Strategies for Managing Privacy and Data Security Risk in Vendor Engagements
May 15, 2017 | Raleigh, NC
Alex M. Pearce
Corporate counsel who negotiate agreements with vendors know that privacy and data security provisions can present formidable obstacles to reaching agreement. After all, these terms carry high stakes and can have major consequences. Many recent high-profile data breaches, including the Target and Home Depot breaches, began with vendors.
Privacy and data security risk is present in any vendor engagement that involves access to corporate computer systems or data. That is certainly the case when the engagement requires sharing sensitive data with the vendor. But it can also be true in simple service engagements that require only incidental access to the company’s systems and data.
These risks can make privacy and data security terms difficult to negotiate in any vendor engagement. This article discusses five strategies corporate counsel can use to overcome some common obstacles to reaching agreement on those terms. Its aim is to provide a framework for approaching negotiations rather than detailed or comprehensive guidance on specific risks and contract provisions—which can vary widely depending on the situation. But put into practice, these high-level strategies can help counsel overcome some of the more common—and frustrating—barriers to reaching agreement with vendors on these challenging subjects.
Collect—at the outset—reliable and complete information on the systems, data, and regulations in play.
One source of risk to companies is the failure to understand the legal requirements associated with the shared data. Privacy and data security regulations typically require organizations to ensure that vendors use and protect sensitive information appropriately.
To understand which regulations apply, counsel must first obtain reliable and complete information about the data to which the vendor will, and will not, have access. While obtaining it can be a challenge, counsel can help collect this information from in-house clients by:
- educating clients about the regulatory obligations that apply to different categories of company data, including carefully defining terms that have particular regulatory significance and might be misunderstood or misinterpreted (terms such as “personal data” or “health information,” for instance, can be defined much more broadly in regulations than in clients’ common understanding); and
- gaining an understanding of the company’s information technology architecture, data repositories, and security controls that is sufficient to enable a basic evaluation of the legally-relevant implications of different vendor engagement models (for example, whether providing a vendor access to a particular system will allow that vendor to access sensitive data that is not in scope for the engagement).
By taking these steps to gain a complete picture of the systems and data at issue, counsel can assess applicable regulations and prevent surprises from arising during—or worse, after—the negotiation of vendor agreements. Failing to do so can have substantial consequences, even in the absence of a finding that the vendor has lost or misused the data.
For example, last year, an orthopedic practice that operates clinics and a surgery center in Raleigh agreed to pay $750,000 to settle charges that it violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The violation was a failure to execute a HIPAA-mandated “business associate agreement” with a vendor to whom the practice provided patients’ protected health information. See $750,000 settlement highlights the need for HIPAA business associate agreements, Office for Civil Rights, Department of Health and Human Services (Apr. 19, 2016), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/raleigh-orthopaedic-clinic-bulletin/index.html.
Help build and support reliable pre-contract due diligence processes.
Another common obstacle is a mismatch between the company’s expectations and the vendor’s practices. This difficulty often stems from a failure to properly vet vendors’ privacy and security practices at the outset of the procurement process. When the company does not learn that there are significant gaps between the company’s expectations and the vendor’s practices until the contracting phase, overcoming those gaps can be particularly difficult.
Counsel can address this problem by educating and empowering in-house clients to identify privacy and data security issues before deciding to engage a vendor. The strategic objectives here are twofold: (1) to communicate the company’s expectations to the vendor and thereby avoid learning about gaps for the first time during negotiations; and (2) to disqualify as early as possible vendors whose offerings cannot meet the company’s requirements.
Steps that counsel can take to achieve these sometimes elusive goals include:
- providing guidelines to help clients quickly identify engagements that present heightened privacy and data security risk and require enhanced scrutiny (for example, engagements in which the company will transmit personal data to a vendor, or will provide network access to vendor personnel);
- providing self-service tools, such as privacy and data security questionnaires, for clients to perform initial due diligence on vendors identified as performing high-risk services; and
- ensuring an organized process for meaningful evaluation of information gathered during due diligence activities.
In companies with centralized procurement functions, these steps may already be part of the vendor selection process, or be reasonably simple to implement. In companies with decentralized, business-unit-driven processes for engaging vendors, implementing them may be more challenging.
Either way, counsel who make an effort to help build and support these front-end processes can find the downstream benefits to be substantial.
Focus on the substance—not the form—of the company’s security and privacy requirements.
Another common stumbling block in vendor negotiations is the “battle of forms” between the parties’ standard privacy and data security terms. This problem often arises when companies insist that a vendor agree to comply in full with the company’s own internal privacy and security policies.
Confronted with these requests, vendors often respond that they cannot reasonably adjust their policies on a customer and engagement-specific basis. In some cases that argument has merit. In those cases, counsel can focus on the substance, rather than the form, of the company’s requirements to ensure vendors satisfy them.
One simple approach is to ask the vendor to warrant compliance with equivalent policies or standards that are within the vendor’s control. The vendor’s own internal security and privacy policies may serve this purpose if they are consistent with the company’s requirements. Similarly, where a vendor has provided acceptable responses to the company’s pre-contract privacy and security due diligence questionnaire, the company can ask the vendor to warrant the accuracy of, and continuing compliance with, those responses.
