Today, more and more nonprofits rely on third-party vendors for technology solutions to provide a range of services and operational support, including donor outreach and management, web platforms, payment processing solutions, and data storage. This past May, Blackbaud, a prominent service technology provider to nonprofits, announced that it suffered a major data breach. Whether or not your organization was affected, the recent Blackbaud breach – and their very-delayed and by many accounts lackluster response – is a wake-up call for organizations to consider the terms of their relationship with all third-party vendors.
The reality is that most of the “default” third-party terms are invariably one-sided in favor of the vendor. Should things go awry as they did with the Blackbaud incident, it is vital to have the appropriate legal terms in the contract to protect your interests. While it is impossible to provide an exhaustive list of issues to be considered in negotiating a contract, I recommend that the following five points should always be addressed prior to signing a third-party technology contract.
1. Adjust the Limitation of Liability Cap
Vendors routinely attempt to limit any claims for loss or damage that might be incurred. Typically, they try to limit recovery to the fees paid over the preceding six months, or even less. I suggest that the “cap” be set at some multiple of the total contract value, and not be tied to monies paid to date. This avoids having only limited recompense for claims that arise early in the contract term, when little has yet been paid.
2. Draft Exclusions to the Limitation of Liability Cap
Related to the first provision, most types of damage are “capped” at some pre-agreed dollar amount. However, certain damage, because it poses a greater risk to your organization and its reputation, should be excluded. As an example, damage that results from a data breach, indemnified claims and breaches of your confidential information should never be capped. In the case of the Blackbaud breach, such an exclusion would have allowed your organization to fully recover all losses and expenses.
3. Require Breach Notification and Credit Monitoring Expenses
The Blackbaud incident illustrates that breaches happen. Although unfortunate, the reality is that no system or platform is “breach proof.” Even if your vendors maintain all the various physical, logical and administrative security precautions that have been reasonably requested, breaches can occur.
If a breach occurs and notification is required, your vendor is obligated to notify you alone, not your end-user donors. For this reason, I strongly recommend that you require any vendor that has access to personally identifiable information on your behalf to agree to pay for all fines, expenses and costs related to the breach, including notification to your donors, regulatory fines, and credit monitoring services for the potentially affected individuals. They should also be required to promptly notify you of any breach or suspected breach – my recommendation is within 48-72 hours. Blackbaud took over two months to provide notification! This is reprehensible – but they are now the exception that proves the rule: contractually obligate your vendors to give timely notice.
4. Insist on Specific Cyber/Privacy Representations and Warranties
During the sales pitch, prospective clients are presented with polished and detailed marketing materials that exhaustively describe the vendor’s product, including the cyber-security precautions the vendor has in place. However, most contracts provide scant details of the actual precautions to be undertaken. Bottom line: if a vendor is getting access to any personally identifiable information, you should have specific and detailed cyber-security and privacy requirements spelled out in the contract.
5. Request Transition Services
Vendor relationships do not last forever. When the time comes to change vendors, the transition can be a lengthy and arduous process. When the existing vendor is reluctant to assist with the transition, the client is the one left stuck with the logjam. To mitigate this issue, I always insist on including a provision in the contract that requires the vendor to provide ongoing services and specific transition support at their then-current standard rates for a specified period of time.
In the sentiments of Robert Frost, good contracts make good vendors. As the Blackbaud data breach illustrates, “stuff” happens. While Blackbaud is only one of many third-party providers to suffer a data breach, the attack serves as a stark example of why organizations need to take the time to carefully evaluate third-party vendor privacy and cyber-security practices, as well as insist on specific contractual terms that define accountability and responsibilities in the event of an incident. (And FYI, the NY SHIELD Act requires all organizations that collect information on NY residents to review all such contracts with third-party vendors to ensure that those contracts impose specific technological, administrative and physical safeguards.) Failure to do so could leave your organization with limited recourse and remedies when the worst happens.