Facebook Twitter Linkedin Rss

Strategies for Managing Privacy and Data Security Risk in Vendor Engagements

May 15, 2017 | Raleigh, NC
Elliswinter sean headshot resize 2?1476806379

Sean Fernandes

Alex pearce vertical

Alex M. Pearce

Corporate counsel who negotiate agreements with vendors know that privacy and data security provisions can present for­midable obstacles to reaching agreement. After all, these terms carry high stakes and can have major consequences. Many recent high-profile data breaches, including the Target and Home Depot breaches, began with vendors.

Privacy and data security risk is present in any vendor engage­ment that involves access to corporate computer systems or data. That is certainly the case when the engagement requires sharing sensitive data with the vendor. But it can also be true in simple ser­vice engagements that require only incidental access to the com­pany’s systems and data.

These risks can make privacy and data security terms diffi­cult to negotiate in any vendor engagement. This article discusses five strategies corporate counsel can use to overcome some com­mon obstacles to reaching agreement on those terms. Its aim is to provide a framework for approaching negotiations rather than detailed or comprehensive guidance on specific risks and contract provisions—which can vary widely depending on the situation. But put into practice, these high-level strategies can help counsel overcome some of the more common—and frustrating—barriers to reaching agreement with vendors on these challenging subjects.

Collect—at the outset—reliable and complete information on the systems, data, and regulations in play.

One source of risk to companies is the failure to understand the legal requirements associated with the shared data. Privacy and data security regulations typically require organizations to ensure that vendors use and protect sensitive information appropriately.

To understand which regulations apply, counsel must first ob­tain reliable and complete information about the data to which the vendor will, and will not, have access. While obtaining it can be a challenge, counsel can help collect this information from in-house clients by:

  • educating clients about the regulatory obligations that apply to different categories of company data, including carefully defining terms that have particular regulatory significance and might be misunderstood or misinter­preted (terms such “personal data” or “health informa­tion,” for instance, can be much defined more broadly in regulations than in clients’ common understanding); and
  • gaining an understanding of the company’s information technology architecture, data repositories, and security controls that is sufficient to enable a basic evaluation of the legally-relevant implications of different vendor engage­ment models (for example, whether providing a vendor ac­cess to a particular system will allow that vendor to access sensitive data that is not in scope for the engagement).

By taking these steps to gain a complete picture of the systems and data at issue, counsel can assess applicable regulations and pre­vent surprises from arising during—or worse, after—the negotia­tion of vendor agreements. Failing to do so can have substantial consequences, even in the absence of a finding that the vendor has lost or misused the data.

For example, last year, an orthopedic practice that operates clinics and a surgery center in Raleigh agreed to pay $750,000 to settle charges that it violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The violation was a failure to execute a HIPAA-mandated “business associate agreement” with a vendor to whom the practice provided patients’ protected health information. $750,000 settlement highlights the need for HIPAA business associate agreements, Office for Civil Rights, Department of Health and Human Services (Apr. 19, 2016), https://www.hhs. gov/hipaa/for-professionals/compliance-enforcement/agree­ments/ raleigh-orthopaedic-clinic-bulletin/index.html.

Help build and support reliable pre-contract due diligence pro­cesses.

Another common obstacle is a mismatch between the com­pany’s expectations and the vendor’s practices. This difficulty often stems from a failure to properly vet vendors’ privacy and security practices at the outset of the procurement process. When the com­pany does not learn that there are significant gaps between the company’s expectations and the vendor’s practices until the con­tracting phase, overcoming those gaps can be particularly difficult.

Counsel can address this problem by educating and empow­ering in-house clients to identify privacy and data security issues before deciding to engage a vendor. The strategic objectives here are twofold: (1) to communicate the company’s expectations to the vendor and thereby avoid learning about gaps for the first time during negotiations; and (2) to disqualify as early as possible ven­dors whose offerings cannot meet the company’s requirements.

Steps that counsel can take to achieve these sometimes elusive goals include:

  • providing guidelines to help clients quickly identify en­gagements that present heightened privacy and data secu­rity risk and require enhanced scrutiny (for example, en­gagements in which the company will transmit personal data to a vendor, or will provide network access to vendor personnel);
  • providing self-service tools, such as privacy and data se­curity questionnaires, for clients to perform initial due diligence on vendors identified as performing high-risk services; and
  • ensuring an organized process for meaningful evaluation of information gathered during due diligence activities.

In companies with centralized procurement functions, these steps may already be part of the vendor selection process, or be reasonably simple to implement. In companies with decentralized, business-unit-driven processes for engaging vendors, implement­ing them may be more challenging.

Either way, counsel who make an effort to help build and sup­port these front-end processes can find the downstream benefits to be substantial.

Focus on the substance—not the form—of the company’s secu­rity and privacy requirements.

Another common stumbling block in vendor negotiations is the “battle of forms” between the parties’ standard privacy and data security terms. This problem often arises when companies insist that a vendor agree to comply in full with the company’s own in­ternal privacy and security policies.

Confronted with these requests, vendors often respond that they cannot reasonably adjust their policies on a customer and engagement-specific basis. In some cases that argument has merit. In those cases, counsel can focus on the substance, rather than the form, of the company’s requirements to ensure vendors satisfy them.

