DATA SECURITY AND COMMERCIAL CONTRACTS

An update on the changing US laws relating to

data security and how to address this critical area

of change and risk in your commercial contracts

http://delvacca.acc.com

DATA SECURITY AND

Participants

Michael Pillion

Barbara Melby

Sheila Hawes

Associate General Counsel and Chief Privacy Officer

AmerisourceBergen Corporation P: 610.727.7437

HOW CHANGES IN PRIVACY AND SECURITY

REGULATION ARE AFFECTING COMMERCIAL

TRANSACTIONS

Topics Covered

•

Presentation Focus is on US Laws

•

Federal Privacy and Data Security Laws

•

State Privacy and Data Security Laws

•

Proposed Federal Law

•

Impact on the Commercial Contract (focusing on services

transactions)

Federal Laws

•

Laws that apply to particular sectors:

• Gramm-Leach-Bliley Act (G-L-B), a/k/a Financial Services Modernization Act of 1999, regulating personal information collected or held by financial

institutions or other businesses that provide financial services and products.

• Privacy requirements

• Security safeguard requirements

• Breach notification requirements

• Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act

(HITECH), regulating medical information, including protected health information (PHI):

• HIPAA Privacy Rule – privacy requirements applicable to PHI

• HIPAA Security Rule - safeguard requirements

Federal Laws

•

Consumer protection laws, such as the Federal Trade

Commission Act (FTC Act)

•

Not specifically privacy and data security laws

•

Used to prohibit unfair or deceptive practices involving the

collection, use, processing, protection and disclosure of personal

information.

•

FTC’s "Red Flags" Rules issued under the Fair and

Accurate Credit Transactions Act (FACTA), requiring

financial institutions and creditors to have theft protection

programs that detect or “red flag” identity theft in their

day-to-day operations.

Federal Laws

• Laws that apply to types of activities that use personal information or might otherwise affect individual privacy, such as:

• Children's Online Privacy Protection Act (COPPA), regulating the online collection of information from children.

• Fair Credit Reporting Act (FCRA), as amended by FACTA, regulating consumer credit and other information.

• Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM), regulating commercial e-mail.

• Telephone Consumer Protection Act (TCPA), regulating telemarketing.

• Electronic Communications Privacy Act (ECPA), regulating electronic communications.

• Computer Fraud and Abuse Act (CFAA), regulating computer tampering.

State Laws

•

Hundreds of privacy and data security laws governing the

collection, use, protection and disclosure of personal

information exist at the state level, with inconsistent scope and

obligations. State privacy and data security laws include, for

example:

•

Data security breach notification laws

•

Laws mirroring FTC Act and other consumer protection laws

•

Laws supplementing G-L-B and HIPAA, including Medical

Information laws

•

Data Security laws

•

Record disposal laws

•

Laws protecting personal information of students

•

Card transaction laws

•

Social Security number laws

State Data Breach Notification Laws

law, which became effective in July, 2003.

• The California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person.

• Any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General.

• Today, 47 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have breach notification laws.

• Texas – law requires notification to be given by persons/entities who conduct business in Texas (not defined) to residents of other states. If the other state has a breach notification law, the notice can be given under either Texas law or the other state’s law. If no law in the other state, Texas notification law applies. • These are reactive laws, not proactive laws.

Alaska Virgin Islands Arkansas Arizona California Colorado Connecticut Delaware Maryland Virginia West Virginia Florida Georgia Idaho Illinois Indiana Iowa Kansas Kentucky Louisiana Maine New York Pennsylvania Massachusetts Michigan Minnesota Mississippi Missouri Montana _{North Dakota}

Arizona South Dakota Nevada New Hampshire New Jersey North Carolina Ohio Oklahoma Oregon Rhode Island South Carolina Tennessee Wyoming Texas Vermont Washington Wisconsin

Utah District of Columbia

Nebraska New Mexico Alabama Hawaii Guam Puerto Rico

State Data Breach Notification Laws

State Citation

Alaska Alaska Stat. § 45.48.010 et seq. Arizona Ariz. Rev. Stat. § 44-7501 Arkansas Ark. Code § 4-110-101 et seq.

