Tackling Data-Related Challenges in Contracts
Monday, April 3, 2017

Kim Bykov, Vice President, Managing Senior Counsel
Julia Le, Corporate Counsel
Jennifer K. Mailander, Associate General Counsel, Director Compliance and Privacy
Hilary Wandall, General Counsel and Chief Data Governance Officer
Topic Overview
- It's all about the Data
- Using contract terms to protect sensitive data
- Supplier security controls
- Addressing third party risk
- Strategies for surmounting data-related deal-breakers
- Special contract provisions for key data issues
- Managing changing regulatory requirements
Poll Question #1: Are you responsible for or do you contribute to:
1) contract review
2) due diligence review
3) both
4) neither
It's all about the Data...
- What types of data will be shared?
  - Personal Data (EU) / Personally Identifiable Information (US)
  - Protected Health Information (US)
  - Cardholder Data
  - Other sensitive data types
- What is the region of the data?
- Who owns the data?

Whether you're looking to mitigate data protection risk through any of the methodologies we're here to discuss today (contract provisions, vendor risk assessments, insurance), it's all about the data and how the data flows. To leverage each of these strategies effectively, you need to understand the data, what it is, and how it flows.

Comment from Kim Bykov: This slide is intended to summarize key questions about implicated data and data flows, which will drive contract terms, assessments, insurance and other risk mitigation functions.
And, how the Data will be processed
- Where will data be stored?
- Who has the obligation to secure the environment?
- Who has access to the data?
- What's the data flow? Will data be transferred? Pursuant to what legal mechanisms? Operational mechanisms?
- For cloud offerings, what is the nature of the deployment model (public, private, hybrid cloud) and service model (SaaS, IaaS, PaaS)?
- What happens to the data when the contract ends?
Using Contract Terms to Protect Sensitive Data
- Confidentiality provisions
  - Disclosing party must identify what data is confidential
  - Data classification: not a well-resolved area

Distinguish between security provisions regarding accessing data from the customer's site versus the vendor's site. Many contracts have specific security controls, and we'd be fine accepting the terms if we were accessing the customer's data.
Using Contract Terms to Protect Sensitive Data
- Confidentiality provisions (cont.)
  - Are there multiple confidentiality provisions?
    - Non-Disclosure Agreement
    - Proposal
    - Security provisions
  - Sometimes you have to sign addendums to protect certain types of data, e.g., health-related data
- Privacy provisions
  - Standard of care
Using Contract Terms to Protect Sensitive Data
- Security requirements and breach notification
  - Know your legal, regulatory, contractual and operational requirements
  - Audit rights/requirements
  - Distinguish between security provisions regarding accessing data from the customer's site versus the service supplier's site
  - Incident versus breach notification
  - Require BCP/DR for critical suppliers
Using Contract Terms to Protect Sensitive Data
- Indemnification
- Limitations of liability and exceptions, e.g., carve-outs for breaches of confidentiality and data breaches
- Third party/supplier access provisions
  - Flow-down terms
  - Additional operational requirements
  - Audit rights/requirements
Supplier Security Controls
- Supplier assessment forms
  - Some are security
  - Some are security and privacy
  - Some are everything that's relevant to the data
- Standardization would be very valuable here
- It's helpful where organizations have integrated all data and related controls into a single assessment

Vendor security controls, and negotiating the corresponding security-related contractual provisions, internally and with key stakeholders. Standardization would be very valuable here: it is an area in need of further improvement, and the forms are very long.
Supplier Security Controls (cont.)
- Privilege and data stored in the cloud
  - Do you want to control how data is being accessed and how the client is using the data?
  - Appropriate contract provisions and maintenance play into proper access controls and the ability to support privilege.
  - Clients are increasingly beginning to ask for this, and it highlights the importance of security controls.
  - Is this an audit function, to see who accessed data? The audit trail becomes important.

Vendor risk assessment and required controls should match key contract provisions in the resulting agreement.
Supplier Security Controls (cont.)
- Your IT team can be your best friend
  - They know security regulations really well
  - Buyer IT and business can often be at odds
- Prioritize your suppliers by risk
  - It depends on the goods/services being provided
  - Are they critical to your organization?
Poll Question #2: Does your organization have a third party risk assessment process?
1) Yes
2) No
3) Don't know
Addressing Third Party Risk
- Determine your risk tolerance; key factors to consider:
  - What kind of data are needed for the activity? Are they sensitive or confidential?
  - How valuable is the data to the company?
  - What risks do the data and/or the associated activity create for the organization, for customers, for business partners or the individuals to whom the data relate?

