In these materials: Permitting Vendor Use of Customer Data (It’s Not About Data Privacy or Data Security)
In this issue: Contractual Data Destruction Clauses are a Hot Topic Cyber Insurance: No Lifeline for Enterprise Technology Customers Is Your Technology Non-Compete Enforceable?
In technology contracts between customers and vendors, it is common to obligate one or both parties to implement “reasonable security measures” to protect applicable data and information. Typically, the obligation is a function of risk allocation or legal requirements. The recently enacted (and more recently amended) California Consumer Privacy Act’s authorization of a private right of action against businesses that fail to implement reasonable security procedures and practices highlights the issue. But, what are “reasonable security measures?” And, which contracting party decides? The Market Speaks Often, technology contracts merely reference, but do not explain, reasonable security measures. A contract may require a party simply to “implement reasonable security measures” to safeguard applicable information. Alternatively, a contract may obligate the party to “implement reasonable security measures as required by applicable law” or to “comply with applicable data privacy and security laws, including those regarding security measures.” Both customers and vendors can find these examples appealing. Pushing the Envelope Less often, but frequently when the technology transaction involves financial services companies, the contract may impose more stringent requirements based on statute or regulation. For example, the vendor may be obligated to “implement administrative, technical, and physical safeguards to insure the security and confidentiality of customer records and information, to protect against any anticipated threats or hazards to the security or integrity of such records, and to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.” Similarly, technology contracts involving healthcare information can mirror applicable federal regulations and obligate a party to “implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the information.” For EU personal data, the Standard Contract Clauses (which will likely soon change) may be invoked. Although usually advocated by technology customers, because these more specifically stated obligations track legal requirements, they are often acceptable to the customers’ vendors. Breaking the Envelope In a few cases, customers or vendors may choose to sidestep the vagueness of the above options. For example, agreements with ties to California may explicitly reference the 2016 California Data Breach Report, which specifically states that an organization’s failure to implement all twenty controls in the Center for Internet Security’s Critical Security Controls constitutes a lack of reasonable security. When payment card information is in scope, the contracting vendor may be directed to comply with the PCI Data Security Standards. Increasingly more common, a technology customer – or vendor – may expressly set out detailed, bespoke security measures. The contractual statement of these measures can range from one, to three, to five or more pages. Clearly, there are many ways for contracting parties to reach agreement on applicable security measures to be implemented under a technology contract. Be sure that what you sign up for works best for your company – all costs, risks, and consequences considered.
In this issue: Post-COVID Help for Corporate Legal Departments Contracting Conundrum: “Reasonable Security Measures” Browse-Wrap, Click-Wrap, and In-Between
In this issue: Trade Secret Owners Beware Blockchain: Mind Your Contract Terms License Restrictions: Covenants or Conditions?
Your company may suffer a cybersecurity incident that warrants bringing in third-party forensics or other consultants to investigate and report on the cause or consequences of the cyber event or compromise. To seek to protect the third parties’ reports with the work product privilege (and, thus, to avoid having to disclose the reports in litigation) – and to try to side-step the unexpected failure to establish such protection that Capital One recently experienced (In re: Capital One Consumer Data Security Breach Litigation) – do (and don’t do) the following with respect to your contracts with these third parties: Do have outside counsel be the entity contracting directly with the third party. Have outside counsel pay the third party’s fees, directly. Then, have outside counsel bill you for reimbursement of the fees paid. Do contract under a specific statement of work or services description that is exclusive to the particular cyber incident. Do state and expressly limit the purpose of the third party’s services and reports to anticipating litigation arising from the cyber incident. The purpose should not explicitly or implicitly include, for example, financial controls or reporting. Do require that the third party’s report be in a form and of substance specific to the purpose of anticipating litigation. The report should not mirror what would be provided for reports for other purposes. Do require the third party to issue formal and informal reports and updates only to the contracting outside counsel. Outside counsel, then, as necessary or appropriate, can distribute further the reports or updates, for example, to select internal stakeholders. Don’t allow those who receive reports and updates from outside counsel to further distribute the reports or updates, whether internally or externally. Require recipients to explicitly agree to limited use and handling terms, before receiving reports or updates. Don’t allocate the costs and fees for the third party’s services to any internal billing or cost center other than Legal’s. The costs and fees should be assigned to Legal’s budget. Categorize the costs and fees as “legal” costs and fees, not, for example, cybersecurity or business costs or fees. And, in the contract with the third-party forensics firm or consultant, do include requirements that the third party conform to all of the applicable above do’s and don’t’s. Importantly, these are only a few do’s and don’t’s that may help guide many companies to attempt to structure and implement contracts with third-party consultants so as to establish the work product privilege applicable to the third party’s reports. Each company, each cybersecurity incident, and applicable law can vary and be unique, so it is perhaps even more critical for the company to immediately involve inside (or outside) counsel to navigate these thorny issues. Background – In re: Capital One Consumer Data Security Breach Litigation The above do’s and don’t’s follow from the recent decision of the U.S. District Court for the Eastern District of Virginia in the above-referenced litigation. Capital One sought to avoid having to disclose the report issued by the cybersecurity forensics firm that it retained in wake of the March 2019 data security breach suffered by the financial company. In affirming a magistrate judge’s order to compel Capital One to disclose the forensics report, the Virginia federal district court made several observations. Well before the breach (and not specific to the March breach), Capital One had retained the forensics firm under a general SOW, on a retainer basis, to provide a set number of service hours for any one of a broad range of incident response services that might be needed. After the security breach, although the bank’s outside counsel signed a letter agreement with the forensics firm for services with respect to the breach. The terms of the letter agreement provided for the same scope and kind of services, on the same terms and conditions, as the general SOW (except that the forensics firm would work at the direction of the outside counsel and provide the forensics report to the outside counsel). For performing under the letter agreement, the consultant was first paid from the retainer already provided under the general SOW. Then, Capital One directly paid the balance of the consultant’s fees due under the letter agreement – with funds from Capital One’s internal general cybersecurity budget. Capital One (at least at first) internally identified the fees paid to the consultant as a “business critical” expense – not as a “legal” expense. During the forensics firm’s investigation, it communicated directly with the bank’s external financial auditors, so that the auditor’s could assess whether the breach impacted the bank’s accounting controls. Many internal and external parties received a copy of the forensics report, but Capital One provided no explanation as to why these recipients received a copy of the report, as to whether the report was provided for business purposes, regulatory reasons, or specifically in anticipation of litigation, or as to any restrictions placed on the recipients’ use, reproduction, or further distribution of the report. Both the magistrate judge and, on appeal, the district court judge who opined on the matter saw these above facts, among others, as support for finding that the forensic firm’s investigation report was not protected from disclosure by the work product privilege.
In this issue: Software License Terms Force Majeure Contract Renegotiation
© 2021 King & Fisher Law Group, PLLC. All rights reserved.