InfoLawGroup Attorneys Co-Author Social Media Risk Whitepaper
Building on the InfoLawGroup's depth of experience in social networking and social media, Attorneys David Navetta and Richard Santalesa have co-authored a new whitepaper with the ACE Group, a global leader in insurance and reinsurance with a physical presence in 53 countries.
The new whitepaper, entitled Social Media: The Business Benefits May be Enormous, But Can the Risks – Reputational, Legal, Operational – be Mitigated?, is available for download from the ACE Group website and examines the risks of social media in business and corporate use. (See ACE press release on the white paper for additional details).
The whitepaper has already been recognized by the insurance industry press, which observed that a cost/benefit analysis of social media use finds it carries inherent risk, and that a complete understanding of that risk is the first step to effective mitigation. (See Insurance Networking News, Social Media, A Gamble Worth Taking?, Aug. 2, 2011).
To discuss the whitepaper or your own company's use of social networking and social media, feel free to contact Navetta, Santalesa or any of the attorneys at the InfoLawGroup.
As California Goes, so Goes the Nation? Part One
Many of you probably read earlier this month that California's Office of Administrative Law ("OAL") approved the California Department of Insurance's ("DOI") proposal to repeal certain privacy regulations. And you yawned. Or you quickly skimmed over, confident in the knowledge that this is just, well, those crazy Californians (we'll eventually fall into the ocean so no need to worry). The California changes actually have greater significance than may be apparent on a quick glance. Although rarely noted in the media coverage, State insurance privacy regulations across the country (not just in California) find their roots in the federal Gramm Leach Bliley Act (GLBA), so California's decision to make such changes provides a helpful illustration of the extraordinarily complex and confusing web of privacy regulation that governs even small organizations in this country. Also, California's move with respect to these changes contravenes the conventional wisdom that California is a renegade pro-consumer state when it comes to privacy regulation. While California was the first "mavericky" state to pass data breach legislation (SB 1386) back in the early part of the last decade, many states long ago blew past California in passing and enforcing strict privacy and security regulations (e.g., Massachusetts and Connecticut). While other states have been taking steps over the last few years to galvanize privacy and security regulations, California has moved in the opposite direction - Governor Schwarzenegger has, on numerous occasions, vetoed legislation that would have enhanced California's breach notification law (to require, for example, notice to California regulators) and now the California DOI has repealed what some might consider to be standard notice and opt-out requirements for insurance agents and brokers. 
(Query whether this general trend will change when the Brown administration takes office in January, and/or depending on the ultimate results of the California Attorney General race. But that's fodder for a future post, maybe Part Two of this series.) Many of our followers have asked me to break down this newest California development, so here goes. (The DOI's proposed regulation text is here; the DOI's "Statement Supporting Change Without Regulatory Effect" is here.)
For privacy purposes, California insurance brokers and agents are subject to numerous regulations:
- GLBA (which regulates financial institutions, including organizations that insure, guarantee, or indemnify against loss, harm, damage, illness, disability or death, or provide and issue annuities, and act as principal, agent, or broker for purposes of the foregoing, in any State);
- California's Financial Information Privacy Act (or CalFIPA, as I like to call it, Cal. Fin. Code sections 4050-4060);
- California's Insurance Information and Privacy Protection Act, Section 791 et seq. (let's call it CalIIPPA, just for fun), promulgated pursuant to GLBA (although GLBA is a federal law, state insurance authorities are responsible for the enforcement of the financial institution safeguards and disclosure/opt-out procedures required by GLBA as applied to "any person engaged in providing insurance," see 15 U.S.C. § 6805(a)(6)); and
- California's Code of Regulations ("CCRs") promulgated pursuant to CalIIPPA.
With me so far? OK.
CalFIPA section 4056.5(b), which took effect more than six years ago in 2004, permits broker-agents to use nonpublic personal information without obtaining prior customer consent to shop for new policies on renewal. However, the older CCRs resulting from GLBA and CalIIPPA (specifically, Section 2689.8(c)(3)) were inconsistent and required agents and brokers to annually mail privacy policies to all customers and to provide an opt-out that, if returned by the customer, prevented the broker-agents from using nonpublic personal information to obtain information to respond to a customer request for policy rate quote information.
