Page 1: Data Privacy and Security Agreements: Defining, …media.straffordpub.com/products/data-privacy-and...2017/11/02  · Vendor agrees and covenants that it shall: (i) keep and maintain

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

Presenting a live 90-minute webinar with interactive Q&A

Data Privacy and Security Agreements: Defining, Allocating and Mitigating Risks From Data Security Breaches

Today’s faculty features:

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

THURSDAY, NOVEMBER 2, 2017

Steven C. Bennett, Partner, Park Jensen Bennett, New York

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.

If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-755-4350 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

FOR LIVE EVENT ONLY

Continuing Education Credits

In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar.

A link to the Attendance Affirmation/Evaluation will be in the thank you email that you will receive immediately following the program.

For additional information about continuing education, call us at 1-800-926-7926 ext. 35.

FOR LIVE EVENT ONLY

Program Materials

If you have not printed the conference materials for this program, please complete the following steps:

• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.

• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.

• Double click on the PDF and a separate page will open.

• Print the slides by clicking on the printer icon.

FOR LIVE EVENT ONLY

Data Privacy and Security Agreements: Defining, Allocating and Mitigating Risks From Data Security Breaches

Steven C. Bennett

(Park Jensen Bennett LLP – New York)

[email protected]

2017

5


Presenter Background

• Partner, Park Jensen Bennett LLP (New York)

• 25 years commercial litigation experience

• Adjunct Professor, Hofstra Law School, Manhattan College

• Member, New York State Bar Association E-Discovery Committee

• Member, Sedona Conference Working Group on E-Discovery

6


Disclaimers

• The views expressed are solely those of the presenter, and should not be attributed to the presenter’s firm or its clients.

• This presentation does not constitute legal advice; nor does it constitute solicitation of an attorney/client relationship.

• Examples of contract terms are for illustration purposes only. Please consult counsel for advice on terms that may be appropriate for your particular circumstances.

7

Outline of Presentation

• Risk management concepts in contracting

• Data security risks

• Contracting as a tool for data risk management

• Common terms

• Drafting tips

• Resources

8


Risk Management

9

Contracts Are About: Rights, Obligations And Risk

• Performance

• Remedies

• Problems / dispute resolution

10

Well-Drafted Contract Helps

• Guide party behavior

• Avoid misunderstandings

• Adapt to changing circumstances

• Avoid / reduce litigation

11

Risk Management Concepts

• What is the risk?

• What is the likelihood of occurrence?

• What are the potential effects?

• What can be done to mitigate / avoid the risk?

• Who should be responsible for solving the problem?

• Who pays if something goes wrong?

12

Forms Of Risk

• Strategic

• Financial

• Reputation

• Operational

• Legal / regulatory

13

Risk Management Methods

• Risk assessment

• Due diligence

• Contract structure and review

• Monitoring / audit / enforcement / revision

14

Risk Management Tools

• People

• Process

• Technology

• Mistake to assume that ONE of these tools will suffice

• No “set it and forget it”: risk management is a dynamic system

15


Overview Of Data Privacy and Data Security Risks

16

Threats

• Adversaries:

  -- Rogue and disgruntled employees

  -- Criminals / organized crime

  -- Competitors

  -- Nation states / terrorists

  -- Social activists

• Motives:

  -- Money / competitive advantage

  -- Sabotage / espionage

  -- Political points / reputation damage

  -- Thrill seekers

17

Data At Risk

• Customer / employee information: name, address, telephone, social security number, credit card number, driver’s license number

• Sensitive personal information: race, religion, health status, political affiliation, sexual orientation

• Operational / proprietary information: customer lists, formulas, bank account information, trade secrets

18

Common Forms of Threat

• System penetration / unauthorized access

• Sabotage

• Theft of proprietary information

• Denial of service / loss of access to critical data

• Malware: viruses / worms

19

Common Sources of Breach

• Negligence

• System glitch / vulnerability

• Malicious / criminal attack

20

Increasing Risks

• Increasing volumes of data and storage

• Increasing array of devices / entry points

• Casual attitudes toward information sharing / privacy

• “Big data” analytics permit sophisticated forms of misuse

21

Zero Risk Is Not An Option

• Businesses “fight the last war,” as new (often unpredictable) risks arise

• “Impossible to perform” contract introduces its own risk:

  -- Vendor cannot meet requirements

  -- Vendor has incentive not to reveal deficiencies

• Goal is a candid discussion of risks, and joint efforts to combat known (and unknown) problems

