We have been involved in several situations lately with security incidents where we ask our clients for the final executed contract with the vendor that we believe caused the incident, but the contract that we receive has not been fully executed by both parties. Without getting into the legal implications of not having a fully executed contract in place between the parties, on a practical level it is always better to have a contract that has been signed by both parties when you are trying to use it to assert that the other party has not met its obligations under the contract or is responsible for costs associated with a security incident.
It is easier to use contractual provisions to request that the other party take responsibility for its actions when the contract has been signed than when it hasn’t. If it is a particularly contentious issue, sometimes we will hear from the other side—“try to enforce it.” We probably can enforce the contract, but it is usually a waste of time and money to have to go to court to do so.
From an operations standpoint, when you are finished negotiating a contract, make sure that it is signed and dated by both parties and that someone is responsible for maintaining the final contract and that it is archived in a way that makes it easily accessible When an issue arises, the first thing we will ask is to see the contract. If it is signed and dated, we can go straight to the contractual provisions and make our argument that the other party is responsible for the security incident and/or the costs associated with it, instead of getting hung up on whether the contract is enforceable.