Managing data security and privacy is becoming an increasingly large part of a company’s risk portfolio, especially as it relates to transactions with third parties. These third-party transactions may include the outsourcing of technology services, hosted data, or software as a service (“SaaS”), and as an example, consumer information privacy is an area garnering a lot of attention. From data breach notice reporting to class action lawsuits, companies that handle the non-public personal information of individuals have possession of high-risk information, and entities regulated by HIPAA and the Gramm-Leach-Bliley Act need to ensure they are compliant with the statutory requirements. One way to mitigate this risk is through diligence in the contract negotiation phase.
When negotiating with a third-party provider (where sensitive information may be involved), the entity should ensure that one or more of the following provisions are present in the contract:
- a provision stating that the vendor shall not disclose any personally identifiable information of the entity’s customers without written consent
- a provision stating that the vendor shall comply with all applicable regulations and laws concerning the type of data that may be transferred
- a duty to provide notice to the entity in the event any suspected breach of security has taken place which may affect the entity’s data
- in the event data is disclosed (with the appropriate permission), require that the receiving party agree in writing to be bound by terms at least as stringent as the terms in the constituent agreement
Depending on the industry, the type of data, and the underlying transaction involved, third-party agreements should contain provisions about data security and privacy. For any agreement that may involve the sensitive data of a regulated entity, the entity should seek the advice of attorneys who have experience negotiating these types of agreements.