Overview: Data security in commercial transactions

Negotiating and drafting data security obligations in commercial transactions

Data security is frequently a critical issue in commercial contracts between public and private sector customers and their suppliers.

Under commercial agreements, a supplier may have access to, or be responsible for managing or hosting, confidential business information, personal information or government official information of the customer or the customer’s end-users.

Data security tends to be addressed in commercial contracts with increasing sophistication and detail, as technology continues to advance rapidly and the risk of a data security breach is ever-present.

Data security obligations in commercial contracts are often addressed under three topics:

  • data security;
  • privacy; and
  • confidentiality.

Data security obligations in commercial contracts can cover a number of aspects of data security, including:

  • compliance with a customer’s data security policies;
  • the prevention of malicious code;
  • application or system development in compliance with a customer’s security requirements;
  • prescriptive technical security requirements;
  • data sovereignty requirements;
  • controls on suppliers’ personnel; and
  • system access and monitoring requirements.

Commercial contracts also usually contain a range of privacy and confidentiality obligations.

Managing data security obligations in commercial transactions

Managing data security obligations in commercial transactions usually requires both the customer and supplier to allocate appropriate personnel and IT systems, develop contract management manuals, and implement a range of operational processes.

Customers and suppliers each have their own concerns about how data security obligations are managed.

Both customers and suppliers should ensure that they assign appropriate personnel and resources to managing their contractual obligations relating to data security.

A service provider should conduct regular audits of its IT security systems, processes, practices and policies.

There are a number of key contract management issues in relation to data security that customers and suppliers should be aware of.

Cybersecurity liability and insurance

Cybersecurity insurance allows an organisation to insure itself against certain cybersecurity risks.

By obtaining cybersecurity insurance, an organisation seeks to transfer the risk of financial loss associated with a cybersecurity incident to the insurer.

Cybersecurity insurance policies vary in the nature and extent of both the risks they cover and the exclusions from coverage.

An organisation without cybersecurity insurance must bear the costs of a cybersecurity incident itself, including costs that it might otherwise have been able to claim under a policy.

An organisation may also seek to limit or exclude its liability for data security breaches by including provisions to that effect in its contracts with other organisations or persons.