On November 4, OAL approved changes to the CCRs that repealed Section 2689.8(c)(3). OAL also clarified that all brokers and agents are exempt from sending out their own privacy policies provided that the insurance company issuing the policy has complied with the notification requirements. The amendments took effect immediately.
The insurance industry noted that the changes make the CCRs consistent with CalFIPA and "prevent [consumers] from being bombarded with multiple, identical privacy policies on every insurance product they purchase." Setting aside the question of whether those privacy policies are or should be "identical," there is a legitimate issue, noted on numerous recent occasions by the FTC and privacy advocates in a more general context, as to whether more fine print and pages in privacy policies result in more transparency or just more confusion.
Because the changes to CCRs were, as reported by the Insurance Journal, "the verbatim result of changes to previously enacted statutory law," the CA DOI was not required by the California Administrative Procedures Act to hold public hearings or otherwise initiate a new rulemaking hearing. However, the OAL was required to approve the DOI action in order for the changes to take effect.
It is not clear from the limited press reports whether other states like California that have adopted the 1982/1992 Model Act of the National Association of Insurance Commissioners for privacy purposes (Arizona, Connecticut, Georgia, Illinois, Kansas to some extent, Maine, Massachusetts, Minnesota, Montana, Nevada, New Jersey, North Carolina, Ohio, Oregon, and Virginia) have confronted similar inconsistencies as between their privacy regulations promulgated pursuant to GLBA, on the one hand, and their other state privacy laws, or whether they will follow California's lead in resolving any such conflicts.
It is also not clear that the changes will have any real impact on brokers and agents to the extent they serve customers in other states that still require notice and opt-out. But, for those few California brokers and agents that serve only California customers, the amendments are likely to result in significant savings with respect to preparation of privacy notices and effectuating opt-outs.
My primary takeaway from all this - there is a real need for some consistency and predictability in the privacy and security regulatory scheme(s) in this country, as between and among states and industries. Having said that, I don't think the proposed federal legislation currently under consideration gets us there (at least, not beyond some of the proposed breach notification requirements). In the meantime, the business and technology worlds are moving forward.
The Connecticut Insurance Department Bulletin on Breach Notification
Think there's nothing new in the world of state breach notification laws and regulations? Think again. On a Wednesday in August, the State of Connecticut Insurance Department issued Bulletin IC-25 to all regulated entities in Connecticut, including insurance producers, public adjusters, bail bond agents, appraisers, certified insurance consultants, casualty claim adjusters, property and casualty insurers, life and health insurers, health care centers, fraternal benefit societies, captive insurers, utilization review companies, risk retention groups, surplus line companies, life settlement companies, preferred provider networks, pharmacy benefit managers, and medical discount plans, requiring that ALL licensees and registrants notify the Department of any information security incident which affects any Connecticut residents. This is in addition to, and goes beyond, the existing breach notification requirements under Conn. Gen. Stat. 36a-701(b). The procedural requirements set forth in the Bulletin are extensive, detailed, and will require covered organizations to act VERY quickly when they learn of a potential incident. Following are the basics:
- How does the Connecticut Insurance Department define "information security incident"?
The Bulletin defines "information security incident" very broadly to include
any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, which is obtained or maintained by a licensee or registrant of the Insurance Department, the loss of which could compromise or put at risk the personal, financial, or physical well being of the affected insureds, members, subscribers, policyholders or providers.
The requirement that covered organizations provide notice, even where the information is encrypted, is contrary to Connecticut's existing breach notification law and to most of the 46 state breach notification statutes, the majority of which provide a safe harbor from notice to organizations that encrypt covered information (according to the definitions of encryption set forth in each particular statute). These safe harbors for encrypted data in most state laws are designed to incentivize organizations to put in place safeguards such as encryption to protect data such that it cannot be read or reconstructed in the event of an incident. As the Connecticut Insurance Department itself recognizes in the Bulletin, "with the overwhelming amount of information obtained and maintained by all businesses[, . . .] there will be at times information security incidents which are beyond the control of the best management practices." Thus, it is strange that the Department does not exempt organizations from notification requirements when the organization has taken steps to implement best practices and appropriate controls such as encryption.
- When do I have to provide notice to the Insurance Commissioner?
Immediately. Really. Covered organizations must notify the Department of an information security incident which affects any Connecticut residents as soon as the incident is identified, but no later than five (5) calendar days after the incident is identified.
