
Annmarie Giblin and Aparna Williams made some intriguing points on required notice for security incidents during our webinar yesterday on AI data security.

Annmarie pointed out that when customers demand 48-hour incident notice from their vendors, they may be negotiating against themselves. "You don't want to know in 48 hours," she said. "I'm not going to know anything for a few days, and then by that time I'll give you more meaningful updates."

This matters because fast notice may mean your vendor is notifying you of a confirmed incident before they know the scope of what happened. That is a problem because the notice you received may trigger a short window in which you must give your regulator answers you do not yet have.

Aparna explained further. As a customer, we want to know immediately. But we need to be thinking about the dependency between receiving notice from our vendor and our own regulatory deadlines. We want notice when we can actually use it.

The problem compounds when vendor and customer share the same regulator. Annmarie asked what happens if the vendor notifies your shared regulator before you do. That would mean your own obligation is triggered by someone else's timeline. You did not control when notice went out, but your clock is now running nonetheless.

So what's the best approach? Our speakers shared a few strategies to address this challenge. Annmarie suggested using a five-business-day provision rather than a fixed hour window. She uses business days specifically because incidents tend to start on Friday nights. Aparna highlighted another approach. Customers can structure notice in two stages. First, we require an initial confirmation that an incident is under investigation. The vendor then must follow up with substantive updates as the facts develop.

Both approaches do the same thing. They give the customer time to receive information when there is enough detail to take action.

This whole conversation was a great reminder that we should negotiate for terms that match the situation's reality. Resist the "faster is better" instinct. In some cases, like this one, faster may be worse.

Click the article below to read the How to Contract team’s 10 most important takeaways from this session.