California Cal. Civ. Code §§ 1798.29, 1798.80 et seq. Colorado Colo. Rev. Stat. § 6-1-716

Connecticut Conn. Gen Stat. § 36a-701b Delaware Del. Code tit. 6, § 12B-101 et seq.

Florida Fla. Stat. §§ 501.171, 282.0041, 282.318(2)(i) (2014 S.B. 1524, S.B. 1526) Georgia Ga. Code §§ 10-1-910, -911, -912; § 46-5-214

Hawaii Haw. Rev. Stat. § 487N-1 et seq. Idaho Idaho Stat. §§ 28-51-104 to -107 Illinois 815 ILCS §§ 530/1 to 530/25

Indiana Ind. Code §§ 4-1-11 et seq., 24-4.9 et seq. Iowa Iowa Code §§ 715C.1, 715C.2

Kansas Kan. Stat. § 50-7a01 et seq.

Kentucky KRS § 365.732, KRS §§ 61.931 to 61.934 (2014 H.B. 5, H.B. 232) Louisiana La. Rev. Stat. § 51:3071 et seq., 40:1300.111 to .116 (2014 H.B. 350)

Maine Me. Rev. Stat. tit. 10 § 1347 et seq.

Maryland Md. Code Com. Law §§ 14-3501 et seq., Md. State Govt. Code §§ 10-1301 to -1308 Massachusetts Mass. Gen. Laws § 93H-1 et seq.

Michigan Mich. Comp. Laws §§ 445.63, 445.72 Minnesota Minn. Stat. §§ 325E.61, 325E.64 Mississippi Miss. Code § 75-24-29

Missouri Mo. Rev. Stat. § 407.1500

State Data Breach Notification Laws

State Citation

Nebraska Neb. Rev. Stat. §§ 87-801, -802, -803, -804, -805, -806, -807 Nevada Nev. Rev. Stat. §§ 603A.010 et seq., 242.183

New Hampshire N.H. Rev. Stat. §§ 359-C:19, -C:20, -C:21 New Jersey N.J. Stat. § 56:8-163

New York N.Y. Gen. Bus. Law § 899-aa, N.Y. State Tech. Law 208 North Carolina N.C. Gen. Stat §§ 75-61, 75-65

North Dakota N.D. Cent. Code § 51-30-01 et seq.

Ohio Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192 Oklahoma Okla. Stat. §§ 74-3113.1, 24-161 to -166

Oregon Oregon Rev. Stat. § 646A.600 et seq. Pennsylvania 73 Pa. Stat. § 2301 et seq.

Rhode Island R.I. Gen. Laws § 11-49.2-1 et seq. South Carolina S.C. Code § 39-1-90, 2013 H.B. 3248

Tennessee Tenn. Code § 47-18-2107

Texas Tex. Bus. & Com. Code §§ 521.002, 521.053, Tex. Ed. Code § 37.007(b)(5) Utah Utah Code §§ 13-44-101 et seq.

Vermont Vt. Stat. tit. 9 § 2430, 2435

Virginia Va. Code § 18.2-186.6, § 32.1-127.1:05 Washington Wash. Rev. Code § 19.255.010, 42.56.590 West Virginia W.V. Code §§ 46A-2A-101 et seq.

Wisconsin Wis. Stat. § 134.98

Wyoming Wyo. Stat. § 40-12-501 et seq.

District of Columbia D.C. Code § 28- 3851 et seq.

Guam 9 GCA § 48-10 et seq.

Puerto Rico 10 Laws of Puerto Rico § 4051 et seq.

State Data Breach Notification Laws

–

Common Provisions

•

Common Provisions

•

Who must comply?

•

Who is covered?

•

State resident consumer

•

What information (PII) is

covered?

•

Name combined with SSN,

account no., drivers license

no.

•

What triggering or

breaching event?

Unauthorized acquisition of

data

•

What notice

requirements?