You read that correctly - five (5) calendar days. This is one of the shortest (if not THE shortest) notification timeframes on the books, outdoing even California's statutory five business day breach notice requirement for clinics, health facilities, home health agencies, and hospices reporting to the State Department of Public Health and to affected individuals (California Health & Safety Code section 1280.15).
- What should be included in the notice to the Insurance Commissioner?
Once again, the Connecticut Insurance Department goes beyond existing state laws, stating that notification should include as much of the following as is known:
- Date of the incident;
- Description of incident (how information was lost, stolen, breached);
- How discovered?;
- Has lost, stolen, or breached information been recovered? If so, how?;
- Have individuals involved in the incident (both internal and external) been identified?;
- Has a police report been filed?;
- Type of information lost, stolen, or breached (equipment, paper, electronic, claims, applications, underwriting forms, medical records etc);
- Was information encrypted?;
- Lost, stolen or breached information covers what period of time?;
- How many Connecticut residents affected?;
- Results of any internal review identifying either a lapse in internal procedures or confirmation that all procedures were followed;
- Identification of remedial efforts being undertaken to cure the situation which permitted the information security incident to occur;
- Copies of the licensee's/registrant's Privacy Policies and Data Breach Policy;
- Regulated entity contact person for the Department to contact regarding the incident (someone who is both familiar with the details and able to authorize actions for the licensee or registrant); and
- Other regulatory or law enforcement agencies notified (who, when).
- How should notice be sent?
Notice must be sent to the Insurance Commissioner via first class mail, overnight delivery service or electronic mail. (Given the five calendar day notice requirement, organizations should strongly consider electronic mail as a first step to ensure notice arrives in time).
- Can I notify the affected individuals first?
No. The Connecticut Insurance Department wants to review the draft notices to individuals before they go out. The Bulletin states as follows:
The Department will want to review, in draft form, any communications proposed to be made to affected insureds, members, subscribers, policyholders or providers advising them of the incident. Depending on the type of incident and information involved, the Department will also want to have discussions regarding the level of credit monitoring and insurance protection which the Department will require to be offered to affected consumers and for what period of time.
The Department Market Conduct Division has the responsibility for monitoring the activities associated with any information security incident and will contact the designated licensee or registrant contact for additional information as necessary and to set up a monitoring process. . . .
- Do I have to notify the Connecticut Insurance Department if one of my vendors is responsible for a breach?
Yes. The Bulletin provides that an information security incident at or by a vendor or business associate of a licensee or registrant, which has the potential of affecting personal health, financial, or personal information of a Connecticut insured, member, subscriber, policyholder or provider of a licensee or registrant, should be reported by the licensee or registrant to the Department. The Department also states that it will want to be kept informed of how the licensee or registrant is managing the vendor's activities and what protections and remedies are being put in place by the vendor for the Connecticut consumers.
- Does the Insurance Commissioner intend to enforce these requirements?
Yes. The Bulletin states that "some situations may warrant imposition of administrative penalties by the Department."
- How can I avoid an enforcement action?
The Bulletin urges licensees and registrants to follow the procedures set forth in the Bulletin (and described above) to minimize the potential for administrative penalties being imposed.
- Does the Connecticut Insurance Department have authority to impose these requirements?
The Bulletin states that the authority to compel this notification to the Department is provided to the Commissioner under Conn. Gen. Stat. §38a-8 which provides the Commissioner with "all powers specifically granted, and all further powers that are reasonable and necessary to enable the Commissioner to protect the public interest" in accordance with the duties imposed on the Commissioner by the insurance statutes. The Bulletin also states that, in order to maintain licenses to do business in Connecticut, insurers and health care centers are required to exhibit evidence of good management as required by Conn. Gen. Stat. §38a-41 and that the other licensee and registrant entities have similar requirements to do business in Connecticut. The Bulletin also cites Conn. Gen. Stat. §38a-4780 as requiring that each managed care organization conform to all applicable state and federal antidiscrimination and confidentiality statutes and that it ensure that the confidentiality of specified enrollee patient information and records in its custody is protected. Finally, the Bulletin notes that, under the insurance laws, the Commissioner has been given additional authority to protect the personal information of insurance consumers pursuant to the relevant portions of Conn. Gen. Stat. §42-471.