Another common solution is to rely on third-party audit reports or compliance certifications that meet the organization’s requirements. Those materials provide independent validation that the vendor has implemented and maintains acceptable practices. Where they are available, those materials can give the company even more comfort than would a contractual commitment alone.
For technology vendors, common certifications and audit reports upon which customers often rely include:
- International Standard ISO/IEC 27001 (“ISO 27001”) certification, which demonstrates that an organization’s information security management system meets specified best practice requirements; and
- Service Organization Controls (SOC) reports, such as the SOC 2 Type 2 report, which reflects an independent auditor’s attestation about a vendor’s controls that affect the security, availability, and processing integrity of the systems the vendor uses to process users’ data and the confidentiality and privacy of the information processed by these systems.
Counsel should be careful, however, to evaluate whether a certification or audit report propounded by a vendor matches the services the vendor will provide to the company in the engagement at issue. A certification that applies only to a specific service should not be relied upon to demonstrate compliance beyond that service.
Define the scope of engagement, and contract for that scope.
Another problem that commonly arises is a failure to align a company’s proposed privacy and data security terms with the scope of a given vendor engagement. Companies often seek to manage risk in vendor engagements by creating “standard” privacy and data security terms for inclusion in vendor agreements. Those terms often are extensive, highly prescriptive, and contained in lengthy addenda that the company demands be attached to all vendor agreements.
When the scope of the engagement justifies this approach, it can be entirely appropriate. But too often it is used with all vendors without regard for the work to be performed in a given engagement. When used in that manner, “one-size-fits-all” provisions unnecessarily burden negotiations and can obscure truly important risks.
Companies often justify this approach as being necessary because vendors “might” access sensitive systems or data, even though that is not the parties’ intention. But a more effective way to address that risk can be to expressly define the relevant parameters of the engagement in the agreement. Those parameters can include, for example:
- the data to which the vendor will (and will not) have access;
- acceptable methods of access to, and transmission of, company data; and
- where appropriate, limitations on the vendor’s removal of data and information from the company’s environment.
Having defined those parameters, counsel can then tailor the privacy and data security provisions of the agreement to address those—and only those—parameters.
If customizing agreements on an engagement-specific basis is not feasible or desirable, creating different “flavors” of provisions or addenda for common scenarios can still achieve many of the same benefits. For example, counsel might create different sets of terms for: (a) services performed on-site, (b) services that require remote connections to the company’s systems, and (c) services that require a vendor to receive and store the company’s data.
In any case, avoiding the need to discuss and negotiate requirements that clearly do not apply to a given engagement can facilitate more efficient review and negotiation of an agreement by both parties.
Understand the consequences if things go wrong, and approach liability allocation accordingly.
Unsurprisingly, the most contentious provisions in vendor agreements are usually those that allocate responsibility for costs associated with privacy and data security breaches. In some cases the company may enjoy disproportionate bargaining power and shift most or all responsibility for these costs to the vendor. In other cases it’s the vendor who has the leverage, and the company is faced with “take it or leave it” terms that disclaim or strictly limit the vendor’s liability. Most engagements, though, fall somewhere between those two extremes.
Whatever the power dynamic, counsel should first determine the most likely sources of damages exposure if a breach were to occur. Depending on the amount, nature and sensitivity of the data involved, these can include some or all of the following:
- direct costs of investigating and remediating the incident;
- direct costs to provide notification and related services to affected individuals;
- business-to-business claims and litigation;
- consumer litigation, including class actions; and
- government investigation and enforcement.
Carefully identifying and quantifying the potential liability associated with these risks can help counsel find strategies to resolve otherwise intractable differences.
For example, if the company knows that a breach involving particular data will implicate regulations that require notification of a breach to individuals, the parties can specify “pre-defined” categories of known costs for which the vendor agrees to be responsible and limit liability for other damages. These categories can include the costs of breach notification, remediation services such as free credit monitoring, and government fines and penalties.
Another common tactic to resolve an impasse over liability allocation is to separate liability for privacy and data security breaches from the general limitation of liability in the agreement. In this way parties can negotiate separate—and usually increased—liability limits for this category of damages.
The negotiation of privacy and data security provisions does not have to be a major barrier to agreement. Corporate counsel can streamline these negotiations through deliberate and considered focus on the data, the associated legal requirements, and the security risks associated with specific engagements. While these strategies will not eliminate all the difficulty associated with these terms, they can make handling this complex area of risk more manageable.
This article originally appeared in the April 2017 edition of The Inside Scoop, a newsletter published by the Corporate Counsel Section of the North Carolina Bar Association.
About Ellis & Winters LLP
Ellis & Winters LLP is a North Carolina based law firm with more than 30 attorneys and offices located in Raleigh and Greensboro. Visit www.elliswinters.com and connect with us on Facebook, Twitter, and LinkedIn.
For more information, contact Brent C. Aikman, Marketing Coordinator, at 919.865.7000 or by email: firstname.lastname@example.org.