•

Timing or method of notice

•

Who must be notified

•

Exemptions (e.g., for

encrypted information)

•

Penalties, enforcement

State Data Breach Notification Laws --

Differing Standards

•

Vary by State and circumstances of the breach

•

Definition of “personal information”

Who must comply?

•

Notification triggers

•

Notification to AG or other state agency

•

Manner of notification

•

Data format: hard copy files vs. electronic only

2014 Amendments to California Data

Breach Notification Law

• Amendments effective January 1, 2015. Modifies the current data breach notification statutes in two primary respects.

• First, if a business “maintains” personal information about a California

resident (expansion from owns or licenses), the business must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from

unauthorized access, destruction, use, modification, or disclosure.”

• Becomes a proactive law.

• Second, where the notifying entity was the source of a breach involving the disclosure of Social Security or driver’s license numbers, and “if any” offer to provide identity-theft prevention or mitigation services is made, it must be made at no cost to the affected person for no less than 12 months along with all information necessary to take advantage of the offer.

• Also adds prohibition on sale, advertisement for sale or offer of sale of an individual’s social security number.

Data Security Laws

• Several states, including California, Massachusetts, Connecticut and Nevada, have enacted laws requiring that companies take certain steps to protect the security of personal information that they collect, use and maintain.

• Massachusetts regulations requires that companies (including out-of-state) who own, license, store or maintain personal information about a MA resident must comply with strict requirements to safeguard such personal information.

• Required Comprehensive Written Information Security Program (for both paper and

electronic information)

• Required Encrypt personal information of MA residents that is (i) on portable devices

(e.g., smartphones, laptops), (ii) stored in portable media (e.g., memory sticks, DVDs), or (iii) transmitted over a public or wireless network

• Companies subject to the MA regulations must take reasonable steps to ensure

their third-party service providers that have access to personal information of a MA resident will comply with the MA regulations.

• Contracts with third-party service providers must require compliance with the MA

State Laws Mirroring FTC Act, and

Supplementing G-L-B and HIPAA

•

Laws that mirror FTC Act and other consumer protection

statutes, prohibiting unfair or deceptive business

practices.

•

Laws supplementing G-L-B and HIPAA which do not

preempt more protective state laws that are not

State Laws

– Medical Information Laws

• A number of states, including California and New Jersey, have adopted statutes specifically aimed at the protection of medical information.

• New law in New Jersey, signed into law on January 9, 2015 and becomes effective August 1, 2015.

• Applies to health insurance carriers, including health service corporations, hospital service corporations, and health maintenance organizations authorized to issue New Jersey health benefit plans.

• Bars such health insurance carriers from collecting a patient’s name linked with his or her Social

Security number, driver’s license or other state identification number, address, and other identifiable health information unless this data is encrypted or otherwise unusable by an unauthorized third party.

• Law requires security measures to extend beyond a simple password and mandates that health insurance carriers implement safeguards that render the data unreadable, undecipherable, or otherwise unusable by someone who can bypass the password protection.

• Law applies to all end-user computers, such as desktops and laptops and mobile devices, and all data and information transmitted via public networks.

• The NJ bill signing came a little more than one year after Horizon Blue Cross Blue Shield suffered the theft of two laptops that contained varying amounts of personal data on more than 839,711 policyholders, including names, demographic information, addresses, birth dates, some Social Security numbers and certain medical information.

State Laws

– Record Disposal Laws

•

Several states, including California, New Jersey, New York and

Delaware, have enacted laws requiring proper disposal of tangible

and intangible records containing personal information.

•

New Delaware law, effective January 1, 2015

• Covers “commercial entities,” defined broadly, including non-profit entities

• Commercial Entities must take all reasonable steps to destroy or arrange for the

destruction of personal identifying information in its custody and control by

shredding, erasing, or otherwise destroying or modifying it so that the information is entirely unreadable or indecipherable.

• Consumer who suffers actual damages may bring civil action and court may award

treble damages

• Authorizes administrative enforcement proceedings

State Laws Protecting Personal

Information of Students

•

Laws include enhanced privacy requirements for school

districts that are relevant to education technology

companies that provide services to school districts.

