Breach Response Clause

Written by: Patrick Shaunessy


What is a breach response clause?

When a business (a controller) enters into a contract with another (a vendor) to obtain products or services, it may need to share certain data pertaining to its customers, employees, contractors, etc. (each a data subject) with the vendor for the purposes of that contract.¹ Often, this data includes information of a personal or sensitive nature, and applicable data protection laws² may impose certain obligations on these businesses with respect thereto. To comply with these data protection laws, vendors and controllers generally need to add specific terms to their contracts regarding the protection of data subjects’ data. This includes terms like the breach response clause, which addresses the parties’ obligations in circumstances where a data subject’s data is (or is at risk of being) compromised. This clause helps ensure that the parties are aligned in their response to any such circumstance and that appropriate action is taken in a timely manner. Actions taken by the vendor pursuant to this clause may include investigating the breach, providing support to the controller and others, containing and resolving the breach, and preventing its recurrence.

As the examples below illustrate, breach response clauses can be found in a variety of contracts. They are perhaps most common, however, in contracts that by their nature involve the collection, processing, use, and/or storage of data, such as data processing agreements, SaaS agreements, and business associate agreements as well as any schedules, addendums or policies relating to data protection that may supplement these agreements.


¹ In this article, the terms “controller”, “vendor” and “data subject” are used to differentiate among the following: (i) businesses that have the authority to direct how and when data in their possession may be used by others, including third parties (controllers); (ii) third party businesses that provide products or services to businesses described in (i) (vendors); and (iii) individuals (natural persons) that provide data to (or whose data is collected by) businesses described in (i) (data subjects). Certain data protection laws also contain similar defined terms - for example, GDPR uses “data controller”, “data processor” and “data subject”, respectively. While these legal terms may overlap with the terms “controller”, “vendor” and “data subject” as used in this article, they are not necessarily an exact match. For example, a “vendor” for the purposes of this article could also be a “data controller” (or its equivalent) under applicable law.

² In this article, the term “data protection law” means any law, regulation, etc. pertaining to privacy and/or data security.

Why does the breach response clause matter?

As technology has developed in recent years to allow more data to be available or accessible either online or in digital form, privacy and data security have become increasingly important, and governments all over the world - including those at the state, provincial and local level - have enacted comprehensive legislation to address these matters. Some well-known examples include the European Union’s General Data Protection Regulation (GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the United States’ Health Insurance Portability and Accountability Act (HIPAA), and the California Consumer Privacy Act (CCPA).

While these laws may have similar objectives and some may even apply to similar kinds of data, they all have different requirements for effecting compliance. Fulfilling these compliance obligations can, therefore, be both expensive and time-consuming for many businesses - especially given that privacy and data security are areas of law that are constantly evolving. Many of these laws require controllers to notify the relevant authorities and/or certain data subjects in the event of a data breach, including any breach that involves a vendor with whom they do business. These communications (particularly those provided to any relevant authority) typically must also include details about the measures taken by the controller to address the issue. In other words, the controller’s responsibility does not stop at providing notice. It also has to demonstrate that appropriate action is being taken to contain and resolve the breach. Similarly, vendors may be legally required to assist controllers in these response efforts. As noted above, to ensure compliance with applicable data protection laws, controllers and their vendors may be required to include breach response clauses in their contracts. The challenge some of these businesses face is that they may have hundreds or even thousands of contracts with these clauses in them, which adds to the complexity of the compliance framework. When the unexpected happens and data subjects’ data is (or is at risk of being) compromised, businesses that are unprepared may find themselves scrambling to figure out what they need to do to prevent adverse legal, financial and even reputational consequences. To avoid being caught off guard, these businesses would be well advised to review their contracts proactively for data protection clauses, including breach response clauses, to familiarize themselves with their terms and ensure ongoing compliance with applicable law.

How do you review the breach response clause in contracts?

