Contracts like Professional Services Agreements (PSAs) can be confusing—especially for those outside the legal field. At ISC2 Security Congress, Mike Monahan, CISSP, discussed how to understand and deal with cybersecurity services and product contracts effectively.

Unless you’re a law professional, deciphering contract legalese can sometimes seem like too much effort. To keep processes moving along, it can be tempting to sign the document right away so you can get down to business.

In his Bright Ideas session at ISC2 Security Congress in Nashville—The Hateful Eight: Common “Malwords” to Avoid in a Professional Services Agreement—Mike Monahan, CISSP, offered clear, practical advice on how to spot potentially problematic language in PSAs to help avoid pitfalls down the road.

Familiarizing Yourself with Contracts

Monahan explained that while PSAs often look intimidating, anyone can learn to recognize language that might put a service provider at risk. He pointed out that a mentor of his could predict, from the wording of a PSA alone, how the future relationship between his organization and the client would go. Often, a service provider is presented with a one-size-fits-all PSA containing conflicting mandates, unrealistic demands, and irrelevant terms. Knowing when PSAs need to be amended, and how to do it, was the focus of the session.

Monahan set out to teach attendees how to recognize common language to avoid in contracts, consider alternative wording, and understand the underlying principles behind proposed changes. In a conversational session, he provided the tools for professionals to be better prepared for their next PSA review.

The Hateful Eight

Often, the terms in PSAs are impossible for a service provider to honor. Over the years, Monahan has developed the following list of red-flag words and phrases to watch for during the PSA review process. Although this does not constitute legal advice and professionals should consult with their own legal department for guidance, understanding these words and phrases provides a solid foundation for future conversations.

#8: “Make Logs Available”

This phrase often comes bundled with fixed retention periods or unduly prescriptive means and methods, while the vague, subjective wording around it remains open to interpretation. It’s important to set realistic expectations, as in this example:

Before: “Such logs shall be maintained for each access for a minimum of one (1) year following such access. During such one-year period, Contractor shall maintain such logs such that they can be promptly retrieved at the request of Owner and provided to Owner as raw Information logs in an Excel data file or text file.”

After: “Such logs shall be maintained for each access for a minimum of one (1) year following such access. During such one-year period, Contractor shall maintain such logs such that they can be promptly retrieved at the request of Owner and provided to Owner as raw Information logs in an Excel data file or text file.”

#7: “Immediately”

The problem with this word is that the timeframe to act is inconsistent or unreasonable. The instant a trigger action occurs, the service provider will be in breach of contract because it’s impossible to respond “immediately.” Instead, the PSA should be amended to use specific timeframes so that compliance is possible. For example:

Before: “…Engineer will immediately revoke access…”

After: “…Engineer will immediately revoke access within one business day…”

#6: “Destruction”

Client mandates for data destruction can put service providers at odds with the law, making it impossible for them to comply. Amended terms should define what needs to legally be retained and why.

Before: “Unless otherwise authorized, on the earlier of termination or expiration of this Agreement or at any time on the request of [Client], except for any Data, which must be returned to [Client] and not destroyed as set out in subsection 1(b) of ARTICLE 34 – OBLIGATIONS ON TERMINATION AND TERMINATION ASSISTANCE, the Engineer shall promptly either, at [Client]’s option: (a) return such Confidential Information and provide certification to [Client] that all such Confidential Information has been returned; or (b) securely destroy such Confidential Information (and any documents which contain or reflect such Confidential Information) in accordance with [Client]’s instructions and security requirements and provide certification to [Client] that all such Confidential Information has been securely destroyed.”

After: Add this: “Notwithstanding the foregoing, the Parties hereto acknowledge that an Engineer’s and its Personnel’s respective computer systems may automatically back up Confidential Information and that the Engineer may: (a) retain copies of Confidential Information that are required to be retained by Law; (b) retain copies of work product that contain Confidential Information for archival purposes or to defend its work product; and (c) in accordance with legal, disaster recovery and records retention requirements, store such copies and derivative works in an archival format (e.g., tape backups), which may not be returned or destroyed, provided that such retained or stored copies of Confidential Information remain subject to the provisions of this agreement.”

