
What your clients' contracts already require you to have

If you've signed a client services agreement or vendor contract recently, you've likely already agreed to security requirements you haven't implemented. Here's what those clauses typically say—and how to meet them on a small-business setup.

Elevate Solutions
June 26, 2026 · 5 min read

You reviewed the scope of work. You checked the payment terms. Then you signed.

What you may not have read closely were the data security and confidentiality clauses in the middle of the agreement—the ones that now legally bind you to specific technical controls. This happens routinely at small firms. The obligations are real, the contracts are signed, and the tools to meet most of them are already sitting in your Microsoft 365 subscription, unused or misconfigured.

The short version: Client and vendor contracts increasingly include specific security obligations—multi-factor authentication, encryption, breach notification timelines, and employee training records. Most can be met using tools already included in Microsoft 365 Business Premium. The problem is almost never cost. It is configuration and documentation.

Why this is urgent for small firms right now

A data breach is damaging on its own. It becomes substantially worse when opposing counsel opens your signed services agreement to section 8 and shows that you agreed to maintain encrypted storage and did not. Courts and regulators treat contractual security commitments as binding regardless of how many employees you have. Being small is not a defense.

The checklist: what your contracts are likely already requiring

Pull your three to five most active client and vendor agreements. Read the data security, confidentiality, and incident notification sections. Here is what to look for—and what to do about each item.

Multi-factor authentication

Contracts from law firms, insurers, healthcare clients, and financial institutions increasingly require MFA on any system that stores or accesses their data. Microsoft 365 Business Premium includes this through Microsoft Entra ID.

Action: Enable Security Defaults or configure Conditional Access in your Microsoft 365 admin center. Require MFA for every user account, no exceptions.

Encryption of data at rest and in transit

This phrase appears in vendor agreements, client services contracts, and business associate agreements. It means stored data and data moving over networks must be encrypted—not just password-protected.

Action: Enable BitLocker on all Windows devices through Microsoft Intune for Business, which is included in Business Premium. Confirm SharePoint and OneDrive encryption settings have not been altered from their secure defaults. Microsoft 365 encrypts email in transit by default; verify it is active in your tenant.

Written breach notification timelines

Many contracts now specify exactly how quickly you must notify the client after discovering a security incident—sometimes in hours, not days. This timeline is separate from, and often shorter than, state breach notification law deadlines. Without a written response plan, you cannot reliably meet a short notification window.

Action: Write a one-page incident response plan. It should name who gets notified, in what order, within what timeframe, and who has authority to send the notification. It does not need to be long. It needs to exist and be dated.

Employee security training records

Healthcare and financial services agreements frequently require annual security awareness training for all staff with access to client data—and documentation that it happened.

Action: Run a training session and keep a log: who attended, the date, and the topic. A signed attendance record or email confirmation is the evidence a client audit would expect. Low-cost phishing simulation tools are widely available if you need to show hands-on training.

A written information security policy

Some contracts require that you maintain a written information security policy. This is not a 40-page document. It is a short, signed statement covering how you protect data, who is responsible for it, and what happens when something goes wrong.

Action: Create a brief policy document—two to three pages is enough for a firm of your size. Date it, sign it, and review it annually.

Endpoint protection on all devices

Contracts that include data protection language often require antivirus or endpoint detection tools on every device used to access client systems. Microsoft Defender for Business is included in Microsoft 365 Business Premium and satisfies this requirement when properly deployed.

Action: Confirm Defender for Business is active on all enrolled devices through the Microsoft Defender portal. Devices not enrolled through Intune are not protected, even if the license is active.

Access control and offboarding

Data protection clauses often require limiting access to client data to only those who need it, and revoking that access promptly when someone leaves.

Action: Use Microsoft Entra ID to assign role-based permissions. Build a written offboarding checklist with immediate account deactivation as step one. A 48-hour gap between an employee's last day and account removal is the kind of detail that appears in breach investigations.
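The deactivation step above, as an added example that is not part of the original post: a Microsoft Graph PowerShell script (assumes the Microsoft.Graph SDK modules and an admin account; `$Upn` and `$LogPath` are placeholders) that disables the account first, revokes open sessions, strips group access, and writes the dated log entry an audit would ask for.

```powershell
# Added example, not Elevate Solutions' own script. Assumes Microsoft.Graph modules
# (Users, Users.Actions, Groups) are installed; $Upn and $LogPath are placeholders.
param(
    [Parameter(Mandatory)] [string] $Upn,              # e.g. jdoe@contoso.example
    [string] $LogPath = ".\offboarding-log.csv"
)

Connect-MgGraph -Scopes "User.ReadWrite.All", "GroupMember.ReadWrite.All" -NoWelcome

$user  = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, AccountEnabled
$steps = [System.Collections.Generic.List[string]]::new()

# Step one: block sign-in. Everything else on the checklist waits until this is done.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
$steps.Add("account disabled")

# Invalidate refresh tokens so sessions already open on laptops and phones stop working.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
$steps.Add("sign-in sessions revoked")

# Remove group memberships that grant access to client data (SharePoint, Teams, shared mailboxes).
$groups = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
$removed = 0
foreach ($g in $groups) {
    try {
        Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id -ErrorAction Stop
        $removed++
    } catch {
        # Dynamic-membership groups cannot be edited directly; note it rather than fail silently.
        $steps.Add("could not remove from group $($g.Id): $($_.Exception.Message)")
    }
}
$steps.Add("removed from $removed of $($groups.Count) groups")

# Re-read the account and record a timestamped entry: this is the paper trail.
$check = Get-MgUser -UserId $user.Id -Property AccountEnabled
[pscustomobject]@{
    Timestamp  = (Get-Date).ToString("o")
    User       = $user.UserPrincipalName
    DisabledBy = (Get-MgContext).Account
    Verified   = (-not $check.AccountEnabled)
    Steps      = ($steps -join "; ")
} | Export-Csv -Path $LogPath -Append -NoTypeInformation
```

Run it the moment HR confirms the departure, and keep the CSV with your other compliance records; licence removal and mailbox conversion can follow later and are not shown here.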

Business associate agreements

If any client handles protected health information and shares it with you, HIPAA requires a signed business associate agreement between you and that client, and between you and your cloud vendors—including Microsoft. Microsoft will sign a BAA for Microsoft 365 Business Premium. Many small firms that do any healthcare-adjacent work have never requested one.

Action: Identify any clients in or adjacent to healthcare. Confirm BAAs are signed on both ends. Request Microsoft's BAA through the Microsoft 365 admin center.

Where to start

Read your contracts before you do anything else. Most of what those clauses require is already available to you. The work is turning on the right settings, writing down a short policy and a response plan, and keeping a log of your training. That paper trail is often what separates a manageable incident from a contractual dispute.

If you are not certain your Microsoft 365 environment is configured to meet what your contracts say, a technical review of your current setup is the logical next step.

Elevate Solutions' security and IT advisory team delivers managed cybersecurity (MDR/MXDR), managed IT, and compliance guidance (HIPAA, SOC 2, PCI DSS) for regulated mid-market firms across Los Angeles.

Reviewed by David Faramarzi · Founder, Elevate Solutions