After locating all the breach response language in each agreement, key things to focus on when reviewing these provisions include:

  1. What data the clause applies to. As the examples below illustrate, breach response clauses often include a defined term such as “Personal Data”, “Customer Data”, “Confidential Information”, or “Personally Identifiable Information”, in which case it will be necessary to review the definition of any such term(s) to ascertain the full scope of the data to which the provision applies. Sometimes, however, the clause may refer to “personal data”, “personal information”, etc. without defining the precise meaning of those terms (see, for instance, example 12 below). Some of these terms are defined under various data protection laws - e.g., “personal data” (GDPR) and “personal information” (CCPA and PIPEDA). And while these terms may seem similar, they are generally not interchangeable. Accordingly, when encountering one of these undefined terms in a breach response clause - or even a defined term in the clause that contains a legislative reference (e.g., “Personal Data” may reference the definition of that term under GDPR) - be sure to check any applicable data protection laws to confirm how those statutes or regulations define them and, by extension, how they should be interpreted for the purposes of that clause. In addition, pay particular attention to any undefined terms in breach response clauses that do not have corresponding definitions in applicable data protection laws, as the ambiguity this introduces could have problematic consequences - especially if it gives the vendor sufficient interpretive latitude to exclude certain types of data from the scope of this provision.

  2. What obligations are specified. As the examples below illustrate, the degree of specificity when it comes to describing the vendor’s obligations in the event of a breach varies. As noted above, common obligations include (i) the duty to investigate and report the findings to the controller; (ii) the duty to assist the controller in addressing the breach, including taking steps to protect the data subjects affected by it; and (iii) the duty to take remedial action to resolve the breach and prevent it from happening again. In some agreements, the breach response clause may also require the vendor to notify the controller should a breach occur (see, for instance, example 1 below). Other agreements might have a separate breach notification clause that addresses this particular obligation. When reviewing these obligations, be sure to confirm that they are consistent with the requirements of applicable law.

  3. What triggers these obligations. The breach response clause is, of course, designed to require action when an actual breach occurs. In some cases, however, even an attempted or suspected breach may trigger it (see, for instance, examples 1, 7 and 9 below) as well as incidents in which data is lost, damaged or altered in a way not specifically contemplated by the contract. To clarify the range of incidents to which the clause applies, parties may include defined terms such as “Security Breach”, “Security Incident” or “Personal Data Breach”, in which case it will be necessary to review the definition of any such term(s) to ascertain the full scope of circumstances under which the obligations outlined in the clause are triggered. This includes checking the relevant provisions of any data protection laws referenced in these definitions or in the clause itself. In addition, as with the obligations specified in the clause, when reviewing the circumstances in which these obligations are triggered, be sure to confirm that these terms are consistent with the requirements of applicable law.

  4. Cost implications. The breach response clause may require the vendor to cover all of the controller’s costs associated with the breach, including those associated with notifying data subjects and fulfilling its own compliance obligations (see, for instance, example 5 below). In addition, the indemnification and limitation of liability clauses may contain important details regarding the vendor’s liability exposure in the event of a data breach.

As with the review of any contractual provision, it’s also important to be aware of other provisions that may affect the interpretation of breach response clauses. Defined terms, for example, were mentioned in points 1 and 3 above, and the indemnification and limitation of liability clauses were mentioned in point 4. The breach notification clause (if separate from the breach response clause) establishes the vendor’s obligation to notify the controller in the event of a breach. Finally, although they are not contractual terms, the provisions of applicable data protection laws can help parties interpret these clauses and evaluate the rights, duties and restrictions they establish. Note that the governing law section, which establishes which jurisdiction’s laws apply to an agreement, will generally be insufficient for the purposes of determining what data protection laws apply to both the contract and each party. Vendors and controllers need to consider all the facts and circumstances of their contractual relationship as well as their respective business operations more generally to ascertain all applicable data protection laws.

Software that uses AI to identify and extract breach response clauses (as well as other terms that may affect their interpretation) can accelerate the work of finding these provisions and enable a more comprehensive review than can otherwise be done manually.

Examples of the breach response clause

Below are some examples of breach response clauses from different kinds of agreements. While these examples do not necessarily cover the full range of breach response clauses one may encounter, they are meant to illustrate the degree to which these provisions can vary from contract to contract. Where an example includes broader contextual language, the breach response clause is highlighted in bold.

