Data Breach Provisions in Outsourcing Contracts
Tuesday, June 24, 2014
Print Mail Download i

We have already discussed the increase in data breaches and the need to include data breach provisions in outsourcing contracts, but what should those provisions cover? Below is a list of questions you should ask when choosing how your outsourcing contract will address data breaches:

  • What happens when one party discovers a breach? Typically, the obligation would be to promptly report the breach’s occurrence to the other party, thoroughly investigate what happened, and then disclose the results to the other party.

  • Who must notify affected individuals and government authorities? 48 states and many foreign countries now have laws requiring notification to individuals whose information is potentially compromised in a data breach. Your contract should specify who has the obligation to make and pay for this notification. Typically, the notification to an individual has to look like it is coming from the entity with whom the individual has a relationship so that it has meaning.

    For example, assume John Smith does all his banking with First National Bank, which, in turn, outsources the processing of his information to Big Outsourcer. Assume further that Big Outsourcer experiences a data breach. If John Smith receives a notice from Big Outsourcer, which is a name he does not know or recognize, he is likely to ignore it. But if he receives a notice that looks like it came from First National Bank, he recognizes the name and pays attention. It makes the most sense for Big Outsourcer to arrange and pay for the notification effort, all with First National Bank’s approval and consent.

    Also keep in mind: the laws requiring notification to individuals also require notification of government authorities and/or consumer reporting agencies so your outsourcing contract should include provisions on that as well.

  • Who has control over the content of communications? Public communication and public relations issues are a central component of managing any breach. Your contract should clearly specify who has responsibility to generate the content of proposed communications and which party has approval rights and control.

  • Who will interact with law enforcement? Data breach events often are the result of criminal actions. In many instances then, a data breach will involve interacting with law enforcement agencies, such as the FBI, the Secret Service, or local police. It is important to establish a single efficient chain of communication with law enforcement.

  • What will the insurance requirements be? Insurance companies now offer cyber insurance to cover the costs associated with a data breach. Many outsourcing contracts will require the service provider to obtain cyber security insurance to cover the costs of a data breach event.

Copyright © 2024 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

Current Legal Analysis

More from Morgan, Lewis & Bockius LLP

Arizona to Fintech Companies: Come Play in Our Sandbox!
by: Melissa R. H. Hall , Charles M. Horn
New Russia Sanctions: Key Takeaways
by: Brian L. Zimbler , Carl A. Valenstein
DOJ’s First Enforcement Action for ‘No-Poaching’ Agreements Since the Landmark Antitrust Guidance for HR Professionals
by: Mark L. Krotoski
Government Requests for Data: CLOUD Act Attempts to Provide Guidance
by: Dr. Axel Spies , Jessica M. Pelliciotta
Contract Corner: Is It Time for Form NDA Spring Cleaning?
by: Michael L. Pillion , Jessica M. Pelliciotta
Renewable Energy Deals Targeted for More Scrutiny in New Trade Report
by: Stephen Paul Mahinka
No Such Thing as Simple Food Labeling: Changes Ahead in 2018
by: Ryan Fournier
Gender Equality: The French Government’s Roadmap
by: Sabine Smith-Vidal , Laetitia de Pelet
Power to the States: Which Came First, the Chicken (CFPB) or the Eggs (AGs)?
by: Nicholas M. Gess , Charles M. Horn
DC Circuit’s ACA v. FCC Decision: Implications for Calling and Texting
by: Gregory T. Parks , Ezra D. Church

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins