Legal news and trends for Canadian in-house counsel and c-suite executives
Issue link: https://digital.canadianlawyermag.com/i/616113
13 CANADIANLAWYERMAG.COM/INHOUSE JANUARY 2016 Q U I Z By Ralph Kroman, partner, WeirFoulds LLP GO TO CANADIANLAWYERMAG.COM TO WATCH A WEIRFOULDS LLP LAWYER TALK ABOUT THIS QUIZ. 1 You fl ip to the section of the agreement that deals with confi dentiality and you see that the "standard of care" is that the service provider must maintain the same degree of care regarding safeguarding the data and other confi dential information supplied to it by the company that it applies to its own confi dential information. You have seen this standard of care before and noticed that it is quite common. What is the best provision to add in order to help ensure that the service provider is responsible for all security breaches of the company's data? (A) The right to inspect the service provider and its facilities. (B) An additional standard of care. (C) Incident notifi cation and management procedures in the event of a security breach. (D) Tight restrictions upon the service provider's use of subcontractors. 2 Which one of the following items is relevant to contracts and cybersecurity? (A) ISFA Standard 6240. (B) CSA 683-41A. (C) INFA EEC Data Standards. (D) SSAE 16. 3 You are successful in negotiating robust confi dentiality obligations in order to ensure that the company will be able to recoup all of its losses in the event of a breach by the service provider of confi dentiality obligations. You negotiate an indemnity from the service provider regarding any breach of the obligations. You are happy because the indemnity is very broad — for example, it includes indemnifi cation of the company's affi liates, offi cers, directors, employees, etc., and covers all direct and indirect losses and damages suffered by the company and not merely indemnifi cation for third-party claims. Is your work done on the contract in order to ensure full recovery for breach of the confi dentiality provisions? (A) Yes. (B) No. (C) It depends on the contract. 4 What other provisions should a company insert in an IT service contract in order to manage cybersecurity risk where the service provider possesses the data of a company? (A) Restrictions on location of the company's data. (B) Traditional insurance must be maintained by the service provider. (C) Security schedules. (D) Some but not all of the above. Managing cybersecurity risk in contracts Many companies acquire IT services from third-party service providers where the service providers host or otherwise acquire data and other confi dential information of a company. In this context, software services "in the cloud" may involve hosting by the service provider of a company's data and other confi dential information. The service provider's standard form contract will typically seek to minimize its risk regarding breaches of a company's confi dential information. Take this quiz to fi nd out how prepared you are to deal with IT service contracts where the service provider will handle data and other confi dential information of a company.