Drafting and negotiating the data protection provisions in services agreements can be one of the trickier and more time-consuming aspects of the contracting process. One of our prior Contract Corner series from 2014 discussed the importance of documenting security requirements and monitoring security commitments, addressing security incidents, and key issues to consider when drafting liability provisions. In this Contract Corner, we revisit some of these issues based on the latest contracting trends that we are seeing for services agreements and dive into additional considerations when addressing key data safeguard provisions.
Assess and Define the Data
At the outset of the contracting process, it is important for the deal team and the key stakeholders to evaluate and properly define the types of data that the service provider will access or process as part of the services. A sound understanding of the scope of data involved in a services transaction helps establish expectations up front and will drive a contract that contains the right level of security requirements and an appropriate allocation of liability for security breaches. The contract should then reflect the output of this internal assessment through carefully crafted defined terms that will flow throughout the data safeguard provisions.
As part of the data assessment and initial drafting of definitions, consider the following:
- Assessing the Scope and Types of Data: What types of company data will the service provider process or otherwise have access to as part of the services? Is there confidential or proprietary business information involved? Will the service provider have access to personal data, such as data of employees, customers, or other individuals? How sensitive is the personal data? Certain additional requirements may apply if protected health information, payment card data, or personal data of European residents are in scope. These additional requirements are not discussed as part of this Contract Corner.
- Defining Company Data: Consider starting with a broad definition of company data, to include all company data and information provided by or on behalf of the company to the service provider or its representatives in connection with the services. Be sure to include personal data within this definition, if applicable, so that such data is afforded at least the same protections under the agreement and, as between the company and the service provider, such data is owned and controlled by the company.
- Defining Personal Data: As with company data, consider defining personal data as broadly as possible to capture any data or information that identifies an individual or that can be used to identify an individual. Try to avoid tying the contractual definition to statutory or regulatory definitions, as such definitions may be designed to trigger notification requirements and thus require some combination of data elements. In addition, clarify that personal data can be in any media or format, including electronic or written records. Also consider if any specific categories or examples should be included based on the services being provided, such as IP addresses or benefits information.