Steven D. Tibbets is managing senior counsel at CA Technologies, Washington, DC, providing legal support to the company’s public sector business.
Like many individuals, businesses, and government agencies around the world, U.S. state and local governments now treat cybersecurity as a priority. These entities must follow both new data security laws and regulations and new dimensions of long-standing cybersecurity laws and regulations, and they must flow those requirements down to their vendors. In this rapidly changing environment, state and local procurement professionals frequently “play it safe” by insisting that vendors agree to standard contract terms that tend to be sweeping in scope, heavily weighted in favor of the agencies (or intended as a backstop in the event that agencies fail to uphold their own data security obligations), and in excess of what the law actually requires. This approach is understandable and, on the surface, appears to be a sound method for obtaining as much protection as possible for the institutions and individuals whose sensitive data is at stake.
Ultimately, though, the imposition of data security requirements that exceed both what is necessary to be reasonably prudent and what is required by law is likely to cause problems. Contractors may agree to meet security requirements they later determine they cannot meet — or can only meet by taking measures that make it difficult to maintain financial viability. Or contractors may agree to terms they do not understand or have no intention of complying with because they do not believe the terms actually apply. These effects of data security overreach could eventually harm the interests of government agencies and the constituencies they serve.
This article proposes ideas — some that have met with success in real-world contract negotiations and others that are novel — for overcoming the challenges posed by data security overreach in state and local procurements.