NEGOTIATING DATA PROTECTION LIABILITY IN COMMERCIAL CONTRACTS
On behalf of Margules Law Group, P.A. | 08/25/2021 | Firm News
Many startup companies today are contracting with data service providers to organize or process personal data provided by customers. For purposes of the General Data Protection Regulation (“GDPR”) and the data protection statutes recently enacted in the United States, the startup company is the “controller,” the party that determines the purposes for which the data collected from a customer is used (and the means of that use). The data “processor” takes that information onto its software or platform and processes it on behalf of, and on the documented instructions of, the controller. The processor does not determine the purpose for which the data is used; under the GDPR, a processor that begins to decide purposes and means on its own is treated as a controller for that processing, with a controller’s liability. In this scenario, the parties enter into a Master Services Agreement (“MSA”) with an attached Data Privacy Addendum (“DPA”), which lays out the security measures that will be put into place to protect the data being processed. Most importantly, the parties will also negotiate who will bear liability in the case of a cyber event (such as a ransomware attack or the destruction or misuse of sensitive information).
For the controller, negotiating data protection liability in the contract is essential and can often result in lengthy internal and external discussions as to the appropriate stance to take regarding a potential cyber event. The GDPR provides a baseline of protection, but the DPA should also be carefully tailored to allocate responsibility more specifically. This article discusses some steps companies should take in negotiating liability for data protection:
DIVISION OF RESPONSIBILITY FOR COMPLIANCE AND STATUTORY LIABILITY
It is important for companies to first identify who is responsible for compliance with data protection law with regard to the purposes for which the data is used. Typically, the controller is the party primarily responsible for compliance with the data protection principles in the GDPR (lawfulness, purpose limitation, data minimization and the rest), and the controller must also be able to demonstrate that compliance; those principles govern the purposes for which a controller is allowed to use the data.
The GDPR also imposes obligations directly on processors, including the duty to implement security measures appropriate to the risk and to flow its contractual obligations down to any sub-processor, and a processor is liable for damage where it breaches an obligation directed specifically at processors or acts outside the controller’s lawful instructions. The DPA then provides additional written protections for the controller and its customer(s) as to the processor’s compliance, and it is the place to turn the GDPR’s general security duty into specific, verifiable commitments.
For individuals, the GDPR provides a direct statutory right to compensation for material or non-material damage from a controller or processor whose violation of the regulation caused the damage, including the destruction, misuse or otherwise wrongful disclosure of personal data.
Many U.S. states have enacted, or are in the process of enacting, legislation modeled in part on GDPR principles, in some cases going further (for example by imposing civil penalties on certain companies) and in others adopting more lenient principles (such as safe harbors for companies that maintain a written cybersecurity program in the event of a breach).
RISK ASSESSMENT AND COMPLIANCE
The controller also needs to identify the risks to the data it has entrusted to a processor, and in many situations that data is personal data. The controller should assess factors such as where the data is held, how much data there is and how sensitive it is, how many processors (or sub-processors) are involved, and whether any part of the processing poses a risk of non-compliance with applicable data protection regulations. Where the processing is likely to result in a high risk to individuals, the GDPR requires the controller to carry out a data protection impact assessment before the processing begins. Smaller companies (such as startups in the early stages of funding) should be especially careful to determine which processors they are working with, their reputation, and how reliable they have been based on their track record, including whether they can produce independent evidence of their security practices rather than assurances alone.
INDEMNITY PROVISIONS IN DPAs
In many cases the processor will hire sub-processors. From a negotiating standpoint, most DPAs contain a provision making the processor answerable for the sub-processors it uses to outsource services provided to the controller. For example, such a provision would state “processor shall be liable for any violations of the DPA by any of its sub-processors.” This mirrors the GDPR, under which the initial processor remains fully liable to the controller for a sub-processor’s failure to perform its data protection obligations. Because the controller usually has no contract with the sub-processor, any direct right of action against a sub-processor that has caused substantial damages has to be written into the agreements expressly; companies might want to negotiate for that ability, but in most cases the primary processor bears the sole responsibility to the controller for any breach of the DPA related to data security.
MITIGATION OF DAMAGES
A cyber event is one of the more impactful events that would trigger a violation of a DPA, whether a ransomware attack or the accidental misuse, destruction, withholding or wrongful disclosure of personal or confidential data protected by the DPA or applicable data privacy regulations.
As will be discussed in a subsequent article, some of the damages resulting from cyber events can be mitigated with cyber insurance. Some smaller companies do not carry any cyber insurance, but the companies that do should find out what the limits of their coverage are and what exclusions the insurer may rely on to deny coverage for a cyber event. Ransomware deserves specific attention: many policies today limit or exclude it, whether through sublimits, co-insurance on ransom payments, or broader exclusions such as those for acts of war or state-sponsored attacks, so a company should not assume a ransomware incident is covered without reading the policy.
Many of the associated risks of data processing can also be mitigated in advance by negotiating contractual terms in the DPA (including robust terms such as setting the GDPR as a minimum threshold). However, most U.S. companies are starting to realize that using the GDPR as a guideline is not enough. The GDPR requires security measures “appropriate to the risk” and lists examples (encryption, pseudonymization, resilience, the ability to restore data, and regular testing) but does not prescribe specific controls, so the minimum data security measures in the DPA should be expanded into concrete commitments: encryption of data at rest and in transit, access controls and logging, backup and recovery objectives, and a firm deadline for the processor to notify the controller of a breach. That last point matters because the GDPR only requires the processor to notify the controller “without undue delay,” while the controller itself must notify the supervisory authority within 72 hours of becoming aware of the breach.
Most regulations and DPAs give the customer (or its controller) the right to audit the processor’s security measures or its compliance with the DPA data security terms (which usually provide that the processor shall comply with all applicable data privacy regulations); the GDPR itself requires the processor to make available the information needed to demonstrate compliance and to allow for and contribute to audits and inspections. An audit right is only useful if it is exercised, so the DPA should also say what the audit looks like in practice, for example whether the processor may satisfy it by producing a recent independent assessment report and when the controller may insist on its own inspection.
The points set forth above are only a fraction of what needs to be assessed in negotiations. Contact or consult with an attorney with the appropriate background to ensure your contracting processor is compliant and your company is protected.
Many U.S. state legislatures are expanding on the GDPR’s requirements, and as a U.S.-based company it is important to have counsel in your corner to make sure your company has negotiated and drafted contracts that keep pace with the ever-expanding principles of security in the modern age of digital service providers and data processing.