With the severity of penalties for mishandled data, Customers would do well to look long and hard at service agreements with their Service Providers.
Data security terms can be found sprinkled throughout a master agreement or compiled in one place like a data security or data privacy addendum. Either way, if you are sharing or receiving personally identifiable information or other sensitive data, you’ll want to make sure that your defined terms are sufficiently drafted whether you are using your own template or a third party template.
These three defined terms set the foundation for data security clauses to follow: 1) Authorized Employees vs. Authorized Persons, 2) Personal Information vs. Highly Sensitive Personal Information, and 3) Security Breach.
1. Authorized Employees vs. Authorized Persons
Who is authorized to view or use the data? This question is commonly answered by defining a specific term for this group of people, usually called “Authorized Employees.” Alternatively, this has been called Authorized Users, Authorized Persons, or Authorized Personnel. Regardless of what we call it, it is important to look at how this term is defined.
For example, “Authorized Employees” may only cover actual W2 or full-time employees of the customer. If your organization hires contractors, then consider expanding the definition to include employees, contractors, agents, auditors, and more. You may even need to define what you mean by “employees” and specify whether previous employees are included. Another element to consider is whether you want to set pre-conditions for this user group, such as having a written confidentiality agreement in place.
Here’s an example of a narrowly-defined user group (pro-service provider):
“Authorized Employees” means employees of the Service Provider who need to know or otherwise access Personal Information to enable the Service Provider to perform its obligations of this Agreement.
Here’s an example of a broadly-defined “Authorized Persons” term (pro-customer):
“Authorized Persons” means (i) Authorized Employees and Service Provider’s contractors, agents, auditors, and service providers of Service Provider who need to know or otherwise access Personal Information to enable Service Provider to perform obligations of this Agreement, and who are bound in writing by confidentiality and other obligations sufficient to protect Personal Information per the terms and conditions of this Agreement.
2. Personal Information vs. Highly Sensitive Personal Information
What’s the difference between Personal Information and Highly Sensitive Information? In cases where a contract involves the sharing or exchange of more than one type of data, be very clear as to the differences between how those data types are defined and distinguished, as well as how they are to be handled.
Personal Information
The definition of Personal Information will likely need some breadth, so the term can encompass the varying focus and scope of different privacy laws. The industry standard is to follow the GDPR for EU or global agreements, while provisions conforming to California’s CCPA/CPRA have taken the lead domestically.
Here’s an example of a well-defined “Personal Information” term:
“Personal Information” means information provided to the Service Provider by or at the direction of the Customer, information which is created or obtained by the Service Provider on behalf of the Customer, or information to which access was provided to the Service Provider by or at the direction of the Customer, in the course of the Service Provider’s performance under this Agreement that: (i) identifies or can be used to identify an individual (including, without limitation, names, signatures, addresses, telephone numbers, email addresses, and other unique identifiers); or (ii) can be used to identify or authenticate an individual (including, without limitation, employee identification numbers, government-issued identification numbers, passwords or PINs, user identification and account access credentials or passwords, financial account numbers, credit report information, student information, biometric, health, genetic, medical, or medical insurance data, answers to security questions, an individual’s internet activity or similar interaction history, inferences drawn from other personal information to create consumer profiles, geolocation data, an individual’s commercial, employment, or education history, and other personal characteristics and identifiers), in the case of both subclauses (i) and (ii), including, without limitation, all Highly Sensitive Personal Information. The Customer’s business contact information is not by itself deemed to be Personal Information.
Highly Sensitive Personal Information
While both types of information will need to be secured, Highly Sensitive Personal Information will need to be encrypted when transmitted, and encryption may also be required when the data is at rest on a mobile device or removable media. For U.S. companies, the National Institute of Standards and Technology (NIST) guidance is a good place to start: following it is a must for participating in the DoD supply chain, and it puts a business in a good position to address the updates necessary for GDPR compliance.
There is no statutory definition for Highly Sensitive Personal Information, but it is commonly defined as information that carries a greater risk if disclosed, including social security numbers, financial data, and medical and health information.
Here’s an example of a well-defined “Highly Sensitive Information” term:
“Highly Sensitive Personal Information” means an (i) individual’s government-issued identification number (including social security number, driver’s license, state-issued identification number); (ii) financial account number, credit card number, debit card number, or credit report information, with or without any required security code, access code, personal identification number, or password that would permit access to an individual’s financial account; or (iii) biometric, genetic, health, medical, or medical insurance data.
3. Security Breach
A breach of security or other event that causes data loss is the number one risk of sharing data between companies. This type of event is defined as a “Security Breach” or alternatively a “Security Incident” or “Data Loss”.
Customers should attempt to define Security Breach broadly to include potential, threatened, and actual data-related incidents because potential incidents often become reality. Customers appreciate the extra notice time. On the other hand, the service providers will want to minimize notification responsibilities and liability by narrowing the definition of a Security Breach to only actual incidents.
Here’s an example of a broadly-defined Security Breach term (pro-customer). The term becomes more narrowly defined (pro-service provider) if subclause (ii) is removed:
“Security Breach” means [(i)] any act or omission that [materially] compromises either the security, confidentiality, availability, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place by the Service Provider [(or any Authorized Persons)], or by Customer should Service Provider have access to Customer’s systems, that relate to the protection of the security, confidentiality, availability, or integrity of Personal Information, or (ii) receipt of a complaint in relation to the privacy and data security practices of Service Provider (or any Authorized Persons) or a breach or alleged breach of this Agreement relating to such privacy and data security practices. Without limitation, a compromise includes any unauthorized access, disclosure, or acquisition of Personal Information.
These terms and definitions are by no means exhaustive, but the goal is not to be exhaustive. Hopefully, this list can provide a gateway into the intricacies of data privacy and cybersecurity terminology for a practitioner or two in a practice area that is growing faster than anything the legal industry has seen in decades. Stay tuned for part two of this article, coming soon!