22

Regulatory Environment

• No comprehensive U.S. privacy framework

• Patchwork of regulatory regimes: HIPAA, Gramm-Leach-Bliley

• General trade / consumer protection laws: FTC and state equivalents

• Data breach notification laws

• Foreign regulatory regimes: EU General Data Protection Regulation

23

Data Breach Costs

Average cost: $7-10 million for a large-scale breach; $200-300 per compromised record

• Investigation

• Notification

• Regulatory response

• Litigation

• Free credit monitoring

• Public relations damage

24

Data Life-Cycle Protection

Data protection is important at all stages of the data life-cycle:

• Collection

• Use / access / transmission

• Storage

• Retention / disposal

25

Fair Information Practices

Basic principles for the treatment of data, developed and refined over the past 30 years by the OECD, FTC, NIST and EU:

• Notice/Awareness: Data subjects given notice of an entity's information practices

• Choice/Consent: Data subjects given options to control how their data is used

• Access/Participation: Data subjects given the ability to view the data collected, and to verify and contest its accuracy

• Integrity/Security: Information collection / processing should ensure that data collected is accurate and secure

• Enforcement/Redress: Complaint and dispute resolution, plus measures of enforcement, which may include self-regulation, trusted third party review, private remedies, and/or government enforcement

26


Overview Of Contracting As A Tool To Reduce Data Security Risks

27

Risk Assessment Methods (Pre-Contract)

• Identify key information assets

• Locate assets and their distribution

• Classify (public, internal, sensitive, critical, regulated)

• Threat experience / prediction

• Security planning / revision

28

Request For Proposal Process

• Identify data security needs (including obligations to customers and business partners)

• Match needs to RFP

• Due diligence

• Pre-contract discussion

• Customer / business partner must understand and accept your needs, and must have the practical ability to do what the contract requires

29

Red Flags

• Standard form terms:

  -- Read carefully

  -- Contracts written with an “angle”

  -- “Battle of the forms”: what terms apply?

  -- Vague / generic terms

• No established data security program

• Unwillingness to discuss needs / capabilities match

30

Beware Inadvertent Agreement To Terms

• Internet sites often indicate that mere use of the site constitutes agreement to terms.

• Contract proffered by vendor may refer to “standard terms”

• Standard terms often subject to revision / update without negotiation

31

Separate Document

• Data security provisions may be incorporated into the main contract, or treated as a separate appendix

• Separate appendix advantages:

  -- Can be modified without change to the overall contract

  -- Can be provided, separately, to government entities and business contacts without revealing commercial terms

• Incorporation by reference: Data security terms may be based on Third Party standards (e.g., International Standards Organization)

• Strive for consistent usage of terms

32


Common Terms

33

Definitions

• Authorized employee / user: Who may have access to protected data

• Personal information: Forms of protected data, such as social security numbers, financial information

• Sensitive personal information: Forms of information requiring special protection, such as health information

34

Security Breach Definition

• Preference for a broad definition, to require alerts of problems and trigger appropriate responses

• Example:

“Security Breach” means (i) any act or omission that [materially] compromises either the security, confidentiality or integrity of Personal Information or Sensitive Personal Information, or the physical, technical, administrative or organizational safeguards put in place by Vendor [(or any Authorized Persons)] that relate to the protection of the security, confidentiality or integrity of Personal Information or Sensitive Personal Information, or (ii) receipt of a complaint in relation to the privacy practices of Service Provider [(or any Authorized Persons)] or a breach or alleged breach of this Agreement relating to such privacy practices].

35

Standard of Care

Sets forth general expectations as to data security practices, and binds the party to the agreement's terms regarding those practices. Specific standards (e.g., ISO) may be incorporated as representations and warranties.

• Example: Vendor acknowledges and agrees that, in the course of its engagement by Customer, Vendor may receive or have access to Personal Information. Vendor shall comply with the terms and conditions set forth in this Agreement in its collection, receipt, transmission, storage, disposal, use and disclosure of such Personal Information and be responsible for the unauthorized collection, receipt, transmission, access, storage, disposal, use and disclosure of Personal Information under its control or in its possession by all [Authorized Employees/Authorized Persons].

36

General Obligation Of Confidentiality

Confirmation that use of protected data is solely for specified purposes. May include an obligation to supervise Third Parties.

