When two businesses sign a contract, most of the focus goes to payment terms, deliverables, and timelines. Cybersecurity rarely gets the same attention, and that is a problem.
A single data breach can cost a U.S. company an average of $9.36 million, according to IBM’s 2024 Cost of a Data Breach Report.
If your contracts do not define who is responsible for protecting data, you may end up absorbing costs that should have been shared, or the question of responsibility may be disputed entirely in court.
Here is what every business contract in the U.S. should include from a cybersecurity standpoint.
Define What Data Is Covered Under The Contract.
Before anything else, the contract must spell out what type of data will be shared or handled. This includes:
- Personally identifiable information (PII)
- Payment or financial records
- Proprietary business data
- Health information (if HIPAA applies)
Vague language like “sensitive information” leaves too much room for interpretation. Be specific.
Include A Data Security Standard Clause.
This clause tells both parties what level of security is expected. Reference a recognized framework, such as NIST, ISO 27001, or SOC 2, so there is an objective standard to measure against.
Without this, one party may consider basic password protection “sufficient,” while the other expects full encryption and multi-factor authentication. That gap can become a legal dispute.
Breach Notification Timelines Must Be Written In.
In the U.S., 50 states have their own breach notification laws. Some require businesses to notify affected parties within 30 days; others allow up to 90 days.
A 2023 report from the Identity Theft Resource Center found that over 3,200 data compromises were reported in the U.S. in a single year. Your contract should define the following:
- How quickly must a breach be reported to the other party?
- What information must be included in the notification?
- Who is responsible for notifying regulators or customers?
Do not rely on state law defaults. Set your own timeline and make it faster than the legal minimum if you can.
Limit Third-Party Access In The Contract.
Many breaches do not come from direct attacks. They come through vendors. The 2020 SolarWinds breach, for example, compromised thousands of organizations through a single software supplier. Your contract should require that:
- Third-party vendors used by either party meet the same security standards.
- Both parties disclose when a subcontractor will have access to shared data.
- Vendors are subject to audit rights if needed.
Add A Liability And Indemnification Clause For Breaches.
If a breach happens because of one party’s negligence, who pays? This needs to be written clearly. A well-drafted indemnification clause should cover:
| Scenario | Who Bears Liability |
|---|---|
| Breach caused by the vendor’s negligence | Vendor indemnifies client |
| Breach due to the client’s system failure | Client assumes responsibility |
| Shared system breach | Liability split by contribution |
Without this, both parties will point fingers, and litigation becomes expensive for everyone.
Require Regular Security Assessments During The Contract Term.
A security standard that was solid in Year 1 may be outdated by Year 3. Contracts that run more than 12 months should include a requirement for periodic security reviews or audits.
According to Verizon’s 2024 DBIR, 68% of breaches involved a human element, meaning processes, not just technology, need to be assessed regularly.
Termination Rights Should Include Cybersecurity Triggers.
Most contracts allow termination for non-payment or missed deliverables. Add cybersecurity events to that list. If a vendor suffers a major breach and fails to meet remediation timelines, you should have the right to exit the contract without penalty.
Getting these provisions right is not just about legal protection. It is about building business relationships where both parties take data security seriously from day one.