BreachExchange mailing list archives

Data breach liability: confidentiality vs. privacy


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 2 Jun 2015 20:33:29 -0600

https://www.lexology.com/library/detail.aspx?g=b98863cd-e713-4f4b-85d9-07b274fed112

IT service providers, particularly cloud service providers, increasingly
are resisting unlimited liability for breaches of privacy and data security
obligations in their customer agreements. Instead, they offer unlimited
liability for breaches of confidentiality, asserting the customer’s risk of
a data breach would be covered as a breach of confidentiality, and arguing
that unlimited liability for breaches of data protection obligations is
simply double dipping.

A Data Breach Is Not Needed to Create Liability

When an IT service provider takes this position, one of the first questions
a customer asks is: Assuming that the service provider has access to data
that would be covered by privacy and data security laws, what is the risk
if the provider breaches the privacy and data security obligations without
an actual data breach?

In other words, does there need to be a data breach for the customer to
incur liability? Unfortunately, the answer is no.

To fully understand the risk of accepting the IT service provider’s
position, a customer should identify:

- The privacy and data protection requirements the customer must satisfy.
- The likelihood the IT service provider may cause the customer to fail to
comply with those requirements.
- The potential for damages, fines, penalties or other enforcement activity
if the customer fails to comply with those requirements—even absent a data
breach.

Privacy and Data Protection Requirements

In terms of the privacy and data protection requirements the customer may
need to satisfy, the customer should consider legal and regulatory
requirements (including regulatory guidance) and industry standards. For
example, if a customer collects or processes credit card information, the
customer must comply with the Payment Card Industry Data Security Standards
(PCI DSS) as well as Visa's Cardholder Information Security Program (CISP),
MasterCard's Secure Data Protection program (SDP) and Discover Network's
Information Security and Compliance program (DISC). In addition,
Massachusetts 201 CMR 17.00 requires a company that owns or licenses
personal information of Massachusetts residents to implement and maintain a
comprehensive information security program that contains administrative,
technical and physical safeguards.

Even if there is no data breach, failing to comply with these standards may
subject the customer to enforcement actions by the relevant regulatory
authority and/or significant fines.

‘Flow-Through’ Terms

Once a customer identifies the relevant requirements, the customer should
ensure that these requirements are expressly passed through to the IT
service provider through well-tailored “flow-through” terms. Not only is
the customer at risk for liability if the IT service provider causes it to
fail to comply with the requirements; simply failing to flow through the
requirements may subject the customer to liability for noncompliance.

This is true even if the service agreement includes a confidentiality
clause, which generally requires the receiving party to exercise a duty of
care to protect confidential information of the disclosing party in a way
that is consistent with the measures the receiving party takes to protect
its own confidential information. It is often unclear, however, exactly
what measures an IT service provider takes. For example, Massachusetts 201
CMR 17.00 specifically requires companies to oversee their service providers,
including requiring their service providers by contract to implement and
maintain appropriate security measures.

Legal requirements and industry standards are not the only potential risk.
The customer also may have contracts in place with its end-user customers
and other third parties that would expose it to unlimited liability for
breaches of privacy and data security obligations. If the IT service
provider only offers unlimited liability for breaches of confidentiality
and the IT service provider’s obligation is to comply with its own duty of
care standard and not the customer’s standards, the customer may not be
able to look to the IT service provider for full recourse if the IT service
provider causes the customer to breach these contractual obligations.

A Data Breach Does Not Always Mean a Breach of Confidentiality

Even if there is a data breach, customers may be at risk that the
confidentiality provision does not cover the data subject to the breach.
Confidentiality provisions often define “confidential information” in a
manner that may not encompass all of the data subject to privacy and data
security laws. For example, the definition may include only information
that is labeled as confidential or that a “reasonable person” would
consider to be confidential. In this case, certain types of data, such as
IP addresses or geolocation data, are unlikely to be labeled as
confidential when disclosed to the IT service provider and may not be
something a “reasonable person” would consider to be confidential.

“Confidential information” often is defined to include end-user customer
data but not employee data. The IT service provider’s services, however,
may include storing or processing employee data. Particularly for services
such as cloud-based HR solutions, this may be as simple as receiving
employee names, phone numbers, addresses and emails in order to provide
technical support.

If the customer discloses personally identifiable information to the IT
service provider that is not covered by the definition of confidential
information, then a breach of that data would not be a breach of
confidentiality for which the IT service provider would have unlimited
liability under the service agreement.

Conclusion

The risk of liability for a breach of privacy and data security obligations
without a data breach is only increasing. Audit and enforcement activities
have continued to increase, an example being the U.S. Department of Health
and Human Services Office for Civil Rights’ focus on HIPAA privacy rule
violations—with some resulting in civil penalties in the millions. This
risk is likely to continue to grow as regulators and states become even
more active in setting data protection requirements and enforcing them,
including increasing scrutiny of how companies are flowing down protections
to third parties.

Customers will want to minimize their risk in deals with IT service
providers by (1) including privacy and data security obligations sufficient
to satisfy their privacy and data protection requirements; and (2)
insisting on uncapped liability for the IT service provider’s breach of
those obligations. If the IT service provider simply refuses to accept such
unlimited liability and only offers uncapped liability for breaches of
confidentiality, the customer may try to reduce its risk by:

- Including privacy and data security obligations sufficient to satisfy the
customer’s privacy and data protection requirements, even if those
obligations are subject to a general limitation on liability.
- Ensuring damages the customer may incur for breach of privacy and data
protection obligations, such as regulatory fines, penalties and the like,
are not excluded by a sweeping exclusion of liability for consequential
damages, even if they are subject to a general limitation on liability.
- Seeking a heightened liability cap for breaches of privacy and data
security obligations in addition to uncapped liability for breaches of
confidentiality.
- Defining “confidential information” to ensure it encompasses all personal
data the customer may disclose to the IT service provider.
- Including the right to terminate for convenience without the payment of
any early termination charge.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