One simple approach is to ask the vendor to warrant compli­ance with equivalent policies or standards that are within the ven­dor’s control. The vendor’s own internal security and privacy poli­cies may serve this purpose if they are consistent with the company’s requirements. Similarly, where a vendor has provided acceptable responses to the company’s pre-contract privacy and security due diligence questionnaire, the company can ask the vendor to warrant the accuracy of, and continuing compliance with, those responses.

Another common solution is to rely on third-party audit re­ports or compliance certifications that meet the organization’s re­quirements. Those materials provide independent validation that the vendor has implemented and maintains acceptable practices. Where they are available, those materials can give the company even more comfort than would a contractual commitment alone.

For technology vendors, common certifications and audit re­ports upon which customers often rely include:

  • International Standard ISO/IEC 27001 (“ISO 27001”) certification, which demonstrates that an organization’s information security management system meets specified best practice requirements; and
  • Service Organization Controls (SOC) reports, such as the SOC 2 Type 2 report, which reflects an independent audi­tor’s attestation about a vendor’s controls that affect the security, availability, and processing integrity of the sys­tems the vendor uses to process users’ data and the con­fidentiality and privacy of the information processed by these systems.

Counsel should be careful, however, to evaluate whether a certification or audit report propounded by a vendor matches the services the vendor will provide to the company in the engagement at issue. A certification that applies only to a specific service should not be relied upon to demonstrate compliance beyond that service.

Define the scope of engagement, and contract for that scope.

Another problem that commonly arises is a failure to align a company’s proposed privacy and data security terms with the scope of a given vendor engagement. Companies often seek to manage risk in vendor engagements by creating “standard” pri­vacy and data security terms for inclusion in vendor agreements. Those terms often are extensive, highly prescriptive, and contained in lengthy addenda that the company demands be attached to all vendor agreements.

When the scope of the engagement justifies this approach, it can be entirely appropriate. But too often it is used with all vendors without regard for the work to be performed in a given engagement. When used in that manner, “one-size-fits-all” provisions unneces­sarily burden negotiations and can obscure truly important risks.

Companies often justify this approach as being necessary because vendors “might” access sensitive systems or data, even though that is not the parties’ intention. But a more effective way to address that risk can be to expressly define the relevant param­eters of the engagement in the agreement. Those parameters can include, for example:

  • the data to which the vendor will (and will not) have ac­cess;
  • acceptable methods of access to, and transmission of, company data; and
  • where appropriate, limitations on the vendor’s removal of data and information from the company’s environment.

Having defined those parameters, counsel can then tailor the privacy and data security provisions of the agreement to address those—and only those—parameters.

If customizing agreements on an engagement-specific basis is not feasible or desirable, creating different “flavors” of provisions or addenda for common scenarios can still achieve many of the same benefits. For example, counsel might create different sets of terms for: (a) services performed on-site, (b) services that require remote connections to the company’s systems, and (c) services that require a vendor to receive and store the company’s data.

In any case, avoiding the need to discuss and negotiate re­quirements that clearly do not apply to a given engagement can facilitate more efficient review and negotiation of an agreement by both parties.

Understand the consequences if things go wrong, and approach liability allocation accordingly.

Unsurprisingly, the most contentious provisions in vendor agreements are usually those that allocate responsibility for costs associated with privacy and data security breaches. In some cases the company may enjoy disproportionate bargaining power and shift most or all responsibility for these costs to the vendor. In oth­er cases it’s the vendor who has the leverage, and the company is faced with “take it or leave it” terms that disclaim or strictly limit the vendor’s liability. Most engagements, though, fall somewhere between those two extremes.

Whatever the power dynamic, counsel should first determine the most likely sources of damages exposure if a breach were to oc­cur. Depending on the amount, nature and sensitivity of the data involved, these can include some or all of the following:

  • direct costs of investigating and remediating the incident;
  • direct costs to provide notification and related services to affected individuals;
  • business-to-business claims and litigation;
  • consumer litigation, including class actions; and
  • government investigation and enforcement.

Carefully identifying and quantifying the potential liability as­sociated with these risks can help counsel find strategies to resolve otherwise intractable differences.

For example, if the company knows that a breach involving particular data will implicate regulations that require notification of a breach to individuals, the parties can specify “pre-defined” cat­egories of known costs for which the vendor agrees to be respon­sible and limit liability for other damages. These categories can in­clude the costs of breach notification, remediation services such as free credit monitoring, and government fines and penalties.

Another common tactic to resolve an impasse over liability al­location is to separate liability for privacy and data security breach­es from the general limitation of liability in the agreement. In this way parties can negotiate separate—and usually increased—liabil­ity limits for this category of damages.

Conclusion

The negotiation of privacy and data security provisions does not have to be a major barrier to agreement. Corporate counsel can streamline these negotiations through deliberate and considered fo­cus on the data, the associated legal requirements, and the security risks associated with specific engagements. While these strategies will not eliminate all the difficulty associated with these terms, they can make handling this complex area of risk more manageable.

This article originally appeared in the April 2017 edition of The Inside Scoop, a newsletter published by the Corporate Counsel Section of the North Carolina Bar Association.

 

About Ellis & Winters LLP

Ellis & Winters LLP is a North Carolina based law firm with more than 30 attorneys and offices located in Raleigh and Greensboro.  Visit www.elliswinters.com and connect with us on Facebook, Twitter, and LinkedIn.

For more information, contact Brent C. Aikman, Marketing Coordinator, at 919.865.7000 or by email: marketing@elliswinters.com.