Legal Review

Legal Review Contact: For assistance in reviewing the legal implications of a contract, please contact the University's legal counsel.
Summary: You should always have a Contract with the Vendor and you should compare it to what the Vendor has promised you.  A good contract provides a description of responsibilities, binds the parties to their duties and provides recourse in the event a party fails to live up to its obligations.

Contract

Is there a proposed Contract for the license or service?
Recommendation:
The Vendor's obligations should be set out in a Contract.

Term

What is the term of the Contract?
Recommendation:
You should know the length of the Contract and when it will terminate or automatically renew, and when you can cancel it without penalty.

Ownership of Information

Under the Contract, who owns your information?
Recommendation:
When supplying sensitive information to a vendor, the Contract should expressly state that the information is owned by the University.

Confidentiality

Does the Contract have a confidentiality clause?
Recommendation:
A detailed confidentiality clause should outline how the vendor will collect, use and disclose your information. Pay specific attention to the definition of "Confidential Information" or such similar term to ensure that your sensitive data falls within the definition.

Assignment and Subcontracting

Does the Contract mention whether the Vendor can assign the Agreement and/or subcontract the services?
Recommendation:
Although the Vendor may be reputable, make sure that the Vendor cannot assign the Contract to another vendor who is not as diligent in protecting your information. Care should also be taken because some Vendors subcontract the storage of your information to a third-party host without your knowledge.

Audit

Does the Contract permit a privacy audit?
Recommendation:
It's great that a Vendor agrees to protect your data, but how do you know that the Vendor is actually living up to its obligations? The best means to do so would be to include a privacy audit clause in the agreement allowing you to investigate whether the Vendor is complying with its contractual obligations for maintaining information privacy.

Insurance

Does the Contract require the vendor to provide insurance?
Recommendation:
The Vendor should be obligated to have cyber insurance when dealing with sensitive information. Traditional insurance policies do not typically address cyber risk, and internet and network exposures are increasingly subject to exclusion from such policies. Cyber insurance, on the other hand, is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage.

Limitation of Liability

Does the Contract have a limitation of liability clause?
Recommendation:
A limitation of liability clause permits the Vendor to reduce or eliminate its potential responsibility for direct and other types of damages related to a breach of contract or other claims. In a typical software contract, a Vendor may limit its liability to the amount paid by you in the preceding 3- or 12-month period, or even to zero. The clause may also expressly exclude responsibility for privacy breaches. You should try to negotiate an increase in the cap if possible and try to ensure that the limitation of liability clause is not applicable to privacy breaches, breaches of confidentiality and/or the Vendor's indemnification obligations.

Indemnity

Does the Contract contain an indemnity clause?
Recommendation:
If the Vendor fails to protect your information or breaches a third party's intellectual property, should you be sued and have to pay legal fees? One way to avoid this issue is to have the Vendor indemnify you for all costs and damages resulting from such claims.

Termination

Are you permitted to terminate the Contract or Services?
Recommendation:
If the Vendor is not living up to its privacy or other obligations, should you be in the contract for the next five years?  The best way to protect yourself is to ensure that you can terminate the contract, either at any time or if certain circumstances occur. The Broader Public Sector Accountability Act, Procurement Directive, requires you to include appropriate cancellation or termination clauses in your Contract.

Governing Law

What is the governing law of the Contract?
Recommendation:
In every Contract, the Vendor will include a clause on the law which governs the Contract and a clause which limits where the Vendor can be sued (e.g. you are required to sue the Vendor in Washington State for any breaches of the Contract, and the laws of Washington State govern the interpretation and enforceability of the Contract). Wherever possible, try to ensure that the laws of the Province of Ontario govern the Contract and ensure that the Vendor can be sued in Ontario.



