Pressed by new security breach disclosure laws, companies ranging from financial institutions to data brokers to major corporations were compelled to disclose a number of breaches in 2005. One of the earlier highly publicized data security breaches involved the consumer information broker ChoicePoint Inc., which announced that criminals posing as legitimate businesses had accessed the personal information of over 140,000 individuals. Following the ChoicePoint incident, a cascade of stories about personal data security breaches involving companies such as MasterCard International [FOOTNOTE 1] and Bank of America became public.

But data security concerns are not limited to domestic breaches. In fact, concern over data security has reached beyond U.S. borders as more businesses engage in offshore outsourcing. In India, a major outsourcing country, one serious breach occurred when a former bank employee was accused of stealing $350,000 from a U.S. consumer’s bank accounts. [FOOTNOTE 2] In the absence of uniform federal privacy or data security legislation in the United States that addresses the collection, storage, transmission or use of personal information, privacy protection and data security concerns have made outsourcing transactions increasingly complex.

FEDERAL AND STATE LAWS

Unlike the European Union’s comprehensive Directive on Data Protection, the existing patchwork of federal law includes a number of significant statutes that govern the collection and use of personally identifiable information by companies and their vendors. Some of the more significant laws that implicate outsourcing on both an international and a local level include the Health Insurance Portability and Accountability Act (HIPAA), [FOOTNOTE 3] the Sarbanes-Oxley Act (SOX) [FOOTNOTE 4] and the Gramm-Leach-Bliley Act (GLB). [FOOTNOTE 5]

HIPAA is intended to protect sensitive consumer information relating to health care and prohibits the use of an individual’s medical information for purposes other than that for which the information was provided, without the person’s express consent. In addition, before disclosing protected health information to any business associate, HIPAA requires a covered entity to ensure that a contract is in place obligating the business associate to also adopt the privacy standards imposed by the law. As a result, all entities that deal with protected health information, whether directly or indirectly, are effectively compelled to abide by the requirements of HIPAA.

The focus of SOX is the financial data of public companies, and its provisions primarily reflect congressional efforts to protect investors in publicly traded companies by providing, among other things, a uniform accounting framework and by improving the accuracy and reliability of corporate disclosures and reporting. The act does not apply to private companies. [FOOTNOTE 6] The obligation to certify financial disclosures remains with the company’s appropriate executive even if a corporation engages in business process outsourcing — transferring to outside vendors, whether within the United States or overseas, activities such as payroll processing or human resource management. Consequently, the responsibility is nondelegable, and “companies using outsourcers may be out of compliance with SOX in part because controls aren’t being audited.” [FOOTNOTE 7]

At the state level, California has been the most active in enacting legislation, [FOOTNOTE 8] and it served as the impetus for the passage of data security regulations in other states last year. California and other state laws are likely to impact outsourcing practices, adding another level of compliance for those companies that do business in states that have data security and privacy protection laws.

For companies engaged in outsourcing transactions in more than one state, compliance most likely will be more time-consuming and require additional resources, because state laws are not uniform and what is permissible in one state may be prohibited in another. Depending on the services being provided, many of which involve electronic and computer records, varying privacy and data security laws will apply to a company’s business practices. Regardless of which laws (federal, state, or both) affect an outsourcing deal, there are at least three important issues that warrant attention by counsel during the negotiation of an outsourcing transaction: due diligence, negotiating legal compliance, and mitigating risk at an operational level.

DUE DILIGENCE

With the existence of many privacy and data security laws and regulations, due diligence has become, more or less, mandatory, requiring attorneys to take a careful and proactive role in the process. From a customer’s perspective, its reputation is often at stake because breaches of privacy can lead to bad press and loss of goodwill, especially when customers are required to disclose the breach, and noncompliance with privacy standards can lead to potential legal liability. Under many laws, including SOX, for example, [FOOTNOTE 9] a customer cannot shift risk to a service provider for certain regulatory violations (e.g., criminal liability, consent decrees and so on).

The use of a due diligence checklist often will assist in providing a broader understanding of the outsourcing transaction, including those privacy and data security measures that need to be implemented and those which are already standard practice for the service provider. Among other things, some key items that might appear on a checklist include:

- What is the customer’s business (financial institution, insurance provider, manufacturer) and what specific market does it serve?
- What specific aspect of its business is the customer outsourcing (IT, claims processing, accounting services)?
- To what type of data will the service provider need access, to whom does the data belong, and where did it originate?
- What is the geographic scope of the transaction?
- Where and how is the data to be located or stored?

Due diligence is the first line of defense to ensure proper compliance. At this stage in the process, the parties should be open and forthcoming with respect to their concerns and should have written privacy and security policies. Counsel must help determine the particular laws that may be impacted.