#5: “Audit”

Simply put, an audit performed by a client on a service provider would violate their other client agreements. Instead, Monahan suggested asking these questions to arrive at language that satisfies both the client and the service provider: What business problem are you trying to solve? How would you like it if our other clients could audit us in the same way?

Before: “Oversight and Compliance. As evidence of compliance, Engineer shall allow [Owner] to conduct an assessment, audit, examination, or review of Engineer’s security controls related policies and procedures covering the scope of the Agreement, to confirm Engineer’s adherence to the terms of this ARTICLE 44, as well as any applicable Laws and industry standards, not more than once per year or after notification of any Security Incident or complaint regarding Engineer’s privacy and security practices. [Owner] may elect to obtain the services of a mutually agreeable third party to conduct this assessment, audit, examination, or review on behalf of [Owner] provided such third party is bound to confidentiality provisions to protect confidentiality of Engineer’s security controls.”

After: Add this: “Owner shall not have physical access to Engineer digital systems.”

#4: “Confidential”

By not defining which information is confidential, or by deeming all client information confidential, the client sets up a no-win situation for the service provider. The solution is to seek a limited definition that lowers both risk and potential costs.

Before: “For purposes of this Contract, ‘confidential information’ means all information related to the Owner, the Services, the RFP, or this Contract that is or was received or accessed by Provider, whether before or during the term of this Contract, including but not limited to all communications between the Owner and Provider relating to the Owner, the Services, the RFP, or this Contract.”

After: Check for, or add, this language: “These obligations do not apply to: 11.1.1 Information which, at the time of receipt by Provider, is in the public domain; 11.1.2 Information which is published after receipt by Provider or otherwise becomes part of the public domain through no fault of Provider; 11.1.3 Information which Provider can demonstrate was in its possession at the time of receipt and was not acquired directly or indirectly from the Owner or other companies; 11.1.4 Information which Provider can demonstrate was received by it from a third party that did not require Provider to hold it in confidence; 11.1.5 Information which is subject to release under applicable law.”

#3: “Outside the U.S.”

Terms stating that work may not be performed, nor data stored, “outside the U.S.” are incompatible with modern technology. For example, someone who travels to South America and checks their client email would be in breach of contract.

Before: “May not store, process, manage, or transmit outside the U.S. unless authorized”

After: “May not store, process, manage, or transmit outside the U.S. unless authorized”

#2: “Assist client with security incident management”

This mandate creates undue liability for the service provider. Not only is it outside the scope of the contracted services, but the definition of “security incident” varies depending on whom you ask.

Before: “Provide [Client] with the name and contact information for any Personnel who shall serve as Engineer’s primary security contact and shall be available to assist [Client] with Security Incident management, response, and recovery associated with the Security Incident.”

After: “Provide [Client] with the name and contact information for any Personnel who shall serve as Engineer’s primary security contact and shall be available to assist [Client] with Security Incident management, response, and recovery associated with the Security Incident.”

#1: “Alleged” or “Reasonably Believes”

These are subjective terms. What is reasonable? Why would allegations be actionable before they’re proven? The language in any PSA must be crystal clear to avoid confusion, especially when it comes to crisis management. An example of this is: “A ‘Security Event’ means any circumstance when (i) Consultant knows or reasonably believes that [Client] Confidential Information has been subject to any circumstance where the security, integrity, or confidentiality of any [Client] Confidential Information has been compromised…”

This language is overly broad, ripe for multiple interpretations and in need of a rewrite.

A Nonstop Exchange of Ideas

The varying backgrounds of the audience members led to many impromptu discussions of the subject, with attendees sharing their own examples in a lively exchange of ideas. This type of open discussion could also be brought to the PSA review process—where individuals weigh in based on their knowledge and experiences—to assist an organization’s legal team to achieve the goal of producing a PSA that is fair and equitable to all involved.

By understanding these red-flag words and encouraging open, informed discussions during PSA reviews, professionals can help ensure agreements are clear, fair and enforceable, protecting both their organization and their clients from costly misunderstandings.