URLs in Contracts? Time to push back

[This article is primarily for cybersecurity professionals at vendors who have to deal with client security requirements. But if you work for a client in this scenario, perhaps you can work with your legal team to educate them so this whole mess can be avoided]

Imagine a world where 5 pages of a 50-page contract are kept by only one party. The other party has seen those 5 pages once, and while they have the other 45 pages, they do not have a signed copy of those 5. If you are the side with only 45 pages, would you enter into a contract like this? If your answer is "no", then read on.

Supply chain security (also known as third-party risk management or vendor security) is a very important issue, and rightfully so. There have been a number of major breaches, from Target to the NSA, caused through a vendor or vendor personnel. So companies need to protect themselves from that risk, and one way is to specify security requirements that the vendor will have to meet or exceed.

Some of those requirements may not apply. For example, if there are no credit card transactions, PCI-DSS obviously does not apply, and that section should be deleted or, at the very least, an "if applicable" should be added.

But this article is about a bizarre trend I am seeing these days while reviewing the security requirements in client contracts. Check out this paragraph:

Vendor agrees to handle data and other information (“Data”) with a standard of care at least as rigorous as that specified in Buyer's guidelines for Risk Classifications (“Guidelines”), located at https://<redacted>/, and Buyer's policies concerning information security, which can be found at https://<redacted> and which are hereby incorporated by reference into the Agreement.

Seriously? I am being asked to sign off on contract language that can change any day without any notice to me? What if it says tomorrow that the security staff at the Vendor shall devote 80% of their time exclusively to this client? How would I prove that this language is new and did not exist when the contract was signed, without dragging the client into a legal discovery process?

In case you think I am being paranoid, check this out:

You have a contract with Oracle that you signed. In that contract are a bunch of URLs pointing to different Oracle policies. (Now remember, these direct URLs are usually incorporated into your Oracle agreement by the entire agreement clause you and Oracle signed up to.)
One of these URLs is Oracle’s Technical Support Policies
Oracle Technical Support Policies have URLs in them as well. One URL points to the Oracle Support Portal where you log into Oracle support and use the service you are paying for.
The Oracle Support Portal has a series of links on it. One of these links is their Terms of Service policies. It’s in this link that Oracle made a change.
In summary, Oracle changed text in a URL, contained in a URL, contained in a URL, contained in your contract. And now Oracle is sending letters to customers who they say are violating that link.

In situations like this, I ask for the content of the URLs to be provided as text and made part of the contract (after our review, of course).

Another client provided a PDF of their security requirements, but the main agreement simply said:

“SISR” means the Buyer's Supplier Information Security Requirements a copy of which has been made available to Supplier. Vendor (again, that is us) shall have in place and maintain an information security program that encompasses administrative, technical, and physical safeguards that meet or exceed the requirements specified in the current SISR

Again, this is easy enough to solve. Put the document into the agreement itself, so the language is frozen in time; any change then requires an amendment. In this case they had provided a PDF, so I offered:

“SISR” means the Buyer's Supplier Information Security Requirements a copy of which has been made available to Supplier on 1/25/2019 and which has a SHA-256 hash value of 23C79884264BD084BD4FB5E618F5B68E71...

Because the hash uniquely identifies the PDF file that was provided to the vendor, if a version dispute arises in the future, either side can prove whether the PDF was changed. If the Buyer in this contract doesn’t want to include the hash in the agreement, then the actual SISR has to be enclosed as an exhibit.
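As an added illustration (not code from the original article), here is how either party can later check a received SISR PDF against the hash recorded in the clause. The file name and PDF bytes are constructed samples; note that the check only works if the contract carries the complete 64-hex-character digest, not a truncated one.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

HEX_DIGITS = set("0123456789abcdef")


def validate_recorded_hash(recorded: str) -> str:
    """Normalise the hash written into the contract clause.

    A contract-grade reference must be the complete 64-hex-character digest;
    a truncated value (such as one ending in '...') cannot identify the file."""
    value = recorded.strip().lower()
    if len(value) != 64 or not set(value) <= HEX_DIGITS:
        raise ValueError("recorded hash must be a full 64-hex-character SHA-256 digest")
    return value


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 and return the uppercase hex digest."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def matches_contract_hash(path: Path, recorded: str) -> bool:
    """True only if the file is byte-for-byte the document the contract references."""
    expected = validate_recorded_hash(recorded)
    return hmac.compare_digest(sha256_of_file(path).lower(), expected)


def demo() -> tuple:
    """Constructed scenario: hash the SISR PDF at signing, then re-check a copy
    that was altered by a single appended byte. Returns (match_before, match_after)."""
    with tempfile.TemporaryDirectory() as workdir:
        sisr = Path(workdir) / "SISR.pdf"  # hypothetical file name
        sisr.write_bytes(b"%PDF-1.4\n% constructed sample SISR, not a real PDF\n")
        recorded_in_contract = sha256_of_file(sisr)  # value written into the clause
        match_before = matches_contract_hash(sisr, recorded_in_contract)
        with sisr.open("ab") as fh:  # simulate a silent revision of the document
            fh.write(b"\n")
        match_after = matches_contract_hash(sisr, recorded_in_contract)
    return match_before, match_after


if __name__ == "__main__":
    print("match at signing, match after revision:", demo())  # (True, False)
```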

Bottom line: You would not sign a contract where some pages are held only by the other party. Similarly, do not sign a contract that incorporates webpages managed by only one party "by reference" (meaning only the URL is included in the contract).

[Disclaimer: I am not a lawyer. I don't even play one on TV. The contract reviews I conduct are limited strictly to the information security and privacy requirements specified by clients to see if we can meet them or not. This is not legal advice. My recommended changes are always reviewed by an attorney, and you should follow the same process]

Shailu Tipparaju

Entrepreneur | Investor | Educator | Author | Keynote speaker | Shailosopher

6y

Excellent write up! Thanks for sharing.

Bilkis Fatema

I am privileged and delighted to be involved in the Software industry. My interests include AI, Predictive Analytics, Cyber Security, Data Strategy, Data Protection, Data privacy, Risk management and Business Intelligence

6y

Very informative and I do agree with the points. Thank you for sharing

Very interesting article, and I agree with all the points. Thanks for sharing.
