CLE Seminar for In-House Counsel
October 11, 2013
Washington, DC

Privacy and Security
Language in Vendor Contracts
Transcript of "Privacy and Security Language in Vendor Agreements"

Slide 1
CLE Seminar for In-House Counsel, October 11, 2013, Washington, DC
Privacy and Security Language in Vendor Contracts: Safeguarding Customer and Employee Data
Andy Roth, Partner, Dentons US LLP, andy.roth@dentons.com, +1 212 768 6804
© 2013 Dentons. All rights reserved.

Slide 2
Vendor Contracts: Negotiating Strategy
“The fellow who says he'll meet you halfway usually thinks he's standing on the dividing line.” (Orlando A. Battista)

Slide 3
Vendor Contracts: Sharing Data
Sharing Personally Identifiable Information (PII) with Vendors is a core business activity, but there is an inherent risk that the Vendor could fail to adequately safeguard the data or the systems that process it. Personal data has a much broader definition in the EU. Sensitive information, including Protected Health Information, is also an important class of data. Strong contractual protections help mitigate this risk by requiring Vendors to meet specified requirements and to indemnify you if there is a breach of those requirements.

Slide 4
Vendor Contracts: Extensive Legal Requirements
• Investigations, consent decrees, advertising and apps
• EU Data Directive, Model Contracts, Cookie Directive
• Business Associate Agreements
• Cybersecurity Order, Privacy Bill of Rights, support for CISPA
• State breach notification and cybersecurity laws

Slide 5
Vendor Contracts: Contract vs. MSA vs. SOW
Privacy and Security language can be included in a Contract with a Service Provider, a Master Services Agreement (MSA) or a Statement of Work (SOW).
Drafting note: These terms can be in the body of the Agreement or in an Addendum. When initiating a new Vendor relationship, Privacy and Security can be baked into the Contract or MSA. However, for existing Vendor relationships it may make the most sense to include this language in a SOW. The paramount consideration is that there are strong contractual obligations binding the Vendor’s behavior and imposing strict liability for any breach of these terms.

Slide 6
Vendor Contracts: Unauthorized Disclosure
The contract must restrict the Vendor from disclosing any confidential information, including PII!
Suggested Language: “Vendor agrees and covenants that it shall:
• Keep and maintain all PII in strict confidence, using such degree of care as is appropriate to avoid unauthorized access, use or disclosure;
• Use and disclose PII solely and exclusively for the purpose for which the PII, or access to it, is provided pursuant to the terms and conditions of this Agreement;
• Not use, sell, rent, transfer, distribute, or otherwise disclose or make available PII for Vendor's own purposes or for the benefit of anyone other than Company; and
• Not transfer any PII to or from different countries without the express prior written consent of Company.”

Slide 7
Vendor Contracts: Data Minimization
Data minimization is a key principle of the EU Data Directive as implemented through the FTC Safe Harbor Program.
• The Vendor should be limited to collecting and processing only the confidential and personal data that it needs to perform its contractual obligations.
• Vendor should be required to return or destroy all personal and confidential data upon termination of the Agreement.
Suggested Language: “At any time during the term of this Agreement at Company’s written request, or upon the termination or expiration of this Agreement for any reason, Vendor shall, and shall instruct all Authorized Persons to, promptly and securely return or destroy any and all PII, whether in written, electronic or other form of media.”

Slide 8
Vendor Contracts: Authorized Access
• Vendor must maintain strong access controls to restrict access to only those employees who need it to perform contractual obligations.
• Subcontractors are only allowed with the express written consent of Company.
• Lack of access controls is a leading contributor to data breaches involving both internal and external bad actors.
Suggested Language: “At a minimum, Vendor's safeguards for the protection of PII shall include:
(1) limiting access to PII to Authorized Employees and Authorized Persons;
(2) securing business facilities, data centers, paper files, servers, back-up systems and computing equipment, including but not limited to all mobile devices and other equipment with information storage capability;
(3) implementing network, device, application, database and platform security;
(4) securing information transmission, storage and disposal;
(5) implementing authentication and access controls within media, applications, operating systems and equipment;
(6) encrypting PII transmitted over public or wireless networks;
(7) strictly segregating PII from information of Vendor or its other customers so that data is not commingled;
(8) implementing appropriate personnel security and integrity procedures and practices, including but not limited to conducting background checks consistent with applicable law; and
(9) providing privacy and information security training to Vendor’s employees and subcontractors.”

Slide 9
Vendor Contracts: Technical Safeguards
Vendor must meet or exceed requirements set by standards bodies and self-regulatory organizations.
Suggested Language: “Vendor agrees and covenants that it will implement administrative, physical and technical safeguards to protect PII that are no less rigorous than accepted industry practices, including the International Organization for Standardization's standards ISO 27001 and ISO 27002 or other applicable established industry standards for information security, and shall ensure that all such safeguards comply with applicable laws, as well as the terms and conditions of this Agreement.
Compliance with Payment Card Industry Standards. If Vendor has access to or will collect, access, use, store, process, dispose of or disclose credit, debit or other payment cardholder information, Vendor shall at all times be in compliance with the Payment Card Industry Data Security Standard ("PCI DSS") requirements, including promptly implementing all procedures and practices to remain compliant with PCI DSS at Vendor's sole cost and expense.”