Insurers Deny Coverage for Breach Notice Costs (and why companies should consider cyber insurance coverage and why brokers should offer it)
It was recently reported that an insurance carrier (Colorado Casualty Insurance Co.) denied coverage (and filed a lawsuit) for the $3.3 million in costs the University of Utah incurred to provide notice of a security breach involving the records of 1.7 million patients from the University’s hospitals. You can find a copy of Colorado Casualty's declaratory judgment action complaint here. The University also filed its own counter claim, cross-claim and third party claim. As discussed further below, the University's cross-claim is against Perpetual Storage (the service provider that allegedly lost the data) and its third party claim is against Perpetual Storage’s insurance broker (the broker that placed the insurance coverage with Colorado Casualty).
The parenthetical in the title of this blogpost may seem counter-intuitive, but this controversy and the pleadings that have been filed paint a picture of what can potentially go wrong when proper cyber or technology errors and omissions coverage is not in place. It will be interesting to see how this case shakes out (and I make no predictions on what will happen, because I lack too much of the information needed to analyze the issue), but I guarantee that the players involved are probably wishing they had purchased explicit cyber or technology errors and omissions coverage (again, it appears that they may not have, but I don't have all the information to state that definitively). Instead, they will have to litigate with no guarantees of success (and large hurdles for the University). Ironically, the University may ultimately recover from insurance proceeds, but those proceeds may come from the insurer that provides errors and omissions coverage to Perpetual Storage's insurance broker.**
Background
The following background allegations were taken from the original complaint and the University's complaint.
It appears that Perpetual Storage contracted with the University to provide data storage services. In June 2008, back-up tapes containing personal information of 1.7 million patients were stolen from a Perpetual Storage employee’s car. 1.1 million of the records included social security numbers. This employee allegedly parked his car while working at a second job, and later in his driveway at home overnight. The tapes were allegedly taken in the middle of the night approximately 8 to 12 hours after they had been picked up.
In response to this incident, as of May 25, 2010 the University had incurred about $3.35 million in costs broken down as follows: $2,483,057 related to credit monitoring expenses (one year for each impacted individual whose social security number had been exposed); $646,149 related to printing and mailing costs for notice to each of the 1.7 million impacted individuals; $81,389 related to phone bank costs (to field more than 11,000 phone calls); and an additional $144,158 in miscellaneous costs. In addition, the University allegedly expended 6,232 personnel hours responding to and mitigating the security breach (and it seeks compensation for that lost time as well).
Colorado Casualty appears to have issued two insurance policies to Perpetual Storage, one described as a “commercial package policy” and the other a “commercial liability umbrella policy.” None of the pleadings mention Perpetual Storage or the University having purchased cyber coverage (i.e. data security or privacy coverage) or errors or omissions coverage.
Procedurally, there is a fair amount going on with this case, including a motion to dismiss by Perpetual Storage. Most relevant, however, is the University's activity. It filed an answer and several claims against various players. First, it filed against Colorado Casualty and attempts to assert that coverage is available. It also filed against Perpetual Storage directly for its acts and errors, including allegations that Perpetual breached its contract with the University. Finally, it filed a claim against Perpetual Storage's insurance broker, United Insurance Services, alleging that United failed to procure the insurance coverage needed by Perpetual.
Observations
This case is interesting for many reasons, some of them outlined below.
Do not rely on a commercial general liability policy or traditional property policy to get coverage for security or privacy breaches.
From experience, unless an endorsement was purchased, it would be unusual for a general commercial liability policy to provide first party coverage for breach notice costs (mailings, call center, credit monitoring) or professional liability coverage (coverage for liability due to an act, error or omission of a professional service provider like Perpetual). In fact, there are several cases that have found that commercial general liability policies and property policies do not cover certain data security and privacy risks. Of course, there may be arguments in favor of coverage under certain general commercial policies or property policies, but it may not be clear cut and it may require expensive litigation to obtain that coverage. It is also possible that these policies had endorsements providing more than the traditional coverage (and ultimately the specific wording is what will matter; for purposes of this blogpost I am assuming that the language is fairly similar to traditional policies I have worked with).