Example 1: From a Master Services Agreement

13.6 Breach or Potential Breach; Notification Requirements. In the event Supplier or Supplier Agents discovers or is notified of a breach or potential breach of security relating to Customer Data or any breach or potential breach of this Article 13 or any Data Protection Laws, Supplier shall (a) immediately notify the Customer Governance Executive of such breach or potential breach (including providing the Customer Governance Executive with an initial security risk assessment); (b) investigate such breach or potential breach and prepare a report of the breach or potential breach and corrective action taken; (c) coordinate with Customer with respect to any communication of such breach or potential breach; (d) take such steps as are deemed necessary by Customer to protect those individuals and/or Data Subjects affected or potentially affected by the breach or potential breach, whether due to actual or potential fraud, identity theft or otherwise; (e) provide full, prompt and good-faith cooperation as requested by Customer in investigating and addressing any such breach or potential breach, including making available personnel with sufficient knowledge to work with Customer to resolve any breach or potential breach and determine the scope of the breach or potential breach; and (f) in the case of an actual breach remediate the effects of the breach. 
In the event of a breach attributable to an act or omission of Supplier, as part of such remediation, Supplier shall: (w) pay all cost and expense of Customer’s compliance with any of Customer’s notification obligations, including Customer’s compliance with Laws relating to the notification of individuals and entities whose information may have been disclosed in connection with the breach, as well as the costs of credit monitoring services for affected individuals; (x) provide Customer with a root cause analysis on the breach; (y) provide Customer with a corrective action plan acceptable to Customer; and (z) provide Customer with assurance satisfactory to Customer that such breach shall not recur. If any security breach or a breach of this Article 13 or of any Data Protection Laws requires Customer to make a disclosure to any third party, Customer shall be solely responsible for making that disclosure and Supplier and Supplier Agents shall cooperate with Customer in formulating the disclosure. Supplier and Supplier Agents shall not make any disclosure regarding a security breach, a breach of this Article 13 or of any Data Protection Laws without Customer’s prior consent, which may be withheld at Customer’s sole discretion. Supplier shall promptly provide to Customer any information or records that are requested by any Governmental Authority or otherwise required to answer any inquiries from any Governmental Authority.

Example 2: From a Software Application License

2.8 Security: Vendor agrees and warrants that it shall:…

(c) cooperate fully with Customer to investigate, remediate, and mitigate the effects of the Personal Data Security Breach, and take all appropriate corrective action including, at the request of Customer (and at the expense of Vendor where the Personal Data Security Breach is due to the fault of Vendor), providing notice to all persons whose Personal Data may have been affected by the Security Breach.

Example 3: From a Data Processing Addendum

  3. Processor obligations

3.1 With respect to all Personal Data, Processor warrants that it will:…

(g) promptly provide Customer with reasonable cooperation and assistance in respect of the Security Breach and all information in Processor’s possession concerning the Security Breach, including, to the extent known to Processor, the following:

(i) the possible cause and consequences of the Security Breach;

(ii) the categories of Personal Data involved (Customer acknowledges that since Customer selects the Personal Data processed with the Processor Platform, and since Processor does not typically have visibility into the scope and nature of such Personal Data, Customer is responsible for determining such categories);

(iii) a summary of the possible consequences for the relevant data subjects (Customer acknowledges that since Customer selects the Personal Data processed with the Processor Platform as described above, and the data subject to whom such personal data relates, and since Processor does not typically have visibility into the foregoing, Customer is primarily responsible for determining such consequences);

(iv) a summary of the unauthorised recipients of the Personal Data; and

(v) the measures taken by Processor to mitigate any damage;

Example 4: From a Services Agreement

  1. Notification of Security Breach and Incident Response. Each Party shall advise the other Party promptly in the event that it learns that there has been or may have been unauthorized access to or use of, or any security breach relating to or affecting, Sensitive Personal Information, or that any Person who has had access to Sensitive Personal Information has violated or intends to violate the terms of this Agreement. In such an event, each Party, at its own expense, shall cooperate with the other Party in investigating and responding to the foregoing, notifying customers or other affected services, call center services and forensics services, fines imposed by credit card associations, merchant banks or financial account institutions, and costs passed on by individual card companies, banks and other financial institutions, such as the costs of issuing replacement cards, fraud liability, chargebacks, compromise fees and other remediation costs). The remedies set forth herein shall be in addition to any other remedies available at law or in equity, including but not limited to the indemnification obligations set forth in Section 7 below. Notwithstanding the foregoing, no Party shall have the obligation to pay for the other Party‘s costs or expenses of any kind to the extent a breach of this Exhibit AA by such other Party or its agents is a proximate cause of the Security Breach.

Example 5: From a Data Protection Addendum

16.2 Security Incident Notification - Customer Content: Vendor shall, to the extent permitted by law, promptly notify Customer of any Security Incident of which Vendor becomes aware. To the extent such Security Incident is caused by a violation of the requirements of this Addendum by Vendor, Vendor shall make reasonable efforts to identify and remediate the cause of such Security Incident. Vendor shall provide reasonable assistance to Customer in the event that Customer is required under Applicable Data Protection Law to notify a supervisory authority or any data subjects of the Security Incident.