• Example:

Vendor agrees and covenants that it shall: (i) keep and maintain all Personal Information in strict confidence, using such degree of care as is appropriate to avoid unauthorized access, use or disclosure; (ii) use and disclose Personal Information solely and exclusively for the purposes for which the Personal Information, or access to it, is provided pursuant to the terms and conditions of this Agreement, and not use, sell, rent, transfer, distribute, or otherwise disclose or make available Personal Information for Vendor’s own purposes or for the benefit of anyone other than Customer, in each case, without Customer’s prior written consent; and (iii) not, directly or indirectly, disclose Personal Information to any person other than [its Authorized Employees/Authorized Persons][, including any,] [subcontractors,] [agents,] [outsourcers] [or] [auditors] (an “Unauthorized Third Party”), without express written consent from Customer [unless and to the extent required by Government Authorities or as otherwise, to the extent expressly required, by applicable law [, in which case, Vendor shall (i) [use best efforts to] notify Customer before such disclosure or as soon thereafter as reasonably possible]; (ii) be responsible for and remain liable to Customer for the actions and omissions of such Unauthorized Third Party concerning the treatment of such Personal Information as if they were Service Provider’s own actions and omissions; and (iii) require the Unauthorized Third Party that has access to Personal Information to execute a written agreement agreeing to comply with the terms and conditions of this Agreement [relating to the treatment of Personal Information]].

37

Specific Prohibitions

• Categories of information that a Party is prohibited from duplicating or transferring.

• Categories for which specific consent is required.

• Categories for which special protections (e.g., encryption) are required.

38

Responsibilities Regarding Sub-Contractors And Other Third Parties

• Duty to obtain the same assurances from sub-contractors (i.e., signature on data security protections)

Example: Vendor shall notify all of its agents, employees and subcontractors who will come into contact with Customer’s Personal Information that they are subject to the confidentiality and data security requirements set forth herein.

• Duty to supervise sub-contractors.

• Liability for actions of sub-contractors.

39

Compliance With Law

Confirmation that use of protected data shall conform to applicable legal obligations.

• Example: Vendor shall implement administrative, physical and technical safeguards to protect Personal Information that are no less rigorous than accepted industry practices, and shall ensure that all such safeguards, including the manner in which Personal Information is collected, accessed, used, stored, processed, disposed of and disclosed, comply with applicable data protection and privacy laws, as well as the terms and conditions of this Agreement.

40

Compliance With Specific Standards

Reference to specific industry standards.

• Example:

Vendor shall implement administrative, physical and technical safeguards to protect Personal Information that are no less rigorous than the International Standards Organization standards in ISO/IEC 27001:2005 – Information Security Management Systems – Requirements and ISO-IEC 27002:2005 – Code of Practice for International Security Management.

• ISO Standard includes specific requirements regarding security, training, disaster planning and recovery, and other issues

41

Particularized / Listed Functions

Agreement may list specific data security measures that must be adopted (e.g., for specific sensitive data).

• Data encryption methods.

• Network security (firewall) protection.

• Background checks of personnel.

• Training / certification of personnel.

• Protection against copying / removal of data.

42

Matching Risks And Protections

• Do warranties / obligations of vendors match warranties to the Company’s customers?

• Does responsibility for a problem rest in the appropriate institution?

43

Changes In Functionality

Dealing with changes in operations and technology.

• Notice of any adverse effects on data security as a result of changes in structure (e.g., mergers) or technology.

• Right of additional audit / assurance.

• Right to terminate.

44

Location Of Data

Data location may affect the legal obligations of users.

• Specification of location of data (or specific categories of data)

• Limits on change of location: e.g., notice and specific consent

• BEWARE: Some jurisdictions claim the right to regulate based on the location of the data subject, even if the data is located elsewhere

45

Security Breach Contact

Specification of a contact person responsible for data security breach response.

• Example:

Vendor shall provide Customer with the name and contact information for an employee of Vendor who shall serve as Customer’s primary security contact and shall be available to assist Customer twenty-four (24) hours per day, seven (7) days per week as a contact in resolving obligations associated with a Security Breach.

46

Security Breach Notification

Requirement for notification and appropriate actions in the event of a breach.

• Example: Vendor shall (a) notify Customer of any Security Breach as soon as practicable, but no later than [twenty-four (24)] hours after Vendor becomes aware of it; (b) notify Customer of any Security Breaches by [telephone at the following number: [TELEPHONE NUMBER]/e-mailing Customer with a read receipt at [E-MAIL ADDRESSES]] and with a copy by e-mail to Vendor’s primary business contact within Customer. (c) [Immediately following Service Provider’s notification to Customer of a Security Breach, the parties shall coordinate with each other to investigate the Security Breach. Vendor agrees to [fully/reasonably] cooperate with Customer in Customer’s handling of the matter, including, without limitation: (i) assisting with any investigation; (ii) providing Customer with physical access to the facilities and operations affected; (iii) facilitating interviews with Vendor’s employees and others involved in the matter; and (iv) making available all relevant records, logs, files, data reporting and other materials required to comply with applicable law, regulation, industry standards or as otherwise [reasonably] required by Customer.