NEGOTIATING LEGAL COMPLIANCE

When negotiating data security and privacy issues, it is important for the parties to avoid taking a draconian approach. Instead of including broad provisions, such as those that mandate compliance with “all applicable laws” during the term of the agreement, the parties should adopt a more flexible approach, given that each has a vested interest in reaping the benefits and ensuring the longevity of the transaction. Important issues to be thoroughly negotiated might include financial responsibility for implementing changes required by existing laws or by new laws that might be enacted after the deal is signed. Moreover, it is important to indicate which laws will apply (e.g., HIPAA, SOX, state law) and which party shall have the ability to interpret them as they exist, as well as any amendments that might later be enacted. For example, it may be impractical for a service provider, especially one located abroad, to interpret often-complex U.S. laws and federal regulations in the absence of clear directives and requirements from experienced counsel acting on its behalf. Further, even if existing laws do not change and no new laws are enacted, a customer may still update its data security and privacy policies as a matter of business practice or to adapt to an evolving industry landscape. In this situation, the parties may need to re-evaluate their agreement and modify their existing practices and procedures to reflect these changes. Finally, both parties should ensure that compliance costs are reflected in the contract.

MITIGATING RISK

For both parties, it is critical to mitigate operational risks and potential liability at the outset. Although not foolproof, a contract that incorporates provisions addressing potential operational problems or failures can be enormously helpful in heading off future difficulties. In most situations, it is good practice for the customer to keep private data in its control. Ideally, this is best achieved if the data is electronically stored at the customer’s premises, where practical. If data must reside with the provider, the customer should control access. This may be achieved, among other ways, by storing data at a service provider location approved by the customer, ensuring that data can be relocated only with the customer’s consent, and segregating customer data from the service provider’s data as well as from the data of its other clients.

In addition, the contract should include early warning notification requirements to inform the company of any security breaches or risks, as well as provisions establishing strong audit requirements (both physical and electronic) to allow a customer to identify problems early, keep up to date with the service provider’s privacy controls, and ensure that software is fully updated, with the latest patches installed. For example, SOX requires that, as part of a company’s assessment of its internal controls, audits be performed at its service provider’s locations where financial data is maintained.

From a practical standpoint, certain protective technological measures, such as firewalls, anti-virus software, and password-protected or read-only access to systems, may already be implemented to some extent in the vendor’s environment. These common measures may greatly reduce the risk that protected information is improperly accessed or disseminated in violation of the applicable regulations, and may be implemented at a set technology cost that can be allocated between the parties. Other, more robust measures, such as electronic card access, maintenance of multiple backup facilities, and “clean desk” policies (where the vendor’s computers have no hard drives or removable disks, and employees are prohibited from having camera- or text-message-ready cell phones in the workplace), may be more costly to implement but may be necessary to ensure compliance. For additional procedures and security techniques, companies might also look to industry-created standards, such as the Generally Accepted Information Security Principles (GAISA), for ways to minimize privacy risks in outsourcing arrangements.

CONCLUSION

As outsourcing continues to grow, data security and the protection of personally identifiable information present important issues under a variety of laws. If the proper precautions are not taken early on, data security risks and privacy concerns may develop because corporations might discover they have less control over their data once it is placed in the hands of service providers, risking security breaches or legal liabilities. Therefore, it is imperative that customers and vendors, working together, identify the data security and privacy laws applicable to their transaction and institute the necessary safeguards.

Richard Raysman and Peter Brown are partners at Brown Raysman Millstein Felder & Steiner. They are co-authors of “Computer Law: Drafting and Negotiating Forms and Agreements” (Law Journal Press).

FOOTNOTES

FN1 In January 2006, MasterCard announced an initiative whereby it will work with merchants to provide them with “information, tools and support to help safeguard consumer data.” See Joris Evers, “MasterCard Kicks Off Security Push,” CNET News.com (Jan. 11, 2006), available at http://news.com.com/MasterCard+kicks+off+data+security+push/2100-1029_3-6026210.html.

FN2 Ed Frauenheim, “Insecurities Over Indian Outsourcing,” CNET News.com (April 26, 2005), available at http://news.com.com/Insecurities+over+Indian+outsourcing/2100-7355_3-5685170.html.

FN3 42 U.S.C. § 201 et seq.

FN4 Pub. L. No. 107-204, 116 Stat. 745 (2002).

FN5 15 U.S.C. §§ 6801-6809.

FN6 Despite SOX being applicable only to public companies, many private companies continue to pay careful attention to it or even adhere to it. Their reasons for doing so include the possibility of becoming a public company or merging with an existing public company. Also, some private companies follow SOX as a “best practices” standard.

FN7 Ed Frauenheim, “Relief from Sarbanes-Oxley on the Way?,” CNET News.com (June 9, 2005), available at http://news.com.com/Relief+from+Sarbanes-Oxley+on+the+way/2100-1014_3-5737846.html.

FN8 See, e.g., the California Security Breach Notification Act, Cal. Civ. Code §§ 1798.29, 1798.82 & 1798.84; the California Online Privacy Protection Act, § 22575 et seq.; and Cal. Bus. & Prof. Code §§ 4050-4060.

FN9 The obligations created by § 404 of SOX are nondelegable, and the appropriate corporate managers retain responsibility for ensuring that its requirements are satisfied.