Example 6: From a Data Processing Agreement

(vii) Domain: information security incident management.

  1. Incident response process. Vendor maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and the procedure for recovering data.

  2. Service Monitoring. Vendor security personnel verify logs at least every six months to propose remediation efforts if necessary.

Example 7: From a Master Service Agreement

Unauthorized Access. SERVICE PROVIDER also acknowledges the requirements of the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice issued by bank regulatory agencies on March 29, 2005, regarding implementing effective notification procedures in the event of unauthorized access to Customer Information. As such, the parties acknowledge and agree that SERVICE PROVIDER shall be responsible for the unauthorized or fraudulent application for, access to or use of the Customer Information by any entity caused by the negligent acts or omissions of SERVICE PROVIDER, its employees, subcontractors or agents. If SERVICE PROVIDER becomes aware of any actual or suspected security breach involving unauthorized access (i.e., physical trespass on a secure facility, computing systems intrusion/hacking, loss/theft of a PC (laptop or desktop), loss/theft of printed materials, etc.) to the Customer Information, that either compromises or in SERVICE PROVIDER’s reasonable judgment may have compromised the Customer Information, SERVICE PROVIDER shall report such incident within forty-eight (48) hours in writing to COMPANY, BANK, or one of their respective Subsidiaries, as applicable, and describe in reasonable detail the circumstances surrounding such unauthorized access (including, without limitation, a description of the causes of such breach). Any report under this Section shall include a brief summary of the steps being taken by SERVICE PROVIDER to remedy such breach. 
Except as may be strictly required by Legal Requirements, SERVICE PROVIDER agrees that it will not inform any Third Party of any such security breach without Popular’s, or its applicable Affiliate’s, prior written consent; however, if such disclosure is required by Legal Requirements, SERVICE PROVIDER agrees to reasonably cooperate with COMPANY, BANK, and their respective Subsidiaries regarding the content of such disclosure so as to minimize any potential adverse impact upon COMPANY, BANK, and their respective Subsidiaries and their clients and customers.

Example 8: From a Professional Services Agreement

(d) Service Provider’s Responsibilities Regarding Customer’s Network. To the extent any Equipment provided or used by Service Provider or Service Provider Personnel is connected directly to the network(s) of Customer or any Eligible Recipient, such Equipment (and all Software installed thereon) shall be (i) subject to review and approval in advance by Customer (Service Provider shall cooperate with Customer in the testing, evaluation and approval of such Equipment), (ii) in strict compliance with Customer’s then-current security policies, architectures, standards, rules and procedures, and (iii) in strict compliance with Customer’s then-current hardware and software specifications. Service Provider shall not install or permit the installation of any other software on such Equipment without Customer’s prior approval. Service Provider shall promptly investigate any security breach of Customer’s networks or Systems associated with Service Provider Personnel or the performance of the Services. Service Provider shall notify Customer and permit Customer to participate in any audit or investigation of any such security breach. Service Provider shall promptly report in reasonable detail the findings of any such audit or investigation to Customer and shall provide Customer with a summary of any written report prepared in connection therewith; provided that Service Provider has no obligation to disclose confidential or proprietary information of its other customers and any disclosure of Service Provider’s Proprietary Information shall be subject to the confidentiality requirements of Article 13. 
From within Customer Facilities, Service Provider will be allowed to connect to the Service Provider network through virtual private network connections authorized by Customer, and in compliance with Customer’s then-current security policies, architectures, standards, rules and procedures, so that Service Provider can provide resources supporting Customer with access to training, methodologies, tools, communication, collaboration and other valuable assets essential to providing the Services to Customer.

Example 9: From a Transition Services Agreement

Section 7.02. Security Incidents.

(a) In the event that either Party discovers (i) any material breach of its security safeguards or measures or the Systems used to provide the Services or access to the Facilities including any incidents that are the subject of Section 2.17(g) or (ii) any breach or threatened breach of its security safeguards or measures that involves or may reasonably be expected to involve unauthorized access, disclosure or use of the other Party’s Confidential Information, including Personally Identifiable Information (each of (i) and (ii), a “Security Incident”), such Party shall, at its cost, (x) promptly (both orally, if practicable, and in any event in writing) notify the other Party of said Security Incident and (y) fully cooperate with the other Party (I) to take commercially reasonable measures necessary to control and contain the security of such Personally Identifiable Information, (II) to remedy any such Security Incident, including using commercially reasonable best efforts to identify and address any root causes for such Security Incident and (III) to keep such other Party advised of all material measures taken and other developments with respect to such Security Incident.