•

Address student data privacy in a number of ways,

including restricting with whom student data may be

shared, restricting which data may be collected, requiring

school districts to adopt data-retention and security

standards, and requiring the publication of data collection

indices that explain each element of student data that

State Laws Protecting Personal

Information of Students

•

Several new state laws also require specific provisions

regarding student data privacy to be included in any

contract between a school district and a third-party

service provider.

•

In Louisiana, agreements with contractors must include, among

other matters, provisions for privacy and security audits by the

district as well as data breach planning, notification, and

remediation procedures.

•

In California, such agreements must include, among other matters,

procedures for parents and legal guardians to review and correct

personally identifiable information held by the contractor.

State Laws Protecting Personal

Information of Students

• California’s Expanded Student Data Privacy Regime

• Student Online Personal Information Protection Act (SOPIPA) recently enacted in California and taking effect on January 1, 2016, is not limited to services provided directly to schools.

• SOPIPA applies stringent privacy rules to any operator of websites, Internet services, or mobile applications with actual knowledge that the services are used primarily for “K–12 school

purposes” and were designed and marketed for K–12 school purposes.

• SOPIPA prohibits, among other actions, using student data for targeted advertising on the service; using any information collected, including persistent unique identifiers (such as

persistent cookies), for targeted advertising on any other site or service; and selling student data. SOPIPA also imposes certain data security and deletion requirements on covered services.

• “K–12 school purposes” is defined as any purpose that customarily takes place at the direction of

a K–12 school, teacher, or school district or that aids in the administration of school activities.

• Accordingly, even if an online service is not provided directly to schools, if it is used by K–12

students or fills a traditional school function, it may be subject to the restrictions. Services subject to SOPIPA may therefore include some social networks, collaboration tools, study aids (such as flashcard apps or other mobile education apps), note-swapping services, and message boards, among any other tools that a school might use or benefit from.

Some More State Laws

•

Card transaction laws. Several states, including

California, New York and Massachusetts, have enacted

laws that limit the collection of personal information in

connection with payment card transactions.

•

Social Security number laws governing the collection,

use, protection, disclosure and sale of Social Security

numbers.

Constantly Changing State Laws

•

At least 23 states introduced or considered security

breach notification legislation in 2014. Most of the bills

provided for amendments to existing security breach laws.

•

At least 11 states enacted some type of breach legislation

for businesses, educational institutions or government in

2014.

•

Kentucky in 2014 became the 47th state to have a breach

law.

2015 Proposed Amendments to New

York Law

•

In mid-January 2015, New York’s attorney general proposed

amendments to his state’s data security laws, which would:

• require companies to put into place certain strong technical and physical security measures to protect the data they hold,

• amend the state's existing breach notification law to include within the definition of “private information” the combination of an email address and password, an email address in combination with a security question and answer, medical data such as biometric information and health insurance information,

• create a safe harbor from liability for companies that adopt and attain certification that they have effectively implemented heightened security standards, and

• provide a shield for companies that share forensic reports with law

enforcement officials by ensuring that the disclosure does not affect any privilege or protection.

New Federal Legislation?

•

In remarks at the FTC on January 12, 2015, and in his State of the

Union Address on January 20, 2015, President Obama called for the

passage of the Personal Data Notification & Protection Act, which

would:

• Create a single national standard for security breach notification

• Businesses would have 30 days to notify affected individuals of a security breach.

• Businesses would not need to notify affected individuals if “there is no reasonable risk of harm or fraud” to the affected individuals.

• Businesses would be required to notify individuals directly and provide media notification in any state with more than 5,000 affected individuals.

• Businesses must notify “an entity designated by the Department of Homeland Security” within 10 days of discovering the breach.

New Federal Legislation?

•

Proposed Personal Data Notification & Protection Act would:

and between private sector and federal government

• President Obama’s proposal encourages the private sector to share “appropriate cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center” (“NCCIC”).

• The NCCIC would then share the cyber threat information with (1)

appropriate federal agencies and (2) Information Sharing and Analysis Organizations (“ISAOs”), which are developed and operated by the private sector.

