Part of our series on Security for Medium Businesses.
Note: while understanding is not wholly predicated on formal accreditation, Simple Salt would be remiss in failing to inform you that recommendations here should not be construed as legal advice and should not be used as a replacement for a lawyer advising you on the specifics of your situation. tl;dr: IANAL.
A successful business must balance customer service with efficient operations. You ensure customer loyalty by delighting customers, but overextending cuts into margin. A well-run business sets clear expectations with customers and vendors about who does what; fuzzy lines between your responsibility and theirs set up risky situations.
At best, these situations risk your margin, and at worst, they risk an argument. In life and the law, the most expensive activity is arguing, so it pays to think through and write down your expectations. This makes subsequent disagreement cheaper to resolve, especially if it goes to court.
Defining boundaries is most important for expensive risks, and security issues can be expensive. A key part of efficiently reducing your security risk is setting clear expectations about where your security responsibilities end and where your partner’s responsibilities begin.
Written expectations come in two flavors: up-front expectations should go in a contract, and ongoing expectations should be integrated into standard messaging. Today, we will cover contracts and next week we will discuss how to integrate them into your messaging.
Most terms in a contract describe what should happen in rare and expensive situations. Consider the following examples typical of a B2B contract:
Payment Terms - How quickly does the customer need to pay? What happens if they do not?
Warranty - If the vendor delivered something that the customer does not like, who pays for the replacement or redo?
Force Majeure - If something extraordinary happens and one side cannot fulfill its side of the contract, it gets to pause or cancel. Top examples include wars, floods, extended electrical outages, and industry-wide strikes.
Ownership - If deliverables are easily copied (design, source code, or consulting services), who owns them? Can the vendor also sell it to someone else? Can the customer?
Severability - If a judge rules that a part of the contract is illegal, what happens to the rest of the contract?
Jurisdiction - If you do have a legal dispute, where does it happen? People generally want local courts, to keep legal costs lower.
Limited Liability - What is the maximum remedy if the contract is breached and one company suffers losses? In most Common Law jurisdictions, the default is the value of the contract.
A good contract does more than protect you in case of a high-cost argument; it demonstrates competence and business acumen. It builds trust with partners and discourages potential partners who intend to take advantage of you.
Security risks can be expensive, so they are worth addressing in contracts. When creating or reviewing contracts, consider adding the following types of clauses:
When a business pays a vendor, add specifics to prevent payment redirection (a fraudulent change to where the money is sent). Consider specifying:
The mechanism - credit card, wire transfer, check, or ACH.
How account details are set and changed - this should match how you designed your standard process. You could use registered mail, in-person meetings, or even let partners make changes through a self-service portal.
Fault - what happens if fraud occurs because these terms were not followed.
Access to secrets
When a partner has access to a company’s secrets, it is usually worth specifying how rigorously they must protect those secrets. Consider adding the following clauses:
Data Use - How the vendor can use sensitive information entrusted to them. Spelling this out builds trust with your client and avoids unwelcome surprises such as undisclosed subcontractors and unexpected marketing. Done right, it can also improve your defensibility under privacy law.
Transfer & Handling - How to move and share sensitive data. Protecting secrets on computers is a complicated topic, and auditors spend a lot of time on it. Organizations solve this problem by focusing their attention on one system, then directing everyone to use it. Depending on the importance of protection and auditability, it may be worth defining acceptable systems and how they should be used. This section can run to multiple pages in contracts between large companies.
Audit rights - If a vendor provides services that help meet a customer's compliance obligations, they may need to proactively provide evidence or paperwork. Sometimes the customer even decides to audit them periodically. If audit rights are needed, describe the responsibilities of each partner, including advance notice for audits, scope of audits, specific documents needed, due dates, and what happens if they are unavailable.
Insurance - Customers often believe that holding a cybersecurity insurance policy indicates security strength and coverage. Recently, many companies have re-examined that assumption as cybersecurity premiums quadrupled and eligibility requirements and denial rates soared. For many large companies, a policy is still table stakes. If you are contractually bound to have cyber insurance, ensure that the scope and key terms of the required policy are defined.
You can save yourself a lot of grief and cost by setting clear security expectations in contracts. Next week, we will cover how to mirror these expectations in the normal messages you send out.
If you need help with security terms in your contracts, give us a ring.