TAL Global’s General Counsel, Lawrence Dietz, Esq. was selected to present a Vendor Contract Workshop at the prestigious RSA Security Conference (www.rsaconference.com) held annually in San Francisco. This conference is the major information security event in the US. Competition for presenting slots is quite keen and normally only 1 in 11 are selected.
Mr. Dietz’s Peer to Peer session focused on vendor contracts and how customers can best position themselves during the negotiation. Neither that session nor these notes are intended as legal advice. Legal advice can only be rendered by competent, licensed professionals.
The following comments and tips should be helpful to customers as they prepare to negotiate with IT vendors, especially with cloud services vendors. TAL Global does not provide legal advice, but we are delighted to work with your General Counsel to assist in the process or help with vendor contract problems.
- The process is just as important as the substance.
  - Legal Perspective
  - Customer Perspective
- Just about everything is negotiable.
- You want to apply the law of your State and have any legal matters adjudicated in your home court. (no pun intended)
- Know the authority level of the person or people on the other side. Just how much can they decide before going to someone else?
- Does the penalty fit the crime? Merely refunding your monthly payment may not be enough compensation in many cases.
- Cloud, shmoud – you need to know who the subcontractors are and where they are located. It is vitally important to know where the servers containing your data reside.
  - Legal reasons
  - Security reasons
- Benchmark/Milestone payments are a good approach as long as they are quantifiable.
- Make sure you understand the escalation procedure.
- Talk to at least three references – preferably about the same size you are, ideally same business, but not competitors.
- You need to ensure the honesty of vendor (and subcontractor) personnel working with your data. Vendors must certify that they have done a background check.
- Bonding is probably only a remedy in the event of a reported crime.
- If hardware or software is being supplied, make sure you have documentation of what it is and assurance of legal ownership.
- Vendor should describe the physical and information security controls.
- Primary contact needs to be vetted for technical and customer support skills.
- Third parties: As with any third party, the vendor must identify the third party, describe what services the third party will be performing, and the qualifications of the third party. You should have the right to approve or disapprove. Disapproval should also include the right to terminate the contract without any of the stated penalties for early termination.
- Document how or if your information will be used.
- Decide if you want an automatic renewal or not.
- Make certain all legal terms are defined to your satisfaction – especially key ones like material breach.
- Prohibit the use of your organization’s name, logo, etc. without your written permission.