The moral of this story is that there is insurance out there, provided by many carriers (and more and more are providing it), that is specifically intended to provide coverage for information security and privacy breaches and technology professional liability. This insurance is specifically designed to provide coverage for damages and defense costs arising out of a data security breach or an act, error or omission in the rendering of professional technology services (like data storage services). Moreover, coverage now exists for direct costs incurred by an insured to provide notice to individuals in the event of a security breach, as well as expenses to set up a call center and provide credit monitoring. Having purchased coverage for this specific purpose, companies can have a much higher level of certainty that the type of data breach described in this case will be covered.
Insure your own company directly.
The University in this case does not appear to have its own cyber insurance coverage (if they did, I am assuming they would have tendered their expenses to their own carrier and this controversy would most likely not exist). Instead they are making the difficult argument that they should be the beneficiaries of insurance purchased by their service provider. All of this could have been avoided if the University had purchased a cyber policy directly insuring the University.
Most cyber insurance companies provide coverage for “breach notice costs,” including mailing costs, credit monitoring and call center expenses. In addition, most cyber policies provide coverage if the security breach happens to one of the insured’s service providers. That coverage would have addressed the vast majority of the expenses incurred by the University (most cyber policies, however, probably would not provide any coverage for the personnel hours expended internally to address the breach). The moral of this story is if you are an organization that handles a lot of personal information (or other sensitive information), regardless of how secure you think you are (and by now everybody knows that there is no such thing as perfect security; breaches are a matter of when and how bad at this point), you should seriously consider cyber insurance in your risk management mix.
Brokers beware.
It looks as if the University is exercising all its options to try to get reimbursed for the expenses it incurred to address this security breach – it even sued Perpetual Storage’s insurance broker. However, considering there is no direct contract between the University and that broker it may be difficult to recover. Rather, Perpetual Storage is likely in a better position to sue its own broker for breach of contract and/or negligence.
Nonetheless, there is also a moral here for brokers. Here is the reality in 2010: most companies of all shapes, sizes and wealth profiles use information technology and handle sensitive information including personal information and credit card numbers. That means they face potential direct losses due to a data breach (the biggest risk being having to provide notice under breach notice laws and provide credit monitoring/call centers). It also means that most organizations face potential lawsuits and liability arising out of data security and privacy breaches (e.g. consumer lawsuits, employee lawsuits, lawsuits by banks if credit cards are lost, and regulatory actions).
As such, brokers should be aware of the data security and privacy risk their clients face, and understand where and how that risk might be covered. Where appropriate, brokers should approach the market to obtain cyber insurance for their customers. Unfortunately, cyber policies (due to their technological nature) are often very complex, and brokers dealing with general liability insurance may not have the training or expertise to understand where cyber insurance fits in and how it provides coverage. This problem needs to be overcome or we will see a lot more lawsuits against brokers after security breaches.
One last point: assuming the University does not have its own policy, I am wondering whether (or when) the University will decide to name its own insurance broker as a defendant. I suppose it will depend on whether that broker raised the issue of cyber insurance, and whether the University turned it down or was unable to obtain coverage.
Conclusion
The bottom line is that practically every company in our modern economy has information security and privacy risk. There is no way to completely eliminate it (and it is not cost-effective in most cases to even try). That leaves residual risk that can either be internalized (like the University did) or transferred. Companies that want to transfer that risk would be well-served to get peace of mind and relative predictability by purchasing a cyber policy actually designed to address the risk. Relying on a general liability or property policy to provide the coverage is no longer a wise choice (if it ever was). Of course, this does not mean that cyber insurance is the proper decision for every company; cost is always a factor. Nonetheless, with dozens of carriers now offering the coverage on some level, competition is fierce both on price and coverage scope, so now is the right time to explore the market.
Final note: many of my observations and much of my analysis above are based on assumptions I am making concerning the nature of the policy and the facts of this case. Depending on what is in that policy, and what really happened in this matter, some of my predictions could be off or not applicable. If the policies are filed in court, we will revisit this matter and dig a little deeper.
**DISCLOSURE: I have several cyber insurance company clients and have assisted with drafting some of the top-selling forms in the marketplace; independent of those relationships, however, I am a huge proponent of risk transfer when it comes to security, privacy and technology risk, and believe that no data security and privacy risk management process is complete without considering cyber insurance.
