• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

Contracting for cybersecurity risks for customers

Cybersecurity is a business imperative, and the reason is simple: the impact of a security breach can be severe. Any approach to cybersecurity must address each group which has access to the systems and data of a business, such as its customers, providers, affiliates and employees. This article is focussed on the cybersecurity risks for a business when contracting with its service providers.

Factors which affect risk include the type of business the customer operates, the level of access the provider has to systems and data, the data involved (and the sensitivity of the data), the potential impact of security breaches (and data being lost or stolen), and compliance with the applicable regulatory regime.The risk profile may also differ through the phases of service provision, from transition to steady state and finally, exit. The following is a summary of the key cybersecurity issues to address in the contract for services, which can be tailored by the customer to the circumstances of each deal.

  1. What arose during the customer’s due diligence in relation to the services to be provided and the provider itself which should be covered in the contract?  For example, if the provider was chosen because of their compliance with certain security standards, ensure they have a contractual obligation to continue to comply with those standards.
  2. Who has a right to access systems and data?
  • Can access be limited (physically and logically) to provider personnel who have a strict need to access systems and data?  Have those personnel been background checked and trained in data security? 
  • What is the minimum amount of data that the provider needs to access?
  • How long is access required? 
  • Can access be monitored and logged to provide an audit trail? 
  • What other access controls can be put in place?
  1. How will systems and data be accessed, both physically and logically?  If remote access is to be provided or data is to be transmitted, what additional safeguards can be used?
  2. Be specific about how data can be used and equally explicit about any restrictions on use.  What data can be shared or disclosed to third parties and in what circumstances?  Ensure the confidentiality provisions in the contract are adequate and aligned to the provisions relating to data. 
  3. What data can or must be stored by the provider?  What data cannot be stored?
  4. Where will data be stored by the provider?  Does this cause any logical or physical security concerns, or regulatory compliance concerns?    
  5. How will data be stored? What security standards and controls will be in place?
  6. What protections must the provider comply with in relation to system security (e.g. anti-hacking software, anti-virus software, application of regular software updates, network security maintenance including firewalls) and storing, processing and transmitting data (e.g. encryption, especially on removable media or portable technology)?  Are the provider’s relevant standards, policies and procedures sufficient, given the harm that could result from a security breach? 
  7. Can the customer’s data be segregated from other data?  In addition, can a particular data subject’s data be segregated, processed in a certain manner, ported or deleted? 
  8. Can the provider introduce hardware or software into the customer’s IT environment, and how will the integration be managed to reduce risks?   The provider should be obliged to provide hardware and software free of defects, viruses and vulnerabilities, and to promptly remedy any such issues if they arise.
  9. Include an obligation for the provider to comply with applicable laws, industry standards and guidelines, and changes to the same (with any consequential impact on service delivery methods or other contractual provisions to be agreed by the parties).
  10. The customer should have its own comprehensive and current standards, policies and procedures to cover security and data protection, including policies relating to access, storage, usage and transmittal of data, document retention, employment and HR (including vetting and background checking), IT usage, privacy, and incident management.  These standards, policies and procedures must cater for the services being provided and the service delivery model offered by the provider. 
  • The provider should be required to comply with the customer standards, policies and procedures as they change from time to time (again, with any further contractual impact of the change to be agreed).  
  • Provider personnel should be fully trained in relation to the customer policies and the contract, including any notification and escalation provisions in the event of a breach or cyberattack.
  1. Consider the contractual consequences of a security breach.   
  • Ensure there is a requirement on the provider to notify the customer of a security breach within timescales which allow the customer to comply with its regulatory or contractual notification requirements. 
  • Consider also the controls the customer requires over any notification of a security breach to regulatory authorities or other third parties.   
  • Include express provisions relating to the cooperation and support to be provided by the provider in the event of a security breach in order to contain a breach and its impact, to recover or restore any data (e.g. roles and responsibilities of a security breach team that the provider will make available to support the customer), and to enable the customer to comply with its obligations under regulations.   
  • Require the provider to prepare an incident response plan which the parties can implement if a security breach occurs.    
  • Include rights to remove provider personnel for violations of the contract.  Consider also whether rebates or credits for a failure by the provider to comply with the contract terms may encourage compliance.
  1. Consider whether liability is capped or excluded in relation to a data security breach.  Are regulatory fines stated to be a direct loss and recoverable without limit?
  2. Ensure the customer has adequate rights to terminate the contract (including express rights to terminate for breach of the data security and confidentiality provisions, or more specific obligations where necessary) and claim damages.    
  3. How will data be returned or deleted?  Equally, is data retention a requirement in any circumstance, and if so, for what period?  How will equipment and materials be destroyed?  How will shared technology be disconnected?
  4. Allocate responsibility for cyber and privacy insurance with coverage and limits that are appropriate for the services provided, and the potential impact of breaches.
  5. Add provisions which require regular review of the provider’s compliance with the contract, including through reporting and governance meetings.  Ensure the contract and related policies and procedures are maintained to address new cyber threats, the available protections and changes to laws and industry standards. 
  6. Include rights to audit the provider’s compliance with the contract.  Audits and risk assessments should be carried out regularly and the robustness of policies and measures (both logical and physical) should be tested periodically.

In summary, the customer needs to assess and address the risks of each services arrangement independently so that the resulting contract provides adequate protection for the customer.  And as mentioned in the introduction, there are many constituent pieces of the cybersecurity jigsaw.  As one jigsaw piece changes, the customer must review all other moving parts to ensure the customer maintains a comprehensive and cohesive approach to cybersecurity.  

For more information, please contact Tania Williams.

 

Contact our experts for further advice

Tania Williams