Scotland

• All Agreements
• Obligations on data controllers under the DPA and GDPR as stated above
IT Service contracts
• Contractual obligations relating to security frequently used in IT service contracts include (i) Ensuring other parties are compliant with appropriate cybersecurity standards (such as ISO 270001 or PCI DSS), with right to audit; (ii) Implementing security and data protection policies for sub-contractors; (iii) clauses requiring compliance with applicable cybersecurity regulations; (iv) rights to vet sub-contractor personnel, or see copies of background checks/ability to remove individuals from projects (v) obligations to provide software and materials free of malware and known flaws, faults or vulnerabilities, promptly remedy flaws, faults or vulnerabilities that later become apparent.
• It is standard practice in all IT contracts to include an IPR indemnity if a third party makes a claim that the use of IT products by the customer infringes the third party's IPR.
Cloud agreements
• Often contain indemnities from customers to suppliers covering third party claims, breach of acceptable use policies and use of the services in breach of data protection legislation.
• Service providers usually exclude liability for content stored or posted on its services and normally include a right to remove data from its servers. Under both the Copyright Directive (Directive 2001/29/EC) and Directive 2000/31/EC, internet service providers can be liable for failing to take down offensive, defamatory or IPR-infringing content and cloud computing applications often blur the line between public and private networks. In such circumstances, corporate customers often seek an indemnity for any loss suffered as a result of material being unnecessarily deleted or moved and impose a requirement to be notified in advance if any content is to be removed.
• UK-based financial institutions subject to the regulations set out by the Financial Conduct Authority (FCA) will also have to comply with FCA security requirements when contracting for IT outsourcing services. The European Banking Authority’s (EBA) recently issued final “Recommendations on outsourcing to cloud service providers” which includes a number of obligations on financial institutions when contracting with cloud service providers.
IT outsourcing agreements
• Usually include warranties in relation to data security and data protection issues. These will vary by sector but there are no specific contractual standards required or adhered to in the UK.
Others
• Obligations on public communications networks (PECN) and publicly available electronic communications networks (PECS)
• Under the Framework Directive (2002/21/EC) there are cyber-security obligations affecting providers of PECN or PECs including (i) ensuring a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of security incidents on users and interconnected networks; and (ii) notifying the competent national regulatory authority of a breach of security or loss of integrity that has had a significant impact on the operation of networks or services. (Article 13a, Framework Directive, as amended by the Better Regulation Directive.)