During the past year, the dark web has evolved from a place known only to those working in cybersecurity and individuals seeking anonymity to a place known by the general public and discussed on the evening news. The raised awareness of the dark web within the general public means that organizations should review their security requirements and contract provisions to ensure they adequately address the risks posed by the dark web.
In technology contracts where a vendor will host buyer data, buyers must contemplate recovery in the event of a security breach. Buyers of technology should include express provisions on cost recovery in the event of a data breach. Without an express provision, the buyer risks that damages flowing from a security breach could be categorized as consequential damage and, therefore, unrecoverable. On the other hand, vendors are usually opposed to allowing recovery of any consequential damages arising from a data breach, arguing that such a broad carve-out opens the liability door too wide.
Over the years, the market has found middle ground by negotiating a list of “deemed direct” damages. This approach addresses the buyer’s need for certainty regarding cost recovery without exposing the vendor to an unacceptable level of risk. The items on the deemed direct damages list vary depending on the industry, contract spend, and leverage of the negotiating parties. For buyers who have significant leverage, the list can include the costs of PR firms, forensic investigations, and government fines. For buyers with less leverage, the list is much smaller, but usually includes, at minimum, an obligation for the vendor to cover notification costs and credit monitoring for affected persons.
However, currently, these provisions rarely contemplate the effects of the dark web or ransomware and should be revisited in light of the current landscape. Specifically, to appropriately address the risks associated with ransomware and the sale of information on the dark web, a buyer of technology should endeavor to include the following in their technology contracts:
- A broad definition of security breach that covers situations where access or compromise cannot be definitively determined but can be deduced by the presence of the information on the dark web.
- A proactive obligation for a vendor to have dark web surveillance active and monitored at all times and an obligation to notify buyers if that surveillance shows that buyer data has been leaked.
- Inclusion of reactive dark web surveillance as a “deemed direct” damage of a security breach.
- Understanding and documentation about insurance coverage or exclusions for paying ransom for ransomware or paying dark web actors to purchase the information being offered for sale on the dark web.