Information Security Clauses and Certifications - Part 1
Outsourcing business and IT functions often means outsourcing compliance and liability risks as well. When a service contract involves protected categories of personal information, both parties need to understand the security requirements and risks. The contract should allocate responsibilities to prevent and respond to security breaches. The contract may also set expectations more precisely by incorporating a written security policy or referring to a widely accepted information security standard, sometimes accompanied by a requirement for a third-party security audit or assessment.
What contractual information security provisions should you consider, as a customer or as a vendor or business partner, when the contract contemplates the exchange of protected information? What do security standards and audits entail for a vendor, and what do they offer for a customer?
With heightened liability and compliance risks associated with handling protected categories of data, it is becoming more common to see contractual requirements holding vendors accountable for information security or requiring them to conform to a specified information security standard. Formerly, certification requirements were largely confined to contracts procuring data processing services for government agencies, financial services firms, and healthcare providers. Now, such provisions are appearing in a wide variety of outsourcing, cloud computing, software as a service (SaaS), infrastructure as a service (IaaS), and consulting contracts where the vendor will be processing or storing Social Security Numbers (SSNs), payment card or bank account details, medical information, or virtually any personal data from Europe, Canada, or other jurisdictions with more comprehensive data protection laws.
Often, the contract requires a self-certification of conformance with a particular set of information security safeguards and control procedures, such as the Payment Card Industry Data Security Standard (PCI DSS) for credit and debit card data, ISO 27001/27002 (formerly ISO 17799), or the US government's NIST 800 series of Federal Information Processing Standards (FIPS). But many contracts go beyond representations, warranties, or conditions concerning information security and require the vendor to submit a third-party expert assessment or audit of the vendor's security practices.
Security audits can be costly and time-consuming, and an audit requirement may or may not be reasonable given the type and amount of data at issue. On the other hand, a neglected or casually performed self-assessment can result in contract termination, denial of insurance claims, or the shifting of liability following a security breach incident.
How well do lawyers drafting or vetting contracts know what their clients need, or what they are committing to, when it comes to the clauses or annexes detailing the parties’ information security obligations? Despite the sometimes mind-numbing acronyms and technical content, lawyers and business managers need to have a basic understanding of what is entailed with the more common forms of information security clauses and certifications. This will also help them determine which are the most useful and appropriate standards, representations, and certifications for a particular services contract.
Common Information Security Clauses
Confidentiality and nondisclosure provisions typically include a definition of “Confidential Information” accompanied by nondisclosure obligations. The definition usually amounts to “proprietary,” nonpublic information that could be legally protected as trade secrets or confidential commercial information. Sometimes the definition specifically includes “personal information” shared between the parties, such as customer and employee data or marketing lists, which may be both proprietary and protected by privacy laws. Typically, the clause obliges the parties to protect each other’s Confidential Information in the same manner that they customarily protect their own Confidential Information (“the same care and discretion” is a common formulation).
A simple, reciprocal confidentiality obligation works well where the parties have similar interests and capabilities in information protection. However, if one of the parties is relatively inexperienced or lacks sufficient resources or motivation, it may not be satisfactory to rely on such a provision without naming (or attaching) any special security requirements that apply to some of the data, or referring contractually to a widely accepted security standard.
Personal Information Security Clauses
Many contracts involving the sharing of protected categories of nonpublic personal information now also include a Personal Information or Personal Data provision. This is typically designed to help ensure compliance with any applicable privacy laws or standards, such as the federal HIPAA and HITECH acts governing medical data in the US, state personal information security and breach notice laws, and data protection legislation outside the US. The clause will often require the parties to implement “reasonable and appropriate” security measures to protect either defined categories of personal data or, more broadly, any personally identified or identifiable information (“PII”) furnished in connection with contract fulfillment.
The clause may refer generally to compliance with “any applicable laws and standards,” but it is prudent to add a specific reference to any particular information security regimes that are known to apply, such as PCI DSS (payment cards), HIPAA and HITECH (medical records), GLBA (financial accounts), FCRA (consumer reports), national laws based on the EU Data Protection Directive, or the Massachusetts personal information security requirements contained in Massachusetts M.G.L. c. 93H and 201 CMR §§ 17.00-17.05. This helps ensure that the parties understand the operational security requirements and avoids disputes about precisely what was required of the vendor.
