
Navigating data privacy risks in vendor contracting

A guide to legal and insurance-based tools, provided by Willis Towers Watson and Norton Rose Fulbright

Companies face an ever-growing risk of monetary and reputational loss caused by a data breach. Studies have shown that this risk is heightened when companies contract with vendors to access, process, store, or transmit their sensitive data, such as personal information or protected health information.

This risk can be mitigated at the outset of a vendor relationship. Proper attention to the terms of the contract and the insurance coverage to be carried by the vendor can go a long way toward transferring financial risks to the vendor, who is often in the best position to prevent or promptly remediate a data breach.

General framework for vendor information security and contract terms

While contracting parties may vary in their approaches to addressing information security in a vendor contract, common elements do exist when it comes to information security contract terms.

Required security standards and data handling limitations

These terms identify the security measures or standards a vendor is required to adhere to in order to protect the confidentiality, integrity and availability of personal information or other sensitive data.

Security assessment rights

Even when a vendor has agreed to specific security measures, it may be legally necessary, or advisable from a risk perspective, to assess the vendor's compliance with both the vendor agreement and the required security standard. These terms give the customer the right to perform that assessment.

Incident response

Many companies view vendors as an extension of their own internal environment and security. This is especially true for incident response. These terms set forth the vendor’s obligations to cooperate with and support its customer’s response to a security incident suffered by the vendor.

Risk transfer

If a vendor suffers or causes a security incident, which party is financially liable for the losses suffered by the company? These terms address the limitation and expansion of a vendor's liability to its customers if the vendor suffers a security incident or otherwise breaches the data security and privacy terms of its agreement.

Increasingly, insurance is being used as a tool to help companies address vendor risk and to transfer to insurers the risk that cannot be fully addressed through the contract. Insurance clauses specify the type of insurance a vendor is required to maintain and set forth the scope of coverage expected under a vendor agreement.

Why Willis Towers Watson?

Cybersecurity is not just a technology problem. More than half of all cyber incidents begin with employees, so it is a people problem. And the average breach costs $4 million, so it is a capital problem too. No one decodes this complexity better than Willis Towers Watson. As a global leader in human capital solutions, risk advisory and broking, we are well prepared to assess your cyber vulnerabilities, protect you through best-in-class solutions and radically improve your ability to recover successfully from future attacks.

An integrated process that brings critical insights, best-in-class protections and uncompromising recovery resources to a business's cyber risk profile.

Why Norton Rose Fulbright?

At a time when data security and privacy risks are rapidly evolving, Norton Rose Fulbright provides clients with a comprehensive strategy to tackle the full range of privacy and data security legal issues worldwide. Our dedicated global practice is composed of experienced lawyers from around the world who specialize in the complex issues associated with proprietary data. We concentrate on the legal issues related to privacy, data security, new media, information technology, e-commerce and intellectual property. Our practice consists of four "pillars": compliance and risk management, transactions, breach response and preparedness, and disputes, including government investigations and litigation.

For further information, please contact:

Joe DePaul
Cyber/E&O Practice Leader
FINEX North America
Willis Towers Watson
+1 973 829 2972

Jason Krauss
Cyber/E&O Thought & Product Leader
FINEX North America
Willis Towers Watson
+1 212 915 8374

David Navetta
Partner, Norton Rose Fulbright
+1 303 801 2732

Matt Spohn
Senior Counsel, Norton Rose Fulbright
+1 303 801 2732