Eight Data-Related Provisions That Might be Missing from Your Professional Services Agreement
Modern business requires the engagement of professional services providers for IT services, marketing, software, data hosting, or other needed services. Far too often, though, the agreements governing these relationships are completely silent on key provisions that relate to the transfer, protection, and use of data. Here are a few key provisions that are often missing from professional services agreements:
1. Data Use. Service providers should have restrictions on how data provided to them for the performance of their services can be used, retained, and stored. While most parties think it is implied and understood that a service provider can use the business’s data for the sole purpose of performing the services, businesses might get burned if they do not explicitly include contract language on that subject. Privacy laws like the California Consumer Privacy Act explicitly address the misuse of data by service providers and make businesses responsible for how service providers use data collected or stored by the business. Service providers will generally be amenable to contract provisions stating that any data, confidential information, or other materials transferred as part of the engagement shall be used only to carry out the service provider’s obligations to the client under the contract.
2. Ownership of data. As between the business and the professional services provider, the business should own all data provided to the service provider for the performance of the services to the business. Conversely, most service provider agreements provide that the service provider owns any intellectual property, methodology, know-how, or other confidential information that it brings to the engagement. Generally speaking, how these rights are defined is up to the parties, but there should be a clear description of how the ownership rights are determined and allocated.
3. Destruction/Return of Data. Upon the termination or expiration of an agreement, or upon the reasonable request of the party disclosing the data, the receiving party should not have an issue returning data to the rightful owner (or destroying it if that’s what the disclosing party prefers). Having said that, there may be a legitimate reason to retain certain data. This could be in accordance with a data retention policy, for audit or compliance purposes, or for other legal or administrative reasons. In that case, it would be reasonable to require the receiving party to maintain the confidentiality of the data, to notify the other party if an unauthorized disclosure of the data occurs, and for relevant provisions on confidentiality and data security to survive the termination or expiration of the agreement.
4. Data Security Obligations. Unless the agreement is with a large organization or a cloud software provider, data security obligations are rarely explicitly addressed in professional services agreements. Without data security language, customers must rely on confidentiality provisions to protect their data. If a customer submits a security questionnaire, asks about security assessments or audits, or requests contractual commitments regarding data security and the service provider is unable or unwilling to play ball, then that’s a cause for concern. In 2021, service providers should be capable of responding to data security questions and contractually committing to maintaining certain data security controls.
5. Data Breach Notice and Costs. While most professional services agreements contain confidentiality provisions, the corresponding obligation to notify a customer about breaches of, unauthorized access to, or acquisition of confidential information is frequently absent from the agreement. What happens if a data breach occurs? Is the service provider obligated to tell the customer about it? Is the service provider obligated to hire forensics experts, pay for costs arising from the breach, and take other steps to ameliorate the breach? If forensics experts are retained, does the agreement provide a specific obligation to notify the business customer? Sector-specific agreements, such as business associate agreements under HIPAA, may explicitly address these items, but such provisions and duties are commonly missing from standard professional services engagements.
6. Warranties. Service providers tend to include an eye-catching, blatantly obvious disclaimer of warranties in their agreements; however, the assurances or warranties a customer is hoping to see, such as performance warranties, data security warranties, and compliance warranties, tend to be missing. If there is a warranty, then it’s usually quite narrow and the remedies are limited to re-performance of the services or a refund limited to fees paid if the service provider is unable to re-perform. While those remedies are less than ideal, especially when they are labeled as the sole and exclusive remedies, having a warranty and the option to require re-performance or a refund is better than no warranty.
7. Indemnification. In many technology-related agreements, a service provider’s indemnity is either absent or limited to intellectual property infringement. Alternatively, service providers frequently ask customers to indemnify them for any breach of the agreement or for any claim related to the customer’s data. The service provider tends to justify this risk allocation by pointing to its “one to many” professional services model. That argument is over-used, especially in the indemnification context. There are many ways for a customer to narrow its own indemnity obligations and seek additional indemnification obligations from the service provider, so as to distribute the risk of the engagement more evenly.
8. Limitation of Liability Exclusions. Lately, many professional services agreements cap the service provider’s liability at two, three, or six months of fees paid. First, that is less than industry standard. Second, these provisions almost always completely disclaim or limit liability for consequential or indirect damages. And third, these one-sided limitations of liability shift almost all the risk to the customer and rarely include carve-outs for key concerns, such as data security and confidentiality, gross negligence, willful misconduct, or fraud by the service provider, or the indemnification obligations found elsewhere in the agreement.
Service providers enjoy a significant home-court advantage when using their standard professional services contract. These agreements were likely drafted with the primary goal of protecting the service provider’s interests. Many service providers refuse to negotiate or deviate from their standard form despite entirely reasonable requests from their prospective customers. Clark Hill’s Data Privacy and Cybersecurity Practice Group has years of experience negotiating various technology-related transactions. We know what buttons to push, what’s industry standard, and, unlike the party that drafted the form contract, our goal is always protecting the interests of our clients.