• Businesses that share the cyber threat information they acquire would be granted “targeted liability protection.”

• Enhance law enforcement’s ability to investigate and prosecute cyber

New Federal Legislation?

•

Tug of war?

• Financial industry tradegroups pushing for the Personal Data Notification and

Protection Act because preemption of state data security breach notification laws would require (and enable) retailers and other businesses to meet a single national standard.

• Industry groups also backing the Personal Data Notification and Protection Act as it

will promote sharing of cyber threat information between private and public sectors because threat of litigation reduced.

• Some State Attorney Generals and privacy advocates are against because some

State laws are more protective.

•

President Obama also proposed a federal Student Digital Privacy Act

modeled on California’s SOPIPA.

Related Contract Provisions for

Commercial Contracts

•

More and more of the commercial contract is related to

the Customer’s data and the corresponding rights,

obligations and liabilities of the Vendor and Customer.

•

What contract provisions are required?

•

Depends on the particular facts and circumstances of the

relevant transaction, taking into account:

• What types of data will be accessed/processed/hosted?

• Consider the sensitivity – Personal Information? Protected Health

Information (PHI)? Sensitive Personal Information? Business-sensitive information?

Data Definitions

•

Data

• Not only the data as provided by Customer – also any data accessed by Vendor and any data resulting from Vendor’s performance of the services • Will Vendor will have data of Customer’s clients or other third parties?

•

Personal Information (Subset of Customer Data)

• Identifies a person (e.g., name, address)

• Authenticates a person (e.g., passwords, PINs)

• Subset: “sensitive personal information,” such as SSN, financial account numbers, other government-issued IDs

• Subset: protected health information (PHI) under HIPAA

•

Vendor should provide protection of Customer’s data

commensurate with the level of sensitivity of the data

•

Confidential Information

• Include Customer Data in definition of Customer Confidential Information • Personal Information as “exception to the exception” from the definition of

Data Security Plan

•

Maintenance of data security plan

•

Meeting requirements of law

•

Meeting requirements of Customer policy?

•

Meeting requirements of Vendor policy?

•

Meeting requirements of Industry standards? Data security

standards (such as ISO; ITIL; PCI DSS)?

•

Enhancement over time to keep pace with the foregoing;

lessons learned; sensitivity of data

•

Addressing, among other things:

• Physical security, commensurate with data sensitivity

• Logical/system security, to avoid compromise of confidentiality through commingling

Data Security Plan

•

Maintenance of data security plan

•

Addressing, among other things:

• Access by authorized personnel only

• Regular monitoring of intrusion detection system and reporting

• Encryption (e.g., for transfers outside firewalls)

• Use of mobile devices and storage (e.g., laptops, tablets, USB drives, back-up tapes), including whether use is permitted

• Enhanced standards for Personal Information, including PHI

• Employee privacy and security training

Response to Data Security Breach

•

Required response to data security breach

•

Response

•

Report

•

Remediation

•

Notice required by law

•

Credit monitoring required by law/policies

•

Other requirements under law/policies

Compliance

•

Compliance

•

Definition of “Laws”

•

Definition of entities that issue “Laws”

•

Build in new and modified laws

• Compliance

• Allocation of compliance and monitoring obligations between Parties

• Vendor Laws: Vendor must monitor and comply (at Vendor’s cost)

• Customer Laws: Customer must monitor; Vendor must comply (at whose cost?); Customer may issue “Compliance Directives” to Vendor

• Where to allocate specific privacy laws (e.g., HIPAA, G-L-B, EU Data Privacy Directives)?

• Remember certain specific laws – for example, contracts with third-party service providers that receive, store, maintain or process personal information of a MA resident are required to protect it as required by the MA Regulations.

• Language can be simple – e.g., that the vendor is required to comply with applicable Laws (and new or modified Laws), and that the MA Regulations are covered by the definition of “Laws”

• Right to audit the vendor’s compliance

• Requirement that the vendor return or destroy all personal information upon termination

• Requirement to provide prompt notification of breach

Compliance

•

Compliance

•

Compliance with Policies

•

Vendor policies (including changes)

•

Customer policies (including changes)

•

Can they be aligned?