47

Duty To Remedy

Requirement to take steps to remedy any data breach.

• Example:

Vendor shall [take reasonable steps to/use best efforts to] immediately remedy any Security Breach and prevent any further Security Breach at Vendor’s expense in accordance with applicable privacy rights, laws, regulations and standards. [Vendor shall reimburse Customer for actual [reasonable] costs incurred by Customer in responding to, and mitigating damages caused by, any Security Breach, including all costs of notice and/or remediation.

48

Specific Steps And Expenses

Specification of particular steps that may be required, and obligation to pay expenses.

• Example:

Vendor shall reimburse Customer for actual [reasonable] costs incurred in providing individuals affected by a Security Breach with notice of the breach, reissued payment cards, complimentary access for one (1) year credit monitoring services, credit protection services, credit fraud alerts and/or similar services, which Customer [in its sole discretion deems necessary to protect such affected individuals/in consultation with Service Provider, shall determine is reasonable to protect such affected individuals in light of the risks posed by the Security Breach].

49

Disaster Preparedness

Denial of service / malware attacks may prevent use of the system. Contract may specify:

• Specific disaster recovery plan.

• Back-up systems / standby systems.

• Specification of critical content / special treatment.

• Business interruption insurance.

50

Disclosure Of Breach To Third Parties

Reservation of rights to disclose the breach in an organized manner.

• Example: Vendor reserves the right, in its sole discretion, to report acts relating to the use and disclosure of Personal Information to applicable Government Authorities. With respect to instances in which Vendor is considering notifying Government Authorities concerning civil, but not criminal, acts, Vendor shall notify Customer in writing and consult with Customer prior to making any such notification. The parties shall immediately endeavor in good faith to reach agreement on the need for and nature of such notification. If such agreement cannot be reached within [seventy-two (72)] hours after Vendor has provided Customer with written notice, Vendor shall have the right to inform Government Authorities solely to the extent required by applicable law.]]

51

Procedure For Response To Law Enforcement Requests

• Notification

• Duty to cooperate (plus support where objections are made)

52

Prevention Of Future Breach

Obligation to take steps to avoid future problems.

• Example:

In the event of any Security Breach, Vendor shall promptly use its [reasonable/best] efforts to prevent a recurrence of any such Security Breach.

53

Right To Audit

Right of the customer to confirm compliance with data security obligations.

• Example: Upon Customer’s [written] request, to confirm Vendor’s compliance with this Agreement, as well as any applicable laws, regulations and industry standards, Vendor grants Customer or, upon Customer’s election, a third party on Customer’s behalf, permission to perform an assessment, audit, examination or review of all controls in Vendor’s physical and/or technical environment in relation to all Personal Information being handled and/or services being provided to Customer pursuant to this Agreement. Vendor shall fully cooperate with such assessment by providing access to knowledgeable personnel, physical premises, documentation, infrastructure and application software that processes, stores or transports Personal Information for Customer pursuant to this Agreement. In addition, upon Customer’s [written] request, Vendor shall provide Customer with the results of any audit by or on behalf of Vendor performed that assesses the effectiveness of Vendor’s information security program.



Monitoring / Improvements

• Vulnerability testing.

• Technical reports on unusual activity.

• Reports on time to resolution.

• Periodic reviews / training / best practice development sessions.

• Prompt application of “patches” to data security systems.



Information Security Questionnaire

Lower-cost alternative to data security audit.

• Example: Upon Customer’s written request [annually], to confirm compliance with this Agreement, as well as any applicable laws and industry standards, Vendor shall promptly and accurately complete a written information security questionnaire provided by Customer or a third party on the Customer’s behalf regarding Vendor’s business practices and information technology environment in relation to all Personal Information being handled and/or services being provided by Vendor pursuant to this Agreement.



Disposal Of Information

Return or destruction of information.

• Example: At any time during the term of this Agreement at the Customer’s [written] request or upon the termination or expiration of this Agreement for any reason, Vendor shall, and shall instruct all Authorized Persons to, promptly return to the Customer all copies, whether in written, electronic or other form or media, of Personal Information in its possession or the possession of such Authorized Persons, or securely dispose of all such copies, and certify in writing to the Customer that such Personal Information has been returned to Customer or disposed of securely. Vendor shall comply with all [reasonable] directions provided by Customer with respect to the return or disposal of Personal Information.



