This website uses cookies

Read our Privacy policy and Terms of use for more information.

Most of the work in data security contracting goes into the front end, the safeguards a vendor promises and the long lists of controls it agrees to maintain. The language that takes over once an incident actually happens gets far less attention, and that is exactly where the real exposure lives. AI has made the gap wider by blurring where data sits and who can reach it, so the words that govern incident response, cost, and notice now carry more weight than ever.

Laura Frederick hosted this How to Contract webinar with two speakers who see these provisions from opposite seats. Aparna Williams, Chief Legal Officer at Sophos, brought the customer perspective, and Annmarie Giblin, Deputy General Counsel at Cloaked, brought the vendor perspective. Both have spent years in cybersecurity, which let them move past theory and talk about how this language actually behaves in the middle of a real incident.

Laura ran the session in her drafting format, putting AI-generated sample provisions on screen so the group could read the actual words and pull them apart. The conversation worked through three provisions that decide how an incident plays out, incident response obligations, remediation and cost allocation, and regulatory notification, along with practical points on proof, insurance, and where these disputes tend to land.

Here are our top ten takeaways from the speakers' comments during the webinar:

  1. Treat the language after an incident as carefully as the language before one. Most of us spend our drafting energy on safeguards and front-end promises. The provisions that actually decide your outcome are the ones that govern what happens once something goes wrong. Aparna has spent 25 years in cyber and framed the whole job as predicting the future, and the after-incident language is where that prediction gets tested.

  2. Don't lean on "reasonable" and "sole discretion" to do your work for you. Soft language used to feel flexible and safe. In a world where systems and threats move fast, that openness leaves you exposed when emotions and uncertainty run high. A vendor reserving the right to decide what counts as a security incident is now a warning sign, not a convenience. Define the incident, define the timelines, and decide in advance what gets disclosed.

  3. Decide for yourself when you actually need to know. An incident at the vendor running your cafeteria menus does not move you, but one at your cloud provider or the holder of your customer data does. Set that baseline before you negotiate and make sure your contracting team knows it. You also do not want hourly updates on day one, because nobody knows anything useful in the first few days, and you want the vendor focused on the incident.

  4. Build in "breach bombs" so you can get your data and your facts back. Annmarie has watched vendors refuse to hand over a copy of the data or say what was compromised even when the contract required it. Put provisions in place that give you real recourse when the vendor goes quiet. The point is not to punish, it is to make sure you can meet your own obligations when the vendor controls the facts.

  5. Be careful how you handle written updates during an incident. Prescriptive cadence helps the business team avoid guessing, like a daily check-in plus a substantive update every two to three days. The risk is that overly prescriptive written updates hand the other side free discovery, since anything in writing can become exhibit A in a lawsuit. The workable middle is meaningful updates on an agreed cadence, often delivered by phone or video rather than email.

  6. Allocate remediation costs around what the forensics actually show. It is tempting to assume the vendor is at fault, but a customer configuration can be the real cause even when the vendor's tool worked as designed. Write the provision so responsibility follows the findings, with room for shared fault. Aparna's "quick lawyer math" on a $40 million super cap is a good habit, tying the number to the records and customers actually at risk rather than to a figure that just sounds protective.

  7. Don't promise to prevent the next incident. Language requiring remediation reasonably designed to prevent recurrence of substantially similar incidents is impossible to deliver. A zero-day vulnerability can hit even when you have a patching schedule, vendor notices, and active CVE monitoring. Promising prevention you cannot guarantee just creates a breach you will be sued over later. Commit to concrete, realistic steps instead.

  8. Keep your regulators to yourself, but make the vendor sit with you. Never let a vendor talk to a regulator that has audit authority over you, though you can let the vendor handle the individual notices it caused. The line that each party handles its own notifications is technically correct but ignores how dependent you are on the vendor for the facts. Ask for reasonable assistance with your own submission, and remember that a short buffer, like five business days, can keep you off a larger breach and out of someone else's headline.

  9. Make the vendor prove it, not just claim it. The common mistake is reading a data security exhibit, confirming it lists the right safeguards, and forgetting to say show me. A certification is not the same as security, and AI can draft one of those too. Ask about real incidents, tabletop exercises, and what the vendor actually did. The protection lives in what they can document, not in what the clause says.

  10. Set your insurance floor and plan for the fight you might have. Push for a meaningful cyber policy, at least $5 million, when a vendor holds a lot of your individuals' data, and treat a vendor playing cute with caps mid-incident as a red flag. A provision making the responsible party reimburse your necessary and reasonable costs gives you real leverage. The bigger litigation risk is the consumer class action, since plaintiffs' lawyers watch the leak sites, while business-to-business disputes tend to land in arbitration that can be slow and expensive.

Subscribe to Stay in the Loop

Our weekly newsletter rounds up recaps like this one and the contract negotiation insights we share between webinars. Subscribe now so the next round of takeaways reaches you, whether or not you catch the next session live.