In the previous blog update (Part 1), I promised to continue decoding densely worded End User License Agreements (EULAs). As discussed in the prior blog, the EULA is the agreement containing the terms the user of a software program agrees to abide by in using the software. In this blog, I address security. First, an excerpt from a standard-form cloud services agreement:
“Company X shall notify Customer of any Unauthorized Access as soon as reasonably practical. In the event that any applicable law requires that any notice be given to Customer’s Service Users or clients, Company X acknowledges and agrees that Customer shall have control over the timing, content, and method of any required notification.”
Many companies have moved to cloud-based software to store their data, or a company may give outside vendors access to its internal systems in order to maintain them. Remember the Target breach from six years ago (late 2013). The attackers gained a foothold in Target's network by stealing the credentials of a third-party heating, ventilation and refrigeration contractor that had remote access to Target's vendor portal. The contractor had been compromised by a phishing attack months earlier. Using the contractor's stolen credentials, the attackers moved from the vendor portal into Target's internal network and installed malware on Target's point-of-sale systems.
It is important to determine what security measures the software provider has in place, especially when the provider is cloud-based or is a third-party vendor with external access to your systems. The EULA may provide some safeguards, or it may be silent on the issue. Note that the clause quoted above commits Company X only to notify the Customer "as soon as reasonably practical," with no fixed deadline, and says nothing about who bears the cost of any required notice. It is important to know: What security measures does the cloud-based provider or vendor have in place to protect against attacks? What reimbursement does the software provider give if it is hacked and your company loses access to its data for 2, 10, or 20 days? What mitigation costs, if any, does the provider cover for unauthorized access to your clients' or employees' data? Will the software provider reimburse you for the cost of notifying your customers of an unauthorized access event?
A company needs to ask the right questions before simply agreeing to the standard terms in a EULA. Mismanaging this risk can cost a company in the end, not only in lost time but in lost reputation with its clients.
Up next: Part 3 Continuing to Decode Software Agreements – Support AKA Updates/Modifications