Data Protection: Security Measures

NDA

Table of Contents:


  • Obligation to Maintain Security Measures

  • Data Security Breach Incidents

        - Notice

        - Audit

        - Corrective Measures

        - Public Announcements

Data Protection: Security Measures

Information in electronic form comprises an increasingly larger component of confidential information disclosed via NDAs. Such electronic data is often stored in electronic databases accessible by networked terminals and servers, including those outside the control of the receiving party, thus making them particularly susceptible to unauthorized access. Due to the growing occurrence of security breaches leading to the unauthorized access of such databases, parties have included additional terms relating to the handling and protection of electronic data that go beyond the standard measures applicable to traditional types of disclosed information.

For a discussion on data protection terms applicable to general commercial contracts, please see the section entitled “Data Protection and Security”.

Obligation to Maintain Security Measures

As illustrated in the following exemplars, the receiving party retains a general obligation to implement proper security measures to guard against unauthorized access to confidential information (i.e., a security breach):

Exemplar N6A-1

Each party agrees to hold any Confidential Information disclosed to it in confidence, agrees not to use such Confidential Information except in connection with the Project and agrees to limit disclosure of Confidential Information to those employees, agents or other third parties necessary for the Project who have agreed to be bound by the obligations herein. For purposes hereof, holding Confidential Information in confidence shall include the maintenance of physical and data security measures in accordance with applicable law or regulation and of a nature and scope to prevent unauthorized access to such Confidential Information.

Exemplar N6A-2

Recipient shall implement and maintain appropriate organizational, technical, and administrative security measures, exercising the same degree of care to protect Discloser’s Confidential Information that it uses for its own confidential information of a similar nature, but in no event less than reasonable care. Promptly after learning of any unauthorized use or disclosure of, and/or unauthorized attempt to access or modify, any Confidential Information in Recipient’s (or its Authorized Recipients’) custody or control, Recipient shall notify Discloser in writing and cooperate with Discloser to investigate and mitigate any adverse effects. Recipient shall be responsible for any unauthorized use or disclosure of Confidential Information by its Authorized Recipients.

The following exemplar offers more detail and specificity with regard to the heightened need to protect against unauthorized access to electronic data:

Exemplar N6A-3

Licensor shall implement and maintain security standards that meet or exceed the highest standards in the industry and that, in any event, are designed to meet the following objectives: (a) to ensure security and confidentiality of Protected Data; (b) to protect against any anticipated threats or hazards to the security or integrity of Protected Data; and (c) to protect against unauthorized access to or use of Protected Data. Licensor shall maintain physical, electronic, and procedural controls and safeguards, in compliance with all applicable laws, to protect the Protected Data from unwarranted disclosure. These controls shall include the maintenance of reasonable and appropriate safeguards to restrict access to the Protected Data to those employees, agents, or service providers of Licensor and Subcontractors who need such information to carry out the purpose of providing the Services. For information disclosed in electronic form, Licensor agrees that such safeguards must include electronic barriers (e.g., “firewalls” or similar barriers) and password protected access to the Protected Data. In addition, in the event that Licensor sends or receives any Protected Data over the Internet or through an internet service provider (or ISP), Licensor shall secure or encrypt such information in a manner consistent with the highest industry security standards. For information disclosed in written form, Licensor agrees that such safeguards shall include secured storage of Protected Data. Licensor shall also establish and maintain any additional physical, electronic, and procedural controls and safeguards to protect the Protected Data from unwarranted disclosure as may be required to comply with any and all applicable laws.

One of the most sensitive categories of electronic data that may be disclosed under an NDA is personal information (e.g., biometric, medical, financial or other personally identifiable information). Unauthorized access to such personal data can lead to significant legal (civil damages and criminal prosecution) and regulatory (fines and penalties) liability. Therefore, parties that contemplate the disclosure of such personal data should take great care to ensure its protection with special and specific terms applicable to such data.

