Negotiating for Value In Vendor Contracts

Privacy and data security provisions are crucial.

Vendor contracting is often a very one-sided negotiation. The terms overwhelmingly favor the vendor and omit critical privacy and data security provisions, leaving businesses vulnerable. With preparation, every business can improve its bargaining position and secure better terms to protect the business's valuable and sensitive data.

Leveling the Playing Field: Careful preparation can significantly reduce the automatic imbalance in negotiating power. Start by defining the project’s requirements in detail. Research, define and collect the information that will accurately define the scope of the work being contracted for.

Include a proposed contract, prepared by counsel, with the most important terms. The vendor’s default contracts will overwhelmingly favor the vendor, and put the buyer at an automatic disadvantage.

Once the preferred vendor is identified, establish simple negotiation procedures and stick to them. Require that key decision makers participate to avoid delays, and limit the time spent negotiating to keep focused and on schedule.

Covering the Bases: Often, the contract negotiation is focused on only price and output. The inputs – often sensitive and valuable information that will be provided to the vendor – are also important. Preparation, particularly in defining the scope of the work, will identify what information the vendor needs for the project, and what contract terms are necessary to protect that information’s business value.

The contract should identify the information the vendor will need, and what can and cannot be done with that information. Identify what information the vendor may receive and access, and for what purpose it can be accessed. Everything else should be prohibited.

Address the risk that the vendor will experience a data breach. The contract should establish the security standard the vendor is required to maintain. In certain industries, this must comply with industry-standard minimum security measures.

If there is a breach, define what triggers the vendor’s duty to provide notice. Too often, this is omitted or is vague. The vendor should provide notice when it reasonably believes there has been a breach, not only after it is certain there has been a breach. The difference can provide a business with critical time to mitigate its loss, alert customers and minimize reputational damage.

Finally, the contract should address who pays if something goes wrong. Indemnification provisions should be standard, and should not be limited to only the value of the contract. Likewise, the vendor should be required to carry adequate insurance and provide proof.

About the Author: Ryan J. Cooper is counsel at Pashman Stein and head of the firm’s privacy and information governance practice. He can be reached at