Slide 10
Vendor Contracts: Data Breach
• A Data Breach can be one of the most damaging issues a company can face, both in terms of economic harm and damage to the brand.
• Contracts should require Vendors to notify you in case of a breach or potential breach within a very short specified time (anywhere from immediately to as soon as practicable, but no later than “X” hours or days).
Suggested Language: “Vendor agrees and covenants that it shall:
1) provide Company with the name and contact information for an employee of Vendor who shall serve as Company's primary security contact and shall be available to assist Company twenty-four hours per day, seven days per week as a contact in resolving obligations associated with an actual or potential Security Breach;
2) notify Company of an actual or potential Security Breach as soon as practicable, but no later than four hours after Vendor becomes aware of an actual or potential Security Breach;
3) notify Company of an actual or potential Security Breach by contacting the primary business contact at Company by both telephone and email as agreed upon.”

Slide 11
Vendor Contracts: Audit Rights
• It is extremely important to maintain audit and supervisory rights over your Vendors.
• Audit is an integral part of an effective Vendor Security Management Program.
• It is even more important to exercise these rights when appropriate!
Suggested Language: “Upon Company’s written request and no less than 10 business days following such written request, Vendor shall permit Company to conduct or oversee an audit of Vendor's facilities and practices to confirm compliance with this Agreement as well as any applicable laws and industry standards. Vendor is not required to permit Company to conduct or oversee more than one audit per calendar year, unless there has been an actual or potential Security Breach.”

Slide 12
Vendor Contracts: Insurance and Indemnification
• Vendor must obtain sufficient insurance coverage to satisfy state legal requirements such as Worker’s Compensation Insurance.
• Vendor and Company must indemnify each other in the event of a breach or alleged breach.
• Spelling out the process for Insurance and Indemnification in the Contract helps ensure that situations that arise are handled in a way that protects the interests of Company.
Suggested Language:
Insurance Process: Vendor shall: (i) name Company as an additional insured and loss payee on each insurance policy, (ii) ensure that each insurance policy contains an endorsement deleting the condition thereof entitled "Other Insurance" as to any insurance in force for or in the name of Company, (iii) ensure that each insurance policy includes a provision requiring the insurance company issuing such insurance policy to give Company prompt notice of any revision or modification to any insurance policy affecting Company's rights or any cancellation of any such insurance policy and (iv) upon request, provide Company with a certificate of insurance evidencing that the requirements of this Section have been satisfied.
Indemnification Process: The indemnified party shall provide the indemnifying party with prompt notice of any such claim for defense and indemnification and shall cooperate reasonably with the indemnifying party in the defense, settlement or compromise of any such action, at the indemnifying party's cost and expense. The indemnifying party shall have sole control of the defense of any such action and all negotiations for its settlement or compromise, but shall not settle any claim that involves a remedy other than the payment of money by the indemnifying party without the prior written consent of the indemnified party.

Slide 13
Vendor Contracts: Checklist for Getting Started
• Is data being collected from users/employees who reside in the U.S. or abroad?
• What type of data is being collected (PII/sensitive information/location/anonymized or aggregated data)? (Personal Information: name, street address, phone number, email address, zip code, date of birth, user name, password, gender, or IP address. Sensitive Information: health, medical, financial, race, religion, sexual orientation, or political affiliation.)
• How is the information being collected (directly from the user or through a tag, cookie, pixel, etc…)?
• Is it being collected for Company or for a third party (advertisers, agencies, etc…)?
• Where is the information being stored (Vendor/Service Provider or Company’s servers, or the cloud)? If information is stored outside Company, it should always be partitioned and not commingled with another vendor/service provider client’s data.
• Will the data be encrypted? Depending on the type of data, this should be required.
• Who owns the data collected?
• Is the collection of data targeted towards children under 13? If so, it must comply with the Children’s Online Privacy Protection Act (COPPA), including new rules that go into effect July 2013.
• How is the data being used? Is there a legitimate business reason for collecting the data (especially PII, sensitive information and precise location)? We should not collect just to collect.
• Will there be a transfer of information (Vendor/Service Provider to Company, or cross-border)? Consents may need to be in place before such a transfer of data can occur.
• Has due diligence been done on the third-party vendor/service provider (review of data flow, security audit)?

Slide 14
Vendor Contracts: Questions and Answers

Slide 15
Thank you!
Andy Roth, Partner, Dentons US LLP, 212-768-6804, andy.roth@dentons.com
© 2013 Dentons. Dentons is an international legal practice providing client services worldwide through its member firms and affiliates. This publication is not designed to provide legal or other advice and you should not take, or refrain from taking, action based on its content. Please see dentons.com for Legal Notices.
