from third-party breaches through contractual agreements. Third-party service provider contracts should require prompt notification if a security breach occurs, and the vendor should be contractually required to maintain an adequate cybersecurity response plan.

Notification periods should be consistent across all contracts. Failure to timely notify of a breach should constitute a material breach under the contract, allowing the company to cut ties with a vendor that fails to provide this crucial notification. Companies should ideally have broad indemnification language in third-party vendor agreements, holding the vendor responsible for costs and liability arising out of or in connection with a vendor data breach. Companies should also consider purchasing insurance that covers loss due to third-party cybersecurity breaches.

Listen as our authoritative panel discusses data processor security and what routine audits, assessments, and training should include. The panel will address the requirements of third-party vendor agreements, including the limitations of liability and indemnification provisions.

Presented By

Patrick J. Austin
Of Counsel
Woods Rogers PLC

Mr. Austin advises clients on breach response, data privacy, information security, and regulatory compliance related to domestic and international privacy laws and regulations, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), and the Health Insurance Portability and Accountability Act (HIPAA). He is certified by the International Association of Privacy Professionals (IAPP) as a Certified Information Privacy Professional with expertise in both U.S. and European law (CIPP/US & CIPP/E).

Aaron K. Tantleff
Partner
Foley & Lardner LLP

Mr. Tantleff, CIPP/E, is a partner in Foley’s Technology Transactions, Cybersecurity, and Privacy; and the Environmental, Social, and Corporate Governance (ESG) practice groups. He represents companies in various technology, privacy, security, information management, open source, and intellectual property matters, such as the development of compliance policies, programs, cybersecurity breach preparation, incident response, big data, and data monetization initiatives. Mr. Tantleff also regularly represents clients in mergers and acquisitions, outsourcing transactions, strategic alliances, development and licensing arrangements, supply and distribution arrangements, and other strategic and collaborative transactions involving significant technology and intellectual property. He is a frequent speaker on technology, security, privacy, and outsourcing matters, and is regularly quoted in The Wall Street Journal, Reuters, Politico, Fortune, and other top-tier publications on topics such as cyberattacks, privacy law developments, and data protection, including regarding the General Data Protection Regulation (GDPR) and the Asia Pacific Cross Border Privacy Rules. Mr. Tantleff has been retained for data protection, cybersecurity, monetization of big data/IoT programs, and data breach response, remediation, and simulations by companies across all industries and sizes, domestically and abroad, including several Fortune 100 companies. He has also counseled several state legislators on cybersecurity legislation.

Credit Information
  • This 90-minute webinar is eligible in most states for 1.5 CLE credits.


Date + Time

  • Thursday, April 25, 2024
  • 1:00 p.m. ET / 10:00 a.m. PT

  1. Data processor agreements
    1. Vetting vendors
    2. Cybersecurity
      1. Response plan
    3. Notification periods
    4. Indemnification
    5. Limitations on liability
    6. Cyber insurance

The panel will review these and other key topics:

  • How should general counsel develop a vendor inventory for data processors?
  • What requirements for limitations of liability should counsel include in data processor vendor agreements?
  • What are best practices for auditing third-party vendors?