Indemnification as a Result of Security Breach

#Why is this Important
#Reference
#Criticality
#Sample RFP Language
#Sample Contract Clauses

Why is this Important:
As many states now have breach notification laws, the originating institution of higher education would bear the cost of notifying affected persons in the event of a security breach involving that institution's data. These types of provisions allow the institution to recoup some of that cost in the event of a security breach of the third party's system. It is important to note that an indemnification clause likely needs to be broad enough to cover all risks that are allocated in the agreement, not solely limited to security breaches.

Reference:
Appendix 1 ISO/IEC 27002:2005, Reference 6.2.3(r); (s)

Criticality: Category 2 and Category 4.

Sample RFP Language:

  • Not Applicable. Theme best addressed with contract clauses.

#Top

Sample Contract Clauses:

  1. [Vendor] shall defend and hold Institution harmless from all claims, liabilities, damages, or judgments involving a third party, including Institution's costs and attorney fees, which arise as a result of [Vendor]'s failure to meet any of its obligations under this contract.
  2. [Vendor] shall indemnify, defend and hold Institution harmless from all lawsuits, claims, liabilities, damages, settlements, or judgments, including Institution's costs and attorney fees, which arise as a result of [Vendor]'s negligent acts or omissions or willful misconduct.

#Top

special conditions

(question) Questions or comments? (info) Contact us.

(warning) Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).

  • No labels