Related provisions that may appear in this clause or separately include those relating to indemnification in the event of a security breach or abuse of personal information, insurance to cover such events, notice obligations in the event of a suspected breach of security, and a duty to cooperate in the investigation and resolution of security incidents involving protected personal information. Depending on the sensitivity of their consumer, employee, or government relations, some customers insist on a provision that allows them, or their designated experts, to control the investigation and any notifications to affected individuals or to law enforcement or regulatory bodies, even if the vendor is responsible for some or all of the related costs. Occasionally, the personal information clause will expressly deny any intent to create third-party beneficiary rights for the individuals who are the subjects of the data. This is not possible, however, in the case of European personal data transferred abroad under EU-approved standard contract clauses, as mentioned below.
The personal information clause may also include reference to a specified information security standard and possibly to a required third-party certification. The more common forms of these will be discussed in the next posts in this series.
Clearly, the personal information provisions of the contract can involve substantial risks and costs. The vendor should be careful to understand the requirements and not commit to more than it can perform (or afford). The customer needs to exercise due diligence in ascertaining that the vendor has the technical and financial capability to perform as required, since the customer may be held accountable in any event by courts, regulators, and the public.
Transborder Personal Data Transfer Agreements
Personal data from the European Union, European Economic Area (the EU plus Norway, Iceland, and Liechtenstein), and other jurisdictions (such as Switzerland and Russia) with laws based on the EU Data Protection Directive are usually covered as well by a transborder data transfer clause. This may refer to the receiving party’s obligations as a data “controller” under laws based on the EU Directive, including obligations to provide notice and access and to secure the data with appropriate “technical and organizational” measures proportionate to the privacy risks inherent in handling the data at issue. If the receiving party is a mere “processor” under EU law, it is mandatory for the contract to include an “Article 17” clause (usually under the heading “Personal Data” or “Data Protection”) to the effect that (a) the processor will handle the data only according to instructions from the data controller and (b) the processor will employ “technical and organizational” security measures equivalent to those required of controllers. (Note that Article 17 clauses are required in contracts between controllers and processors even if the personal data remain in the EU / EEA.)
Whether a party receiving European personal data outside the EU / EEA is a controller or a processor, it must have a legal basis for receiving the data. The data may be received in any of the handful of countries deemed by the EU to afford an “adequate” level of protection, such as Switzerland and Canada (to the extent that the data are protected by the Canadian federal PIPEDA act). Data from EU / EEA countries, Switzerland, and Israel may also be received lawfully in the United States by a company that has self-certified to the U.S.-EU Safe Harbor Framework (or, for Swiss data, its U.S.-Swiss counterpart). Otherwise, the transfer of such data must be covered by informed consent or another of the accepted “derogations” under Article 26 of the EU Directive. The most common of these are EU-approved standard contract clauses (or “model contracts”) and, more recently, nationally approved binding corporate rules (BCRs).
The EU standard contract clauses typically appear in a separate document or annex, with mandatory terms and a description of the data transfers according to EU requirements. There are only a few approved options in the terms themselves, but the descriptive annex must be carefully drafted to cover all of the contemplated data categories, uses, and recipients. The current sets of EU-approved standard contract clauses do not require a detailed description of security measures, but they do require reference to any special measures that must be taken to safeguard “sensitive” data. (In the EU context, sensitive data refers to information concerning race or ethnicity, health or sex life, religious beliefs, political or trade union activity, and, depending on the country, criminal history, national ID numbers, civil judgments, and any other categories of data deemed especially risky under national law or regulations). In some countries, such as France and the Netherlands, the data transfer agreement and descriptive annex must be submitted for review by a national data protection authority (DPA). DPAs have been known in some instances to request more information about the security measures to be employed (such as encryption), particularly where sensitive data are involved, and they may require that these be included in the data transfer agreement. This information is not made public, however, lest it compromise the security measures.
Several other jurisdictions with comprehensive data protection laws (such as Argentina, Australia, Canada, Dubai’s DIFC free zone, Israel, and Japan) require “reasonable” or “appropriate” security measures proportionate to the risks; they also require or recommend contractual safeguards when transferring personal data to the US, India, and other jurisdictions lacking similar data privacy laws. So far, these countries have not specified security standards or detailed requirements that must be reflected in the data transfer agreement.
***
In the following posts in this series, we will look at the more common information security standards and certifications that may be included in service contracts.