Such brevity is understandable – but it is also unacceptable.
It is understandable because the words come straight from the UK's Data Protection Act. They make good sense in a law that has to generalise to apply to myriad circumstances. But such pithiness has no place in a commercial contract, where the parties know what information they have and what will happen to it.
It's unacceptable in a commercial contract because it's ambiguous. In the absence of detail, what is appropriate becomes a subjective test and the only certainty is that each party's interpretation will differ. That leads to trouble.
If your supplier presents you with such a vague term, do not accept it. You need a project-specific security plan, and you build one by listing the things that might go wrong and then addressing them one by one.
Don't be afraid to score a red pen through the Zen-like security platitudes in a supplier's standard contract and replace them with a schedule that spans several pages. If your contract involves high-risk or high-value data, you have to be specific about security and the measures must be tailored to your project.
So let's say your contract puts your data in a third party's data centre. Here are some things to consider. How will your data be transferred to the data centre? Where is that data centre, and does the supplier have the right to move your data to another location? What happens in the event of a natural disaster? (Expect more than a force majeure clause.) Are there data backup procedures? Is there CCTV throughout the data centre? Is there a plan for penetration testing? Think about what you will need to audit and how often, be specific, and write that down too. Can the third party hire sub-contractors? If so, will you have the right to approve them?
These are just some of the questions a customer should ask.
Nobody would sign a contract that defined the price as "quite a lot of money", yet many contracts contain security provisions that range from vague to meaningless.
Many organisations are alive to this risk today and they will fight for effective security provisions in new contracts. But some will overlook their existing contracts, the contracts that are routinely renewed without amendment. So consider reviewing your existing contracts, too, or at least the high-risk and high-value ones.
It's prudent for any organisation to check the security obligations in both new and existing contracts. It may find that they're simply not appropriate.
By Struan Robertson, editor of OUT-LAW.COM. The views expressed are the author's own and do not necessarily represent the views of Pinsent Masons.