Negotiating and drafting data security obligations in commercial transactions

Data security is frequently an issue of critical importance in commercial contracts between both public and private sector customers and their respective suppliers.

Under commercial agreements, a supplier may have access to, or be responsible for managing or hosting, confidential business information, personal information or government official information of the customer or the customer’s end-users.

The issue of data security tends to be addressed in commercial contracts with an ever-increasing level of sophistication and detail, as technological developments continue to rapidly advance and the risk of data security breaches is ever-present.

Data security obligations in commercial contracts are often addressed under three topics:

  • data security;
  • privacy; and
  • confidentiality.

Data security obligations in commercial contracts can cover a number of aspects of data security, including: compliance with a customer’s data security policies; the prevention of malicious code; application or system development in compliance with a customer’s security requirements; prescriptive technical security requirements; data sovereignty requirements; controls on suppliers’ personnel; and system access and monitoring requirements.

Commercial contracts also usually contain a range of privacy and confidentiality obligations.