Security Services Agreement Defined
The definition of a security services agreement is quite broad and can encompass many different types of security services, including: electronic monitoring of premises or assets within premises (i.e., video surveillance); manned security services (i.e., property protection or executive protection); and the sale of electronic security monitoring systems. The purpose of a security services agreement is to contractually define and limit the obligations and liabilities of each party and the services that will be provided. Security services agreements are often used by physical security companies and electronic monitoring companies.
Depending on the scope of the work , a security services agreement should include provisions addressing the specifications for the security services, establishing limitations of liability, establishing limitations on the use of data collected in the provision of security services, and providing for termination rights. Limitation of liability provisions that limit a party’s liability for either ordinary negligence or even grossly negligent acts can be found in many security services agreements.
Components of Security Services Agreements
The body of your agreement will set out the parameters of the services that are being provided. This will include the scope of the security services to be performed, as well as setting out the general obligations of the company providing the security services and the Customer. It is important that the specific services that are being provided by the security company are set out clearly in the agreement. The body of the agreement will also set out the payment schedule. The ongoing payments or retainer to be paid by the Customer to the company will have to be drafted clearly to reflect what is being provided. There may be clauses regarding a minimum payment for a specified period of time or a continued retainer, even if the services are not provided for that entire time period. The agreement will also address the confidentiality obligations of each of the parties, which is important, particularly in the context of termination of the agreement, where the sensitivity of information used or obtained by the security company may be at risk. Exclusivity, liability, indemnity and termination provisions will be included to protect both of the parties.
Legal Aspects of Security Agreements
A number of legal issues should be considered when designing a security services agreement. The agreement should be compliant with federal and state regulations, and should also contain provisions that cover liability, insurance and dispute resolution.
It is important that the service provider comply with relevant industry standards. Federal laws such as the Health Insurance Portability and Accountability Act (HIPAA) provide minimum standards for safeguards of protected health information. Other laws, including the requirements of the GLBA, the Privacy Act and Gramm-Leach-Bliley Act (GLBA) may impact contracting decisions.
One topic to be considered is liability. Security services agreements typically include limits on liability. For software as a service(SaaS) deployments, many cloud service providers include standard indemnities and warranty disclaimers. However, as discussed in a recent K&L Gates article, "The Special Risks of Software or Cloud Computing in the Healthcare Sector", healthcare providers should carefully consider any limit on liability clauses and disclaimers of warranties.
Contractors may have a threshold amount of liability. This amount may be capped at the fees paid in the preceding 12 months, while some may cap liability at the total fees paid under the contract between the parties. Another common approach is to limit liability to general or consequential damages (e.g,, not including "lost profits").
Liability for theft or loss of client information, especially if the data is protected information under relevant state and federal data protection laws, must be clearly addressed. Some states, for example California, have mandatory data breach notification laws. Healthcare organizations should also consider compliance with HIPPA’s privacy and security standards, to the extent applicable.
Deciding what lies beyond liability caps is another important issue that should be dealt with in the terms of service or security services agreement. Third party claims and claims for bodily injury are two areas that frequently fall outside liability caps. Professional malpractice laws set minimum liability standards for those providing security and privacy services. There are also risks where the contractor is not covered despite the type of services being provided (e.g., healthcare providers may not be covered despite processing or storing protected health information).
Indemnification agreements may be used to protect healthcare providers for possible losses that arise in connection with their providers’ actions or omissions. Under an indemnity provision, the provider agrees to indemnify the healthcare provider(s) against certain specified types of financial liability, for example, arising out of the unauthorized disclosure of personal information.
Insurance coverage is another critical issue. Coverage details, such as specialty coverage for privacy and data protection, should be included in the agreement.
Dispute resolution issues should be discussed in advance. Dispute resolution clauses provide notice to the provider regarding which states will be involved with any proceedings. A corporate or government provider should not put itself in the position of being subject to civil or criminal investigations in multiple states, most likely each state adopting differing theories of liability.
Finally, most security services agreements include time limits on claims or disputes. Such limitations usually require that claims should be brought within a certain period of time after a cause of action occurs. Parties should agree in advance how and where to meet to settle claims by formal or informal negotiation.
Mistakes to Avoid
While it’s important for an organization to ensure their security services agreement covers all elements necessary to protect their rights, it is equally important that an organization avoids the following common mistakes:
Failure to adequately define the services and deliverables:
- The clearer the parties can be in describing the scope of services and deliverables in the agreement, the better protected their interests will be.
- Be specific about the services that the service provider will perform and articulate the measurement criteria. If possible, it is helpful to cite to appendices, schedules or other documents that the parties may incorporate by reference to further explain the scope.
- Depending on the specific nature of the security services being provided, geographical restrictions may need to be included in the agreement so that the independent contractor is not working in another area that your organization deems to be a breach of the agreement .
- Ensure that enough time and specificity is given to describe the deliverables, as it will be difficult to claim that a security services provider has failed to meet its obligations if they are not specific enough.
- Careful consideration must also be taken to ensure that the facility or location at which the security services are to be performed are adequately defined.
Failure to include but not limited to the following in the agreement:
- While it is not uncommon for parties to omit the selection process for service providers from the agreement, it is critical for providers to include a selection clause that outlines how potential security service providers will be selected. In addition, such clause should set out the disclosure requirements for potential service providers.
- A well-drafted agreement will contain enough detail regarding the services and the service providers’ obligations in order to clearly demonstrate the nature of the relationship.
- A information sharing clause should be included that permits the exchange of confidential information and sets out the permitted use of confidential information by the parties.
Best Practices when Drafting and Negotiating
When preparing and negotiating an agreement for security services, it is common for the parties to simply use an existing template and modify it as appropriate. Such a template may contain particular provisions or other language that is ambiguous or simply does not apply to the particular situation that is being contemplated. When relying on templates, instead of having custom tailored agreements, the parties should be particularly sensitive to certain ambiguous terms so that the parties do not have a dispute about what the obligations of the parties are under the agreement. Many of the provisions in security services agreements are ambiguous and therefore allow for a variety of interpretations. The parties should work with experienced counsel to craft the agreement that will serve its intended purpose.
Reviewing and Revising Your Agreement
Regular reviews and updates of your security services agreement are crucial to ensure that it adequately protects your assets and interests in an environment where regulatory requirements, the market, and your needs can change frequently. As a practical matter: Your current security services agreement or guide contract, service level agreement or solicitation (RFX) may provide periodic terms of reference for a review of the agreement, and an opportunity to update them or to engage your bidder / supplier in a further negotiation process. Failing to take advantage of these opportunities can be a false economy and greatly increases your risk exposure and potential contract disputes. Otherwise, your responsibility to instigate a consultative process and engage your service provider on areas in your security services agreement or outsource contract that may require clarification or renegotiation, rests with you. There are many reasons to review your security services agreement and to raise issues, change terms, renegotiate, or simply update them. Some examples: Depending on developments , circumstances, or changing requirements, these may prove to be reasons to edit your security services agreement and revise them or your program. At a minimum, you should ensure that the security services agreement has an update or review clause, referring to COTS or in house software that’s periodically refreshed, and a clause dealing with service levels standards and the process for reviewing or updating them. Ongoing risk awareness and due diligence are also critical to understand issues with a security services agreement and to ensure it complies with applicable laws, industry standards, and realizes new technologies. Thus, a Security Information Provider may also consider whether to conduct industry and legal overviews, assessments, or audits of the agreement and assets as necessary to ensure compliance. Identifying issues with the agreement, where it could be improved, where it needs revising, or where it requires renegotiation are critical to eliminating risks to your assets and ensuring compliance with requirements.
