As discussed in last week’s column, the European Union’s General Data Protection Regulation (GDPR) is affecting e-discovery vendor agreements in the United States.
Parties are adding a separate set of provisions: obligations arising from the EU's GDPR, a regulation in EU law that took effect on May 25, 2018, and which addresses both data protection and privacy for all individuals within the European Union and the export of personal data outside the EU.
In this week’s article, I will discuss how the requirements of the GDPR have resulted in changes to client/vendor e-discovery agreements.
Upon discovering any security vulnerability within the VIS, the vendor shall promptly perform, at its sole cost, remedial actions to mitigate the vulnerability and complete appropriate testing to verify that the risk associated with it has been effectively mitigated.
The vendor will cause, at least annually for each facility at or from which services are provided, a full-scope Service Organization Control (SOC) 2 Type II audit (or an industry-standard successor report) to be conducted. The entity conducting the SOC audit shall be subject to the client's approval, with such approval not to be unreasonably withheld or delayed. The vendor will promptly provide the client with a copy of the resulting audit reports (redacted solely to the extent necessary to protect confidential information of other vendor customers contained therein), including documentation describing the controls against which the review was performed (if not described in the report itself).
Additional Security Requirements
The security requirements run far longer than what has been discussed so far. There are many more of them, each is spelled out in detail, and virtually all of those details are ways of putting the requirements of the GDPR into practice. They pertain to:
- Network security;
- Business continuity;
- IT continuity;
- VIS configuration;
- A formal written software development lifecycle that provides for effective change control, configuration management and verifies that all security configurations are in place prior to the use of any component of the VIS in a production environment. Within the software development lifecycle, production data will not be used in testing.
- Secure backups of client data, stored on the VIS and retained for at least 30 days.
- Encryption of client data.
- Sanitizing of devices prior to recycling, resale, reassignment or disposal, or following such a computer or mobile device’s loss or theft, or destruction of devices which cannot be sanitized.
- General access control requirements, i.e., limiting confidential information to authorized persons or roles on the principle of least privilege: each user is assigned the lowest permission level that still allows the relevant vendor personnel to complete their assigned tasks.
- The vendor will protect all passwords, passphrases and PINs using solutions certified against industry best practices and standards, and verify that encryption keys and any other keying material are not stored with the data they protect. (In practice this means user passwords are stored only as salted, iterated hashes rather than in reversibly encrypted form; reversible encryption, with the key held separately, is reserved for secrets the vendor must replay, such as service-account credentials.)
- The vendor will disable user accounts after a set number of consecutive invalid authentication attempts (typically nine) and lock users' computer screens after a period of inactivity in accordance with industry best practices and standards (typically no more than 15 minutes).
- The vendor must manage account passwords and require minimum password standards in accordance with industry best practices and standards.
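The password-protection and account-lockout requirements above are contract language, not an implementation. The following is an added example, written for this column and not code from any vendor's VIS, of how those two requirements are typically met together: passwords are stored as salted PBKDF2 hashes, a separately held "pepper" (assumed here to come from a secrets manager, and never written into the credential record) supplies the keying material that must not live with the data, and an account is disabled after nine consecutive failed attempts, with the counter reset only by a successful login. The usernames, passwords and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

LOCKOUT_THRESHOLD = 9          # consecutive failures before the account is disabled
PBKDF2_ITERATIONS = 100_000    # lowered for a quick demo; production guidance is far higher
SALT_BYTES = 16
_DUMMY_SALT = b"\x00" * SALT_BYTES


class CredentialStore:
    """Salted, peppered password hashes plus a consecutive-failure lockout.

    The pepper is keying material supplied at construction time (assumed to be
    fetched from a secrets manager) and is deliberately absent from the stored
    records, so a copy of the record store alone cannot be used for offline
    verification of guesses.
    """

    def __init__(self, pepper: bytes):
        if len(pepper) < 16:
            raise ValueError("pepper must be at least 16 bytes")
        self._pepper = pepper
        self._records: dict[str, dict] = {}

    def _derive(self, password: str, salt: bytes) -> bytes:
        # Slow, salted derivation first, then keyed with the pepper so that the
        # stored digest cannot be checked without the separately held key.
        stretched = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
        )
        return hmac.new(self._pepper, stretched, hashlib.sha256).digest()

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)
        self._records[username] = {
            "salt": salt,                      # salt is not secret; storing it is fine
            "digest": self._derive(password, salt),
            "failures": 0,
            "disabled": False,
        }

    def authenticate(self, username: str, password: str) -> bool:
        rec = self._records.get(username)
        if rec is None:
            # Burn the same work for unknown users so response time does not
            # reveal which usernames exist.
            self._derive(password, _DUMMY_SALT)
            return False
        if rec["disabled"]:
            # A correct password does not reopen a disabled account; an
            # administrator must unlock it explicitly.
            return False
        candidate = self._derive(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["digest"]):
            rec["failures"] = 0                # success resets the consecutive count
            return True
        rec["failures"] += 1
        if rec["failures"] >= LOCKOUT_THRESHOLD:
            rec["disabled"] = True
        return False

    def is_disabled(self, username: str) -> bool:
        return self._records[username]["disabled"]

    def failure_count(self, username: str) -> int:
        return self._records[username]["failures"]

    def admin_unlock(self, username: str) -> None:
        rec = self._records[username]
        rec["disabled"] = False
        rec["failures"] = 0


if __name__ == "__main__":
    store = CredentialStore(pepper=os.urandom(32))   # demo pepper, constructed here
    store.register("reviewer1", "correct horse battery staple")
    for _ in range(LOCKOUT_THRESHOLD):
        store.authenticate("reviewer1", "wrong guess")
    print("disabled after lockout:", store.is_disabled("reviewer1"))
```

Two details are easy to get wrong when translating the contract clause into code: the counter must count consecutive failures, so one successful login in between resets it, and a disabled account must reject even the correct password until an administrator unlocks it; otherwise the lockout does nothing against an attacker who already has the password.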
There are several reasons why GDPR-based agreements include many specifics omitted from standard master agreements. First, GDPR-based agreements reflect the cross-border exchange of data that is common among the countries which comprise the EU, and which is becoming more common everywhere as data is stored in more physical locations and accessed as part of e-discovery processing and review. By contrast, standard master agreements articulate the more generalized IT standards common to countries, such as the United States, where, historically, data has been stored and transmitted within a single country. Second, and relatedly, writing the GDPR's requirements into the contract allows the generalized terms of the standard master agreement to be replaced with specific terms that make data storage, security and other aspects of e-discovery more secure.
For example, and as previously discussed, GDPR-based agreements mandate that the vendor follow ISO standards for the security of data, while the generalized terms of the standard master agreement merely state aspirations rather than data-security actions that must be taken. Third, while the GDPR can be enforced outside the context of a contract, incorporating GDPR requirements as terms of an agreement allows the party seeking enforcement to do so through litigation, to obtain indemnification from the offending party (and so a strong remedy for the violation), and in many other ways to make enforcement stronger than if the GDPR applied generally but its specifics were not written into the agreement.
The GDPR must be followed in the United States, even though the United States is not part of the EU. If it is not followed, EU data brought to the United States, or U.S. data stored in the EU, would likely be inadmissible in U.S. courts, and the U.S. parties to such GDPR violations would expose that data to suppression and themselves to breaches of their insurance obligations.
GDPR-based agreements are the future of e-discovery agreements. They ensure that GDPR terms will be part of e-discovery agreements, articulate with specificity how those terms translate into e-discovery requirements and, at the same time, clearly establish and limit the penalties for violating them. The question, then, is not whether the GDPR will be incorporated into U.S. master agreements, but how quickly that incorporation will become the rule rather than the exception.
Leonard Deutchman is vice president, legal for KLDiscovery. Before joining KLDiscovery, he was a chief assistant district attorney at the Philadelphia District Attorney’s Office, where he founded the Cyber Crime Unit and conducted and oversaw hundreds of long-term investigations involving cybercrime, fraud, drug trafficking and other offenses.