Due to an increase in regulations, vendors, service providers and customers must now address security obligations and liabilities. To understand today’s regulations, we can examine relevant federal and state laws, even though no single one establishes comprehensive security requirements.
Federal security regulations have been promulgated mostly for the financial services and healthcare industries. Regulations under the Gramm-Leach Bliley Act (GLB Act), applicable to financial institutions and entities significantly engaged in financial activities, contain broad guidelines for safeguarding customer information.
Companies covered by the GLB Act are required to implement security programs that account for the size and complexity of the entity and the scope of its activities. They also have obligations to exercise due diligence in selecting and monitoring the security practices of third-party service providers, and require contracts with those designed to meet the objectives of the regulations.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA),for healthcare providers, healthcare plans and healthcare clearing houses requires safeguards in administrative, physical and technical areas, amongst others.
HIPAA requires security measures that take into account the size, complexity and capabilities of the entity. Additionally, if medical data is disclosed to service providers, there must be contracts with the providers and those agreements must contain specifically mandated provisions that implement HIPAA’s security requirements.
On the state level there is also little uniformity regarding security requirements. For example, California has been one of the most aggressive states in employing strong privacy and security legislation.
Under California’s SB 1386, persons or companies conducting business in the state are required to promptly disclose any breach of a network security system to California residents if unencrypted personal information is acquired by an unauthorized person. This legislation impacts businesses within and outside California, and has no exceptions for non-profits or small businesses. Unlike the GLB Act and HIPAA, the California legislation permits a private right of action for its violation.
Many states are adopting laws designed to reduce identity theft, and one example is Georgia’s Senate Bill 475, which establishes permitted ways that a business may discard electronic or paper records containing personal information.
Guidelines for the future…
Sources in addition to federal and state regulations, while not binding, may prove important in establishing appropriate security standards.
One example is the National Strategy to Secure Cyberspace, which identifies recommendations that entities can use to improve cybersecurity. Other examples include guidelines established by federal and state agencies for their own operations, and policies established by specific industry groups.
International proposals include the OECD Guidelines for the Security of Information Systems and Networks, and ISO 17799, issued by the International Standard for Organization, which covers issues such as continuity planning and system access control. Such guidelines, in addition to legislation, will set the bar for appropriate security standards in the future.
Where security is a concern, there are a number of provisions a customer might want to consider in reviewing the contractual terms of any commercial relationship.
For example, an obligation requiring a service provider to “comply with all applicable laws and regulations” could include security issues. Similarly, provisions requiring a service provider to “maintain the confidentiality of a vendor’s proprietary information” might also have security ramifications.
Alternatively, a provider might be unable or unwilling to take on such strict obligations, and instead could agree to implement only security procedures and safeguards designed to protect proprietary information.
Particular concerns need to be specifically addressed, including requirements to provide notice of a security breach; obligations to follow identified security policies; and the right of the customer to conduct periodic security audits.
While covenants requiring a provider to follow “industry standards” might also prove useful, the scope and boundaries of those is unclear.
When obtaining specific hardware or software products, a customer might want assurances that the product does not contain a “back door” or permit other unauthorized access to customer data. It might not be possible to obtain absolute promises relating to the security or vulnerability of a particular system or product, but a customer should obtain assurances as to the measures a vendor takes to prevent intrusion or the introduction of malicious code. The availability of support if a security breach occurs should be considered.
The willingness of a vendor or service provider to agree to obligations related to security will be influenced by its liability under the contract. Many vendors assume responsibility only for direct damages caused by their breach, and even then will limit their liability to a fixed dollar amount.
While direct damages include the cost to correct a product defect or to re-perform a service, they do not include consequential damages caused by the default, such as costs to recreate data, lost profits and lost opportunity costs. Most importantly, unless otherwise provided in an agreement, direct damages also do not cover liability to third parties, or penalties or damages for violations of applicable law – all of which could be more significant than direct damages. For example, costs to inform third parties of a security breach, would not be covered.
In today’s contracts, the security standards imposed, the types of damages that are recoverable, and the limitation on those damages should all be addressed.
Gary Saidman is a partner in the law firm of Kilpatrick Stockton and a member of its Corporate and Technology Practice Groups