In the following exemplars, the receiving party is required to establish and implement programs designed to ensure the security of personal data:

Exemplar N6A-4

If any Confidential Information provided or disclosed to, or acquired by, Contractor in connection with the Purpose includes the name and address of an individual COMPANY subscriber, or other information that under Applicable Law (as such term is defined below) is personally identifiable information (or other equivalent term used under any Applicable Law) of an individual COMPANY subscriber (collectively, "Personal Data"), the communication, storage and use thereof by Contractor shall be subject to the provisions of this Section. "Applicable Law" means any privacy, data security, breach notification, identity theft or other United States federal or state law applicable to Personal Data.

(a) Contractor has established, and implements and maintains, (i) a comprehensive written information security program that is reasonably designed to protect the security, confidentiality and integrity of Personal Data (the "Security Program"); and (ii) a written program for combating identity theft in connection with Contractor's use of Personal Data, either as a component of the Security Program or on a stand-alone basis (the "Identity Theft Prevention Program").

(b) The Security Program and the Identity Theft Prevention Program shall each comply with all Applicable Laws and contain administrative, technical and physical safeguards appropriate to Contractor's size and complexity, the nature and scope of Contractor's use of Personal Data, and the sensitivity of Personal Data.

(c) Without limiting the generality of the foregoing (i) the Security Program and the Identity Theft Prevention Program shall include reasonable policies and procedures for detecting, preventing and mitigating identity theft that conform to regulations and guidelines promulgated pursuant to Applicable Laws. For purposes of this Agreement, references to and compliance with Applicable Law shall mean reference to and compliance with any Applicable Law of the jurisdiction in which an individual whose Personal Data included in Confidential Information resides, even if any such Applicable Law does not otherwise impose a direct obligation on Contractor.

(d) COMPANY and Contractor shall cooperate in good faith to establish procedures for the secure communication between them of Personal Data.

(e) Personal Data, and all summaries, excerpts, abstracts and compilations of Personal Data, are deemed Confidential Information and shall be treated as such under this Agreement despite the lack of any confidentiality or proprietary legend, marking, stamp or other designation and regardless of the form in which Personal Data is embodied.

Exemplar N6A-5

Contractor shall maintain a formal security program materially in accordance with industry standards that is designed to: (i) ensure the security and integrity of Customer Information; (ii) protect against threats or hazards to the security or integrity of Customer Information; and (iii) prevent unauthorized access to Customer Information.

Data Security Breach Incidents

Depending on the nature of the personal data and the likelihood of a security-breach incident involving such data, the parties drafting an NDA may wish to include terms defining the process and procedure to be undertaken in response to such an incident.

Notice

The first step in such a process is notifying the owner/disclosing party of the incident:

Exemplar N6A-6

Upon becoming aware of a Data Protection Incident, Contractor shall promptly notify COMPANY in writing, reasonably detailing the circumstances and particulars thereof. Promptly following its own receipt thereof, Contractor shall provide COMPANY with a copy of (A) any written communication from a governmental entity pertaining to a Data Protection Incident, and (B) any complaint or demand filed with a court or governmental entity pertaining to a Data Protection Incident; provided, that Contractor may redact from such copy any non-public information that identifies or describes any customer or client of Contractor. For purposes of this section, a "Data Protection Incident" means (A) any (1) breach of Contractor's facilities, equipment or systems, (2) failure to comply with the Security Program or the Identity Theft Prevention Program, (3) unauthorized disclosure, access or use of Personal Data in the possession or under the control of Contractor, or (4) violation by Contractor or any employee, contractor, agent or representative of Contractor of any Applicable Law, that in each case reasonably may be expected to (x) adversely affect the security or confidentiality of Personal Data, or (y) lead to identity theft or other substantial harm or inconvenience with respect to a COMPANY subscriber; or (B) any (1) claim made or suit filed or proceeding instituted by a third party with respect to, or (2) inquiry, investigation or directive initiated or issued by any governmental entity regarding (x) the failure by Contractor to comply with any Applicable Law, or (y) any compromise in the security or confidentiality of Personal Data in the possession or under the control of Contractor.