Material Breach

Breach of data security obligations shall constitute material breach.

• Example: Vendor’s failure to comply with any of the provisions of this Agreement [this Section] regarding data security shall be deemed a material breach of this Agreement. In such event, Customer may terminate the Agreement effective immediately upon written notice to the Vendor without further liability or obligation to Customer.



Defense And Indemnity

Allocation of risk of expenses and liabilities attendant to a data security breach.

• Example: Vendor shall defend, indemnify and hold harmless Customer, [and Customer’s [parent company] and [its/their] subsidiaries, affiliates, and [its/their] respective officers, directors, employees, agents, successors and permitted assigns] (each, a “Customer Indemnitee”) from and against all losses, damages, liabilities, deficiencies, actions, judgments, interest, awards, penalties, fines, costs or expenses of whatever kind, including reasonable attorneys’ fees, the cost of enforcing any right to indemnification hereunder and the cost of pursuing any insurance providers, arising out of or resulting from any third party claim arising out of or resulting from Vendor’s failure to comply with any of its obligations stated herein.



Additional Terms Re Defense And Indemnity

• Who controls the defense?

• Who has settlement authority?

• Notice of claims?



Liability Limitations

BEWARE standard terms:

• Categorical limits: e.g., no responsibility for third party actions.

• Monetary limits: e.g., no liability in excess of payments received.

• Notice requirements.

• Shortened statutes of limitations.



Alternatives To Full Liability Limitations

Vendor may be willing to negotiate:

• Carve out regarding specific risk.

• Higher dollar cap for specific risks.

• Carve out for gross negligence and willful misconduct.

• Right to terminate for specific forms of incident (without pay-out).

• Insurance requirement.



Insurance

Obligation to obtain insurance sufficient to cover potential data security liabilities.

• Example: Vendor shall provide [obtain] insurance in the minimum amounts set forth below. Such insurance shall cover [specify].

• Cyber-liability insurance is available, but coverage varies; check carefully.



Equitable Relief

Right to obtain injunctive relief in the event of breach of obligations.

• Example: Vendor acknowledges that any breach of its covenants or obligations set forth in this Agreement [or the Vendor’s standard policies and procedures] may cause Customer irreparable harm for which monetary damages would not be adequate compensation and agrees that, in the event of such breach or threatened breach, Customer is entitled to seek equitable relief, including a restraining order, injunctive relief, specific performance and any other relief that may be available from any court, in addition to any other remedy to which Customer may be entitled at law or in equity. Such remedies shall not be deemed to be exclusive but shall be in addition to all other remedies available at law or in equity.



Venue And Choice Of Law

Law of the contract is not necessarily the same as applicable data protection law:

• Example: “This agreement shall be interpreted under the laws of the State of New York. Any litigation under this Agreement shall be resolved in the state or federal trial courts of New York County, New York.”

• Contract laws vary from state to state.

• Lawsuits are generally filed in the jurisdiction of the defendant unless otherwise agreed.



Termination

• Right to terminate:

--For cause

--For convenience

--Change in control

--Bankruptcy / insolvency

• Transition obligations when relationship ends

• Period for transition



Contract Drafting Tips



Take Control

• “Who controls the document controls the outcome.”

• Nothing is “standard” or “not subject to negotiation.”

• “If you don’t understand it, don’t sign it.”

• Think ahead: contemplate and resolve future issues.

• Raise issues while the parties have incentives to compromise.

• Set deadlines for completion of the agreement.



Drafting Mind-Set

• Think reciprocity (equality of treatment, fairness to both sides)

• Think specificity (what would someone unfamiliar with your situation understand from the words of the agreement?)

• Think adaptation (forms/precedents are fine, but every contract is unique)

• Think like a perfectionist: edit/proof-read carefully, especially if multiple drafts (and multiple related documents) are exchanged



Learn By Doing

• The risk management / data security management committee should be involved in ALL relationships that involve personal / confidential information: this provides continuity of understanding of the issues.

• Comparison shop: available services and terms vary, and negotiations may be strengthened by comparison.

• Post-mortem on incidents: how did the vendor function, and what additional protections may be required?



Resources

Drafting and Negotiating Commercial Contracts: Third Edition, Mark Anderson (2012)

An Introduction to Contract Drafting, William K. Sjostrom Jr. (2011)

Manual of Style for Contract Drafting, Kenneth A. Adams (2008)