At a time when vendors do not accept unlimited liability for data-related risks, how do organizations determine what data-related terms and risk levels are commercially acceptable, and what risk they can shift to suppliers or mitigate through other channels such as cyber-insurance?
Addressing Third Party Risk (cont.)
- Determine your risk tolerance; key factors to consider:
  - What types of suppliers or other third parties (e.g., a business alliance partner, MA&D partners) are needed for or otherwise support effective implementation of the activity?
  - Does use of a supplier or other third party increase the risks identified above? If so, how?
Addressing Third Party Risk (cont.)
- Third party risk management mitigation
  - Cross-border data transfer management
  - Demonstration of privacy, security and other internal controls in the pre-contractual supplier assessment process
  - Periodic audit or other oversight and monitoring of contractual obligations, risks and controls
Addressing Third Party Risk (cont.)
- Expectations of suppliers to carry cyber insurance
  - Scope of coverage
  - Limits on coverage (generally $300M)
  - Average payout of $733K; payout average of 83%, but trending down
Poll Question #3: Does your organization
1) Have cyber insurance?
2) Require suppliers to have cyber insurance?
3) Both
4) Neither
5) Don't know
Strategies for Surmounting Data-Related Deal-Breakers
- Know your Counterparty
  - Data compliance requirements arise from multiple sources:
    - Industry-specific regulations or standards
    - Common law or statutory defenses to future claims requiring confidentiality (i.e., trade secrets claims)
    - Customers' internal data compliance policies
Strategies for Surmounting Data-Related Deal-Breakers (cont.)
- Build your Team
  - Identify and engage internal SMEs up-front
    - Privacy
    - IT compliance / cybersecurity
    - Insurance
Strategies for Surmounting Data-Related Deal-Breakers (cont.)
- Build Collateral
  - Create collateral that leverages expertise from internal stakeholders efficiently to avoid losing time at the bargaining table
  - On the buyers' side, craft a checklist tailored to your business that captures key legal and operational data requirements
  - On the sellers' side, create a customer-facing summary document of standard and available data protection controls
Special Contract Provisions for Key Data Issues
- Compliance should be the responsibility of both parties.
- Agree on specific compliance data privacy standards/regulations that are applicable and include mutual obligations.
- Security compliance can reference "industry standard" or be specific, e.g. ISO 27001.
- Supplier may have security documentation.

How to approach contract provisions on key data issues such as data privacy compliance, audit rights, requirements to report cloud use, data ownership, and the ability to mine, use, and track data.
Special Contract Provisions for Key Data Issues (cont.)
- Audit rights should be limited to compliance with the agreement. There should be a trigger event, e.g. underpayment/overpayment, security breach, etc.
- Reporting should be in a dashboard and related to services. All customers get access to the same reporting information.
Special Contract Provisions for Key Data Issues (cont.)
- Distinguish between pre-existing data and data that will be generated as a result of the agreement.
- Avoid specifying who owns new data. It's more important to address what each party can do with the data.
Special Contract Provisions for Key Data Issues (cont.)
For example: in an advertising campaign, each party will be collecting performance data.
- You can restrict what one party can do with data collected by the other party.
- You can also restrict the types of data each party can collect, e.g. no PII can be collected.
Managing Changing Regulatory Requirements (cont.)
- Include broad definitions of applicable law to allow for flexibility if the law changes after execution of the agreement.
- Provisions should address providing notice, getting consent, and data security to avoid the necessity for amendments on a regular basis.

How to adjust existing contracts to comply with ongoing regulatory changes, e.g., Privacy Shield, GDPR, and evolving US state laws.
Managing Changing Regulatory Requirements (cont.)
- Make the amendment process quick and easy. Use SOWs or have an exhibit with a template for changes.
- Large suppliers often have their own language and process-heavy procedures that are not transparent, which can present difficulties in negotiating terms.
Managing Changing Regulatory Requirements (cont.)
For example: if a supplier sits on language revisions, try to partner with the procurement and privacy functions, find someone you know who might know that person, and work with the business.
Managing Changing Regulatory Requirements (cont.)
- Be sure to include your stakeholders beyond those who are required to be notified.
- Specify contacts who can address contract issues or remediate so you don't end up sending a request for amendments into the ether.
- Include a header page with contacts for each party.
Managing Changing Regulatory Requirements (cont.)
- On the other hand, there may be concerns about being too broad or overly inclusive.
  - Include language that states the parties will comply with new laws/requirements within a reasonable period of time.
  - Include language that defines when a law/regulation is applicable, e.g. "applicable to the services under the agreement."
Managing Changing Regulatory Requirements (cont.)
- US-EU Privacy Shield changes
  - Can still use Model Clauses for controller-to-controller and controller-to-processor transfers.
- Other requirements
  - General Data Protection Regulation (GDPR)
  - Cross Border Privacy Rules (CBPR)
Key Takeaways
- Understand the data covered under a contract and how it will be processed
- Understand the contract provisions
  - Statement of work
  - Identify confidential data
  - Security requirements and breach notifications
  - Indemnification
  - Limitation of liability
  - Privacy
  - Supplier security provisions
Key Takeaways (cont.)
- Understand and prioritize your third party risk
- Be prepared: know your counterparty, build your team and develop supporting materials
- Be adaptable to the technology landscape when reviewing/drafting contracts
- Stay informed on the ever-evolving laws/regulations around security and privacy