Audit

Upon receipt of such notice, the owner/discloser may want to conduct an independent investigation of the incident via the exercise of an audit right:

Exemplar N6A-7

Promptly upon the occurrence of a Data Protection Incident, Contractor shall accord to any independent security expert or auditor engaged by COMPANY and reasonably acceptable to Contractor reasonable access to all facilities, systems and records in the possession or under the control of Contractor solely to investigate and examine Contractor's use of Personal Data and compliance by Contractor with the Security Program and the Identity Theft Prevention Program as they relate to Personal Data; provided, that any independent third party engaged by COMPANY that is qualified as a Certified Information System Security Professional or as a Certified Information Systems Auditor, or holds a Global Information Assurance Certification from the SANS (SysAdmin, Audit, Network, Security) Institute, shall be deemed acceptable to Contractor. Such independent security expert or auditor engaged by COMPANY must execute a confidentiality agreement in a customary form reasonably approved by Contractor prior to any such inspection.

Exemplar N6A-8

At least once per year, Contractor shall at its expense have an audit conducted by a reputable and experienced external party in accordance with the then current security industry standards, including generally accepted auditing standards such as, without limitation, American Institute of Certified Public Accountants (“AICPA”) of the information technology and information security controls for all facilities used in complying with its data security and other obligations under this Agreement, including, but not limited to SSAE18, SOC 1 Type II or SOC 2 Type II audits, network-level vulnerability assessment, or penetration tests performed by a recognized third-party audit firm based on the recognized industry best practices. The minimum coverage of a SOC report is 6 months of Customer’s fiscal year (January through December). Upon Customer’s written request, Contractor shall make available to Customer for review all of the following, as applicable: Statement on Standards for Attestation Engagements (SSAE) No. 18 audit reports for Reporting on Controls at a Service Organization (SOC reports) and reports relating to its vulnerability scans and penetration test reports. Customer may request a Gap Letter to provide assurance there are no material changes since the date of the latest available SOC report. In each case, information not relative to Customer and solely relative to any other client may be redacted or deleted. Customer shall treat such audit reports as Contractor’s Confidential Information under this Agreement.

Corrective Measures

The parties will also need to address the management and rectification of, and ascribe liability for, the incident, as demonstrated in the following example:

Exemplar N6A-9

In the event of the occurrence of a Data Protection Incident involving Personal Data, Contractor shall take such reasonable corrective measures as COMPANY may request that are customary under the circumstances (such as providing breach notifications to COMPANY subscribers). Contractor shall promptly reimburse COMPANY upon its written request reasonably detailing any of the following costs and expenses actually and reasonably incurred by COMPANY as a direct result of such Data Protection Incident: (a) the reasonable fees and disbursements of any independent security expert or auditor engaged by COMPANY to conduct any investigation or examination upon the occurrence of a Data Protection Incident, and (b) any corrective measures required by any Applicable Law or by any governmental entity, financial institution or payment card issuer or processor to be taken by COMPANY (such as providing breach notifications to COMPANY subscribers, closing and/or reopening COMPANY subscriber accounts, and offering credit monitoring services and identity theft insurance to COMPANY subscribers).

Public Announcements

Finally, the parties should coordinate the content and timing of any communication to the public regarding the incident:

Exemplar N6A-10

Contractor shall not issue any press release or make any public announcement concerning any Data Protection Incident involving Personal Data without the prior express written approval of COMPANY with regard to the form, content and timing of such announcement, which approval shall not be unreasonably withheld or delayed. Contractor shall cooperate in good faith with COMPANY in promptly responding to all third-party inquiries pertaining to any Data Protection Incident involving Personal Data.
