Vendor Contracts: What You Need, and What You May Be Missing

Dino Tsibouris(614) 360-3133

dino@tsibouris.com

Vendor Contracts: What You Need, and What You May Be Missing

Outline

• Importance of Definitions• Description of Services• Notice Provisions• Indemnification Clauses• Disclaimer of warranty Clauses• Limitation of Liability Clauses

Outline

• Responsibility for Compliance• Privacy and Security of Customer Data• Data Ownership• Service and Data Availability

Outline

• Termination Provisions and Retention and Access to Data

• Breach Notice Provisions• Compelled Disclosure of Data

Definition of Loan

Definition of Loan

Sample: Company offers a group of education loan programs in which the Bank ("Owner") participates as a lender, all of which are originated by Owner and guaranteed by Guarantor ("Loans").

Description of Services

Agreement Schedule

Description of Services

Description of Services

Agreement Schedule

In the event of conflict, Schedule governs.

Description of Services

Agreement Schedule

When Agreement terminates, some of the services in the schedule need not terminate.

Notices

Notice

• Abide by the Notice requirements of the Agreement.

Indemnification

Limitation of Liability

ACA v. C&BC

ACA v. C&BC

ACA v. C&BC

ACA v. C&BC

ACA v. C&BC

Lesson: Parties should ensure that the limitation of liability clause and the indemnification clause properly interact with one another.

Pertinent Laws and Compliance with Them

CompuCredit and CB&T

• CompuCredit enters into agreement with CB&T and other banks to market credit cards.

• CompuCredit assumes risk of compliance with TILA and other laws.

CompuCredit and CB&T

• Due to undisclosed fees, credit cards with $300 limits, end up with $115 in available credit.

CompuCredit and CB&T

• CompuCredit agrees to credit back to consumers $114 million.

CompuCredit and CB&T

• Both CompuCredit and CB&T agree to pay $2.4 million in civil penalties.

CompuCredit and CB&T

Lesson: The agreement must include detailed provisions regarding compliance with the law and the particular laws that apply. Lenders must follow up on compliance, conduct tests, audits, and spot checks, or face liability.

Shurland v. Bacci

Shurland v. Bacci

Shurland v. Bacci

Shurland v. Bacci

Shurland v. Bacci

Shurland v. Bacci

• Translink to "use due care in providing services covered by this Agreement" and to conduct its "performance of all services called for in this Agreement . . . consistent with industry standards.”

Shurland v. Bacci

• Merchant warrants and agrees that Merchant shall fully comply with all federal, state, and local laws, rules and regulations, as amended from time to time, including the Truth-in-Lending Act and Regulation Z of the Board of Governors of the Federal Reserve System.”

Shurland v. Bacci

Lesson: Parties should clearly and unambiguously assign the responsibility to comply with each law that is material to the transaction.

Privacy and Security of Customer Data

Source: Ponemon Institute

Privacy and Security of Customer Data

Source: Ponemon Institute

Privacy and Security of Customer Data

Privacy and Security of Customer Data

Privacy and Security of Customer Data

Privacy and Security of Customer Data

Privacy and Security of Customer Data

• Data stored in the cloud may be compromised due to a breach.

• Contract must take into consideration an obligation to immediately notify, cooperate, and bear the cost of sending out breach notifications and remedial actions.

• Consider insurance for breaches.

Service and Data Availability

Service and Data Availability

Service and Data Availability

• The cloud service may be subject to disruptions.

• Where possible, negotiate fines or reimbursement for outages above and beyond scheduled maintenance.

• Where possible, contract for greater availability and fault tolerance.

Termination Provisions and Retention and Access to Data

Termination Provisions and Retention and Access to Data

Termination Provisions and Retention and Access to Data

Termination Provisions and Retention and Access to Data

Termination Provisions and Retention and Access to Data

Lessons: • Ensure that ownership of information is clearly

defined. • Ensure that service provider agreement takes

into consideration your ability to access to your data and return of your data in the form that you want at the end of the relationship.

Breach Notice

• Prompt breach notification of confirmed breaches and suspected breaches is crucial.

Compelled Disclosure

Compelled Disclosure

Compelled Disclosure

Compelled Disclosure

Compelled Disclosure

• Data stored in the cloud is subject to compelled disclosure and possibly without your knowledge due to the Stored Communications Act and National Security Letters.

Outline

• Importance of Definitions• Description of Services• Notices• Indemnification Clauses• Limitation of Liability Clauses

Outline

• Important Laws, Responsibility for Complying with Them, and Substantial or Material Compliance

• Privacy and Security of Customer Data• Service and Data Availability

Outline

• Termination Provisions and Retention and Access to Data

• Breach Notice Provisions• Compelled Disclosure of Data

Questions & Answers

Dino Tsibouris(614) 360-1160dino@tsibouris.com