(b) Each Provider shall take all reasonable and appropriate steps, in consultation with the applicable Recipient, to protect the Systems and Confidential Information and to remediate unauthorized access to, disclosure of or use of any Systems or Confidential Information arising from a Security Incident or otherwise. Each modification requested by a Recipient to protect its System and/or Confidential Information shall be deemed a Change subject to the provisions of Section 2.12; provided, however, that any such approved modification request implemented to remediate a Security Incident shall be implemented at the sole cost of the Provider that experienced the Security Incident.

Example 10: From a Cash Management Master Agreement

9.5 Customer agrees to adopt and implement commercially reasonable policies, procedures and systems to provide security to information being transmitted and to receive, store, transmit and destroy data or information in a secure manner to prevent loss, theft or unauthorized access to data or information (“Data Breaches”). Customer also agrees that it will promptly investigate any suspected Data Breaches and monitor its systems regularly for unauthorized intrusions. Customer will provide timely and accurate notification to Bank of any Data Breaches when known or reasonably suspected by Customer and will take all reasonable measures, including, without limitation, retaining competent forensic experts, to determine the scope of and data or transactions affected by any Data Breaches, and immediately providing all such information to Bank.

Example 11: From a Data Processing Addendum

  7. Personal Data Breach

7.1 Processor shall notify Company without undue delay upon Processor becoming aware of a Personal Data Breach affecting Personal Data which may require a notification to be made to a supervisory authority or data subject under Data Protection Law or which Processor is required to notify to Company under Data Protection Law, providing Company with sufficient information to allow Company to meet any obligations to report or inform data subjects of the Personal Data Breach under Data Protection Law.

7.2 To the extent such Personal Data Breach is caused by a violation of this Addendum by Processor, Processor shall provide commercially reasonable cooperation and assistance in identifying the cause of such Personal Data Breach and take commercially reasonable steps to remediate the cause to the extent the remediation is within Processor’s control.

Example 12: From a Data Processing Addendum

  1. SECURITY BREACH MANAGEMENT AND NOTIFICATION

Vendor maintains security incident management policies and procedures, including detailed security incident escalation procedures. If Vendor becomes aware of any unauthorized disclosure of Customer Data in breach of Section 6.1 (a “Security Incident”), then Vendor will notify Customer within forty-eight (48) hours and provide Customer with relevant information about the Security Incident, including, to the extent then known, the type of Customer Data involved, the volume of Customer Data disclosed, the circumstances of the incident, mitigation steps taken, and remedial and preventative action taken.

Example 13: From a Master Services Agreement

15.1.6 Supplier Personnel will not attempt to access or allow access to Customer Information that is not required for the performance of the Services by such Supplier Personnel. The Supplier will promptly notify Customer of any breach or potential breach of security relating to Customer Information (including with respect to such information held or processed by subcontractors) and investigate and remediate the effects of such breach or potential breach.

Example 14: From a Master Services Agreement

17.7 Remediation

In the event Vendor becomes aware of any Security Breach, Vendor shall, at its own expense, (1) immediately notify Customer of such Security Breach and perform a root cause analysis thereon, (2) investigate such Security Breach, (3) provide Customer with a remediation plan, acceptable to Customer, to address the Security Breach and prevent any further incidents, (4) remediate such Security Breach if caused by the acts or omissions of Vendor or Vendor Personnel; otherwise assist Customer in mitigating the effects of such Security Breach in accordance with such remediation plan, and (5) cooperate with Customer and any law enforcement, regulatory official, credit reporting company, and credit card association investigating such Security Breach. Without limiting the foregoing, Customer shall make the final decision on notifying Customer’s customers, employees, service providers and/or the general public of such Security Breach, and the implementation of the remediation plan. If a notification to a customer is required under Applicable Law, then notifications to all customers who are affected by the same event (as reasonably determined by Customer) shall be considered legally required. Vendor shall reimburse Customer for all reasonable “Notification Related Costs” incurred by Customer arising out of or in connection with any such Security Breach resulting in a requirement for legally required notifications (as determined in accordance with the previous sentence).

Example 15: From a Data Processing Addendum

  1. Personal Data Breach Notification to Customer. Processor shall notify Customer without undue delay after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data processed by Processor and its Sub-Processors. Processor shall make reasonable efforts to identify the cause of such breach and take those steps as Processor deems necessary and reasonable in order to remediate the cause of such a breach to the extent the remediation is within Processor’s reasonable control.