New Jersey Law Journal: Cybersecurity and Privacy Considerations in Contract Negotiations for Clients

Whether drafting or negotiating a vendor agreement or a merger or sale agreement, attorneys should consider their clients’ cyber and privacy issues in the context of the agreement, whether in conjunction with confidentiality undertakings, legal mandates under sectoral or state privacy or cybersecurity laws, indemnities, warranties, caps on damages, and data retention and destruction considerations. Without including these issues in drafting or negotiations, attorneys may not only be doing their clients a disservice but may also be causing their clients to accept or waive liability exposure and legal undertakings that the clients cannot shoulder financially. While clients may in fact choose to assume risk, as attorneys, we should advise our clients on potential exposure or recourse so they can make educated decisions.

The obvious agreements in which these considerations arise are technology agreements—whether for on-premises software, a software as a service (SaaS) subscription or an enterprise license for a generative AI tool. Whether your client is the licensor, subscriber or user of these tools, talk to your client to understand what the program or tool will do: what data will it touch, and with what systems will it interact.

  • Is the tool to be used only for internal needs, or will the client be using the tool to enable it to provide services for customers?
  • Will the tool pull information from multiple internal systems that contain confidential and/or proprietary information?
  • Will the tool be processing personally identifiable information (PII) and/or protected health information (PHI) for a covered entity under HIPAA?

Attorneys should take the time to educate themselves about their clients’ business, the information they control and process, and how the particular technology will interact with that data and systems so attorneys can guide the client on appropriate terms.

Such terms should address, by way of example:

  • Vendor restrictions as to who will have access to the client’s systems and data
  • Client’s right to access its data at any time and to download the data into the client’s internal systems
  • Vendor cannot hold client’s data hostage for non-payment
  • Transition services to return the processing back to the client’s internal environment or to a new, replacement vendor
  • Destruction of client’s data maintained by the tool and/or the vendor at the end of the relationship
  • If the vendor insists that its archive systems are purged “periodically,” document contractually those practices, and how the data is secured pending destruction
  • If your client is a covered entity under HIPAA, vendors should not be permitted to use aggregated and “allegedly” de-identified data
  • While vendors may claim to properly de-identify data to meet HIPAA’s safeguards, your client has the obligation to vet the vendor to confirm this is truly the case
  • If your client is a utility processing nuclear energy resources, data regarding the same cannot be processed off of US soil; while your client may be contracting for 24/7/365 support, that support cannot be provided from (e.g.) India
  • Vendor should maintain and test at least annually disaster recovery protocols to be able to recover fully, including client’s data, within 24 to 48 hours after an event
  • Require vendor to provide, no less than annually, evidence of third-party assessments, whether a SOC 2 Type II audit or an industry certification such as ISO 27001

Clients may not be directly subject to statutory frameworks (for example, the Gramm-Leach-Bliley Act (GLBA)). If, however, they are processing customer data on behalf of an entity that is subject to the GLBA, your clients have likely been required to sign addenda to customer contracts under which they agree to comply with the safeguards rule. Note, however, that the safeguards rule does not mandate that vendors assume liability to their customers for failure to comply and/or indemnify customers against such failures.

If you are representing such a vendor negotiating those addenda or agreements, where possible, avoid carve-outs from liability caps for:

  • Breach of confidentiality
  • Violation of laws
  • A data breach exposing non-public customers’ personal data

If your client is prepared to accept a “super cap” for such liability (rather than unlimited liability), it is important for the client to “socialize” the contract with its insurance agent to confirm its insurance will stand behind the potential liability exposure.

As the attorney for the customers of these tools, press for:

  • Warranties as to compliance with all applicable cyber and privacy laws, now in effect and hereafter adopted
  • Warranties as to no malware or malicious code
  • Restrictions on using aggregated data (whether that data contains PII, PHI or “merely” confidential information)
  • Restrictions on repurposing or reselling customer data
  • Timely notification of a cyber security incident (not just for a breach impacting your client’s data)
  • If vendor breach results in a reportable breach under states’ breach notification laws, require the vendor to pay for credit monitoring services
  • Note that if a vendor accepts this obligation, the vendor is likely to limit it to only where such services are mandated by law (at present neither New Jersey nor New York requires such services).
  • Mandate: (i) restrictions on the use of generative artificial intelligence tools in the delivery of services, and (ii) client data cannot be used to train the tool
  • Client prompts should be kept confidential as should all outputs for your client
  • In drafting and negotiating these agreements, also consider force majeure clauses and whether a third-party compromise is an excused event
  • While there is no guarantee of security, if a data breach occurs due to a vendor’s failure to maintain its contractually agreed security protocols, then the fact that a third party exploited that failure to compromise your client’s data should not be an excused event

Proactive state privacy laws, including New Jersey’s Data Privacy Law, P.L. 2023, c. 266, require companies that control and process PII protected by those laws to afford consumers privacy rights, including the right to be forgotten. If your client’s vendor is processing PII for clients’ individual customers, the contract should require the vendor to cooperate with timely responses to such requests and to delete data in the timeframe mandated by the applicable data privacy law. This and other mandates of various states’ privacy laws need to flow down from the customers to their vendors, and vendors need to contractually confirm that they similarly restrict their sub-processors.

Agreements with vendors processing PII should also require the vendor to submit to annual assessments—whether performed by the client or a third-party vendor—to ensure the vendor’s ongoing compliance, technologically, administratively and operationally, with the contract mandates for processing PII.

In the merger/acquisition context, seller’s counsel needs to understand to which privacy and/or cybersecurity laws their clients are subject and how the seller is complying (or not) with those laws. Your seller clients will be asked to represent that:

  • They are in compliance with all applicable privacy laws
  • They have had no data breaches
  • They have maintained and made available privacy policies and comply with all privacy law mandates for the processing of personal data
  • None of their privacy policies are misleading or deceptive as to the seller’s practices in controlling and processing personal data
  • All privacy requests received have been responded to as required by applicable privacy laws
  • Seller has written contracts with vendors/processors that require those vendors to comply with all privacy and cybersecurity laws in processing personal data for seller
  • Seller maintains a written information security program

Representing a buyer, attorneys will want to mandate these representations and warranties, and in due diligence work with subject matter experts retained by the client to identify potential vulnerabilities and shortcomings in the target’s data practices, technologically, administratively and operationally. Attorneys may counsel that clients require a target company to first have an external risk assessment so that your client is not the next company to acquire an undisclosed data breach.

A final thought for attorneys drafting contracts with cyber and privacy implications is what insurance (if any) will stand behind your client in the event of a data incident. If your client uses a third party to process credit card payments, regardless of whether the vendor represents that it is compliant with the Payment Card Industry Data Security Standard (PCI DSS), if the vendor experiences a data breach your client will be one of many who will expect the vendor to stand behind them. In fact, the “click wrap” agreements from these vendors either disclaim or limit liability. If your client does not have insurance to protect itself from such events, your client will be without a safety net.

In summary, regardless of the type of agreement you are negotiating or drafting for your client, it likely has cyber and/or privacy implications. The examples provided in this discussion are not exhaustive but are intended to be illustrative of the myriad laws and issues which need to be considered and addressed. Attorneys need to know the questions to ask and the laws that apply, and then guide clients through the process to best protect clients, their data and their systems.


Reprinted with permission from the November 24, 2025 issue of the New Jersey Law Journal. © 2025. ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.