• Is it feasible for Vendor to adjust its policies on a customer-specific

basis?

• Can Customer be comfortable relying on Vendor’s policies?

•

Mandatory change control – costs of changes –

potential for vendors to look to spread costs of major

change

•

Timing for implementing change

Derivative Data, Access, Return and

Destruction

•

Vendor right to derivative data

• Does Customer have the right to give Vendor the right under applicable privacy policies, contracts, laws, etc.?

•

Access and Return of data

• Access in response to customer requests (may be required by HIPAA and other laws)

• Access and preservation for discovery purposes

• Access to respond to requests by law enforcement or governmental authority

• In what format? Any need for conversion assistance?

•

Destruction of data

• In accordance with the requirements of applicable laws, policies, contracts, etc.

Audit and Compliance Certifications

•

Audit

•

Vendor cooperation with audits, including with regulatory audits

•

SSAE 16

• Audit of the design and/or effectiveness of Vendor’s controls; results in audit report that Vendor may share with its customers.

• Can apply even if the data in Vendor’s possession does not affect

Customer’s internal control over financial reporting – choice of type (SOC 1 vs. SOC 2).

•

Quality/compliance certifications (e.g., ISO/IEC)

Liability

•

Limitations on Liability

• Contract will typically contain:

• Disclaimer of consequential and other indirect damages

• Direct damage cap

• Certain exceptions to the disclaimer and/or cap

• Key issue is how direct claims by Customer and Vendor

indemnification obligations for breaches of data security, confidentiality and compliance obligations under the MSA are treated under the direct damage cap and disclaimer of indirect damages.

• “Pre-defined” direct damages

• Costs of data breach remediation.

• Indemnified losses.

Indemnification

• Vendor defense and indemnification of Customer from and against third party claims (including regulators or individuals whose data has been disclosed), and associated liabilities and costs arising from:

• Breach by Vendor (or its subcontractors) of Vendor’s data security or

confidentiality obligations under the contract

• Indemnification obligations are typically a pure exception to the disclaimer of consequential damages.

• Indemnification obligations for data security and compliance obligations often challenged as pure exception to the direct damages cap.

Liability for data breach

•

Let’s break it down – what are the major areas for

damages exposure

investigating breaches

remediating systems

restoring data

recreating data

data breach notifications and remediation requirements with

respect to the individual and regulators

Liability for data breach

•

What we are seeing (and it is not consistent)

•

Unlimited or enhanced liability if the supplier was in

breach

of its obligations

•

May depend on the type of data (is there a lot of PI or

PHI)

•

May depend on the encryption or other solution

Liability for data breach

• Supplier is not “in breach” but • Data is residing on the supplier’s

systems or under the supplier’s control

• Should the customer have to prove a breach for supplier to be liable?

Where it gets

contentious

•data breach notifications and remediation requirements with respect to the individual and regulators

Maybe

differentiate by

type of damage:

Additional Key Topics

• Service locations and subcontracting

• Where is the data? Customer’s locations, Vendor’s locations,

Subcontractor locations, DR/BCP sites, “Cloud” locations – where are the servers, both for data storage and processing?

• Who has the data and are they subject to the same contract requirements?

• Contract flow-down requirements in subcontracts • Background check requirements

• Governing law vs. laws that apply due to data type/source/location

• Considerations for companies that provide services directly to schools based on applicable State laws

For more information

Visit our blog: Sourcing@MorganLewis

Sourcing@MorganLewis

updates lawyers and sourcing professionals

on the latest developments and trends affecting outsourcing,

technology, and other commercial transactions.

Recent topics:

• Usage Rights in Software License Agreements

• 2015’s Outsourcing Trends to Watch

• New Jersey Law to Impose Encryption Obligations on Health Insurance Carriers

• Microsoft Challenges U.S. Government on Warrant for Data Stored Overseas