Skip to content
  • Certify™
  • Platform

    The largest Verified™ contract database.

    We've built the world's most robust repository of contracts and contract clauses with one thing in mind; to simplify contracting and fuel your sales.



    Quickly identify which contracts need surgery, and which can go straight to signature.

    Explore Triage


    Benchmark your contracts against competitors to ensure your paper is market.

    Explore Benchmark


    Quickly search and select multiple contracts and conduct side-by-side analysis.

    Explore Compare

  • Solutions

    Customer Story

    “These changes have allowed our company to close business faster, speeding our time to revenue and allowing us to develop better relationships with our customers.”

    Case Study CTA


    Skip negotiations and close deals faster.

    Learn More


    First pass contract reviews on your playbook.

    Learn More


    Execute more deals on your paper.

    Learn More

  • Resources

    About TermScout

    We believe in a world where contracting happens with zero friction, with both parties fully informed about what they’re signing.

    About TermScout



    Our contract experts provide deep expertise and insights into industry trends and updates.

    Read More


    TermScout has implemented best-in-class security practices to keep customer data safe.

    Full Security Profile


    Looking for support within our platform? No problem, our team is here to help.

    Contact Us

  • Pricing

    Solutions designed to supercharge sales and legal teams.

    Calculate ROI CTA


    Review, compare, benchmark and analyze contracts in just a few clicks.

    Compare Plans


    Show your counter-party your contract is great and do more deals on your paper.

    See Pricing

    Enterprise Triage

    Human-backed contract reviews on your playbook. 

  • Sign In

What’s Market? A look into Data Breach Notifications

TermScout Aug 9, 2021 12:59:40 AM

The What’s Market Series

What’s Market is a new series that seeks to delve into the multitude of provisions that exist within a contract and identify their importance, as well as how common they are within vendor, customer and negotiated contracts. All data is gathered by TermScout, which uses attorneys assisted by AI to accurately review and score contracts.

In this article, we look at how common data breach notification provisions are in contracts for IT services, namely software, SaaS, and PaaS contracts. In other words, how often do vendors of IT services contractually promise to notify their customers of a data breach.

What is a Data Breach?

A data breach is typically defined as the loss, theft, or unauthorized access of sensitive or proprietary data. A more robust definition from USLegal can be found here.

Data breaches are serious issues, as the loss of sensitive or proprietary data can cause public embarrassment, significant mitigation expenses, and loss of customer goodwill. In order for affected businesses to mitigate the impacts of a data breach, it is essential for vendors to notify their customers as quickly as possible after a breach event. While most jurisdictions have legislation in place that requires private or government entities to notify individuals of data breaches, these laws do vary from state to state, as do the requirements for notification, making it hard to predict what legal requirements will apply to your situation. For this reason, buyers of IT often prefer to contractually agree to data breach notification policies, which in some cases may be stricter than the legal requirements.

Vendor v. Negotiated Agreements

So, how common are data breach notification provisions in IT contracts?  We took a look at 471 standard vendor click through agreements and 60 negotiated contracts to bring you the answer.

There is a split between businesses who must notify a customer of a security breach, and those who are not strictly required to do so. In this section we will explore the differences in the data found between vendor and negotiated contracts.


As seen above, most vendor forms either do not contain language that pertains to data breach notification, or state that they are not required to notify the customer when a security incident occurs. Only a small percentage, 34%, contain specific provisions in regard to notification. However, there is a striking contrast when looking at the data for negotiated forms, as seen below.


Here we clearly see that over 50% of negotiated forms contain specific language in regard to notifying the customer when a security incident occurs, with an additional 15% requiring notification under limited circumstances. Given the difference in data, it is clear that customers want predictability and assurance as to how and when they will be notified.

Representative Provisions

We’ve included sample provisions for each answer as to whether a business must notify the customer when a security incident impacting the customer’s data occurs. The answers are as follows: No, Yes and Yes, but only under limited circumstances. If you are interested in learning more, you can find all of the data and information presented here and more by visiting TermScout’s Market Insights.

Example #1 – No

[…] In the unlikely event that we believe the security of your Personal Information in our possession or control may have been compromised, we may seek to notify you of that development. If notification is appropriate, we shall endeavor to do so as promptly as possible under the circumstances, and (insofar as we have your e-mail address) we may notify you by e-mail. You consent to our use of e-mail as a means of such notification. If you would prefer us to use another method to notify you in this situation, please e-mail us at with the alternative contact information you would like us to use.
Cornerstone Learning: Security, Privacy Policy

Example #2 – Yes

To the extent Abacus becomes aware and determines that an Incident qualifies as a breach of security leading to misappropriation or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed on Abacus systems or the applicable cloud environment that compromises the security, confidentiality or integrity of such Personal Data (“Personal Data Breach”), Abacus will inform Client of such Personal Data Breach without undue delay but at the latest within 72 hours.
AbacusNext: 11.3, Data Processing Addendum

Example #3 – Yes, but only under limited circumstances

Sub-processor Accountability Algolia is responsible for the processing of personal information it receives, and subsequently transfers to a third-party acting as an agent on its behalf in accordance with our subscription agreements. Algolia may use from time to time third-party service providers, contractors, and sub-processors to assist in providing the Services on our behalf. Algolia maintains contracts with these third-parties restricting their access, use, and disclosure of personal information
Algolia: 3.2.1, Data Processing Addendum

Final Thoughts

34% of vendors provide unambiguous language about how and when they will notify the customer when a data breach occurs. However, as seen in the data for negotiated forms, this issue is important to customers, with 55% of negotiated contracts containing such a clause. We can draw from this that customers want assurance and predictability when and if a data breach occurs, so that both parties can take the necessary steps to minimize the damage and protect any sensitive information. Before signing a contract, read through it in its entirety and ensure that the provisions relating to data breaches are clear, so that if the worst were to come, you and your business will be prepared.


The What’s Market series will be published regularly, so keep an eye out for the next article on Vendor’s Right to Use Anonymized Data, coming soon.