Colonial Pipeline and JBS are the most recent in a long string of highly public cyber incidents (e.g., Equifax, Capital One, and SolarWinds) in which an industry giant is compromised and the effects spider-web outward in the aftermath.
With Colonial Pipeline, a group known as DarkSide took credit for the ransomware attack that caused the pipeline operator to shut down its fuel distribution. A similar group, REvil, is said to be responsible for the JBS ransomware attack. Both groups operate what is commonly referred to as a "ransomware-as-a-service" business, supplying the malware and infrastructure to affiliates who carry out the intrusions.
More and more, these incidents are jumping right out of cyberspace and having a direct, real-world effect. For example, with the Colonial Pipeline incident, gas prices rose due to panic buying out of fear of a potential shortage. And while it feels like this is the first time we have seen the cyber world disrupt daily life, it is not the first time and unfortunately will not be the last.
Attorneys know from experience that cyber incidents affect organizations all the time. But unlike cyberspace, where organizations are seemingly fighting a never-ending uphill battle, there are steps an organization can take to protect itself from a legal standpoint when it comes to security and privacy.
One of those steps involves taking proactive measures. The value of using written information security programs (WISPs) cannot be overstated. Likewise, having knowledgeable and experienced cyber counsel as part of the corporate advisory team is an equally important first step. Having counsel review contractual provisions gives an organization an advantage when dealing with its own data breach, or that of one of its vendors.
Data security and privacy provisions are commonplace at this point, but organizations need to be mindful that such provisions are not drafted uniformly from one contract to the next. Understanding the technology, the data flows, and the applicable legal and regulatory framework is essential to fully and effectively protecting an organization and reducing its legal liabilities. The expression says "the devil is in the details"; from a regulatory standpoint these days, it could easily be amended to say that "the devil is indeed in the contracts."
As with any agreement in which data is going to be exchanged, the parties to the agreement should foremost have specific provisions around data privacy and cybersecurity. First, for any vendor contract, it is important to have a clear and concise definition section. Defining terms like "data," "personal data," "data law," "data subject," "security incident," and "security technical controls" is critical. These definitions provide a clear framework for the additional provisions throughout the contract.
Additionally, the contract should contain a confidentiality provision, but avoid the all-too-common mistake of including only a generic one. Where the parties will exchange sensitive data, cyber counsel should tailor the provision by identifying the different types of confidential information, how each type is to be treated by both parties, and the consequences of failing to abide by the confidentiality obligations. If intellectual property is at issue, as it is for many organizations, the parties should likewise carefully consider specific provisions around that intellectual property.
Next, a well-defined contract should identify the nature and type of data covered by the data privacy and cybersecurity provisions by, among other things, setting forth security requirements and notice obligations in the event of a security incident. The contract should also allocate the assistance each party must provide in the event of a security incident and the liability that follows, including language addressing data misuse, which is a critical component.
Furthermore, the contract should address the vendor's own vendors, i.e., the subcontractors and other third parties the vendor relies on to perform the services. Depending on the nature of the relationship and the sensitivity of the data being exchanged, this type of provision can vary and should be carefully considered by legal counsel. Where it is clear that downstream vendors will be given access to or will receive sensitive data, a tailored provision of this kind is key to managing risk and legal exposure.
Finally, for any critical vendor or supplier in the chain of custody of the data, an audit provision should not be overlooked. Such a provision should grant the right to audit and also set defined parameters around any security and privacy audit (scope, frequency, notice, and who bears the cost, for example). Once an audit provision is in the contract, the next step, of course, is to actually audit the vendor. Sometimes taken for granted and often viewed as daunting, the audit is the essential follow-through on the provision and a necessary step before proceeding further; the provision is what makes a vendor audit or assessment possible and, more importantly, contractually permissible. With so many cyber incidents originating with a company's third-party vendors, omitting this provision, or never exercising it, is like ignoring your vehicle's check engine light just before embarking on a trip across the country. Needless to say, the odds of something going wrong rise sharply.
Legally, many data privacy laws require contract language between organizations. Domestically, the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to enter into business associate agreements (BAAs) with third parties that will receive, or be given access to, protected health information (PHI). Still, HIPAA is not the only game in town. The California Consumer Privacy Act of 2018 (CCPA) requires a written contract, such as a service agreement, between the covered business and its service provider. See California Civil Code § 1798.140(v). Virginia's Consumer Data Protection Act (CDPA) requires controllers to ensure that their agreements with processors comply with the law, and any contract that waives or limits consumer rights under the law is void and unenforceable. Colorado likewise just passed the Colorado Privacy Act (CPA), which appears to require agreements between controllers and data processors as well.
Similarly, the European Union's General Data Protection Regulation (GDPR) takes an equally serious approach to contracts. If your organization is subject to the GDPR, it must have a written data processing agreement in place with all its data processors. An organization must correspondingly understand the type and nature of the data it is collecting in order to determine the type of contractual obligations it can require of others, plus in some instances, which obligations it needs to assume.
One of the biggest pitfalls for an organization is assuming liability beyond what is required, such as signing a BAA where no PHI is being exchanged or where HIPAA does not apply. Once again, having knowledgeable legal counsel on the corporate advisory team who understands the nature of the data and how that data drives legal obligations is more important than ever.
In a word: sequential. Organizations should carefully consider data privacy and cybersecurity at every stage of the contracting process. Understanding what data you are collecting and which laws apply to it is cumulative, and above all else it is key to mitigating liability and preventing the organization from assuming liability that it would not ordinarily assume, or rather should not assume, because of its data practices.
Repeatedly, organizations make the simple mistake of not understanding the role they play in the data transaction. It is essential for an organization to determine its role (e.g., controller, processor, covered entity, business associate, or none of the above) and to be ready to defend that determination. Gone are the days when general counsel alone could effectively make these arguments. The regulatory terrain is now too tangled, it changes rapidly, and it is not enough merely to be conversant in technical matters. The value of dedicated cybersecurity and data privacy attorneys who understand the data as well as the laws and their applicability cannot be overstated. Experienced cyber counsel must understand how these laws fit together in practice and how they fit the unique infrastructure of the corporation. After all, the corporate footprint does not move ahead on defined rails; it must adjust and compensate for what lies ahead. So, while several laws may bear on a single data transaction, legal counsel should have the right experience with contracts and with defending and prosecuting breach of contract cases in order to guide the corporation over any type of terrain. One cannot avoid a pothole if no one thinks to check whether it is even there.
In short, no matter what course your organization chooses, keep in mind that cybersecurity and data privacy are not exclusively the province of IT and IT security, nor should either be viewed as a one-stop technology problem. Regulatory compliance and enforcement are serious legal issues and need to be handled as such. A multi-faceted, multi-jurisdictional, multi-departmental approach is necessary and should be the central mode of thought. An organization should not hesitate to take a laser-focused approach to such a critical area.
After all, when a data breach occurs and decisions seemingly shift into hyperdrive, the only thing standing between the organization and a lawsuit, a regulatory investigation, or the loss of its own ability to make a claim may well be the contract and its well thought out construction.
This article does not constitute legal advice or create an attorney-client relationship. Because of the nature of this article, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.