Post on 11-Aug-2020
TRANSCRIPT
Contract Drafting and Management: Developing Provisions to Mitigate Security, Compliance, and Technology Risks
Presenting a live 90-minute webinar with interactive Q&A
THURSDAY, JUNE 25, 2020
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Monique N. Bhargava, Partner, Loeb & Loeb, Chicago
Kari S. Larsen, Partner, Perkins Coie, New York
The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.
Legal and Regulatory Framework
• CCPA and other state privacy / security laws
• Gramm-Leach-Bliley (“GLB”) and other financial privacy regulations
• Health Information Portability and Accountability Act (HIPAA) and state health information regulations
• Biometric information privacy laws
• Federal Trade Commission Act
• Fair Credit Reporting Act (“FCRA”) and Fair and Accurate Credit Transactions Act (“FACTA”)
• Cross-border law (“GDPR”)
• Education sector laws
• Minor data privacy protections
Where Do We Start?
• Data mapping
  • Defining data collected
  • Identifying sources of data
  • Assessing how data is used
  • Assessing how data is shared
• Vendor assessment and contracts
• Security assessment and testing
• Data incident response plan
Define the Data – What’s Personal?
Traditionally, in U.S. law, Personally Identifiable Information (PII) was defined as information that can be used alone, or in conjunction with other information to identify a specific person, including:
• Basic Contact Information, e.g., First and Last Name, Phone Number, Email Address, Mailing Address, etc.
• Retail Delivery Report
• Non-public Personally Identifiable Information (GLBA), which is any information:
• (1) that a consumer provides to obtain a financial product or service (e.g., name, address, income, Social Security number, etc.);
• (2) that results from a consumer transaction (e.g., account numbers, payment history, loan or deposit balances, and credit or debit card purchases), or
• (3) that is otherwise obtained in connection with providing a financial product or service
(e.g., information from court records or a consumer report).
The Definition of What’s “Personal” is Expanding
• California Consumer Privacy Act (CCPA):
  • “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
• General Data Protection Regulation (GDPR):
  • “Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly.
Examples of expanding categories of personal data (from the slide graphic):
• Unique Device ID
• Persistent Identifiers
• Employment and Education Data
• Precise Location Data
• Biometrics
• Sensory Data
• Audio Recordings
Define the Relationship
Where does the data originate from?
• From client, vendor, or third party
Who owns the data?
• Joint control
• Client owned
• Vendor owned
• Third party owned
Who is storing and transmitting the data?
Common Contractual Issues
• Data use
• Data sharing
• Network access
• Security protocols
• Cross-border transfer
• Liability for security incidents
Define the Legal Obligations
California
• Specific required language for Service Providers
• Restrictions on use and sale
• Certification of understanding
• Reasonable security protocols
NY SHIELD Act
• Requires security safeguards to be specified by contract
General Data Protection Regulation
• Specific data processing provisions required
• Cross-border transfers may require standard contractual clauses
California Consumer Privacy Act: Service Providers versus Third Parties – Important Distinction
• Service Providers are:
  • Hired to perform services
  • Handling personal information to perform services
  • Signatories to a contract with CCPA required provisions
• Third parties are everyone who is not:
  • The business, or
  • A Service Provider limited by contract from using or disclosing personal information for any purpose beyond the defined scope of service
• If there is no CCPA compliant contract, a Service Provider could be treated as a Third Party
NY SHIELD Act
• Expands the Definition of “Private Information” to include biometric information and username/email address in combination with a password or security questions and answers. It also includes an account number or credit/debit card number, even without a security code, access code, or password, if the account could be accessed without such information.
• Expands the Territorial Application of the breach notification requirement to any person or business that owns or licenses private information of a New York resident.
• Imposes Data Security Requirements to require companies to adopt reasonable safeguards to protect the security, confidentiality, and integrity of private information. This includes implementing a data security program containing specific measures, including risk assessments, employee training, vendor contracts, and timely data disposal.
General Data Protection Regulation (GDPR)
• What is the GDPR?
  • Data protection law for persons located in the EU (not limited to EU residents)
  • Applies to a US-based company when it is processing personal data of a person LOCATED in the EU
• Vendor contracts required
  • Article 28 requirements
What is the Proper Allocation of Risk?
Client Wants to be Indemnified for:
• Violation of laws
• Security Breach incidents
• Failure to comply with obligations
• Third-party services/data/tools
• Materials and claims supplied by Agency
Vendor Wants to Limit Indemnification to:
• Intentional acts, gross negligence, or willful misconduct
• Material failure to maintain the described security protocols
• Pass-through indemnification to the extent received
Client Wants to Limit Indemnification to:
• Intentional acts, gross negligence, or willful misconduct
Vendor Wants to be Indemnified for:
• Violation of laws
• Improper provision of data
• Failure to comply with obligations
• Third-party services/data/tools
• Risks client has opted to take
• Client supplied Information
• Client modifications/scope of use
What Are the Types of Damages?
• “Direct”
  • Damages which, in the ordinary course of human experience, can be expected to naturally and necessarily result from a breach
  • These damages are presumed to have been foreseen or contemplated by the parties as consequences of a breach
• “Consequential” or “Special” Damages
  • Damages that arise out of special circumstances, not ordinarily predictable
  • May not be obvious to one of the parties in advance without communication of the other party’s special circumstances
• “Incidental”
  • Expenses or commissions in connection with effecting cover and any other reasonable expense incident to the delay or breach
Common Exclusions
• Exclude consequential, incidental, and indirect damages
• Exclude lost profits/revenue and/or reputational harm
  • Do not assume that these are consequential damages
• Carve-outs to Exclusions
  • Indemnification
  • Confidentiality
  • Data Breach/Privacy
• Consider liability in the context of insurance limits
Unenforceable Exclusions
• All damages, particularly in sales contracts
  • Whitesell Corp. v. Whirlpool Corp., 2012 WL 3631491 (6th Cir. Aug. 23, 2012)
  • Agreement clause precluded recovery of damages arising from “any performance or breach,” which effectively barred all damages and deprived the plaintiff of any adequate remedy
  • Court found the clause to be contrary to contract law requiring that sales contracts must provide at least minimum adequate remedies
• Gross negligence
• Willful misconduct or intentional wrongdoing
Lost Profits
• Courts have held that “lost profits” can be either direct or consequential damages
• The important question is whether the lost profits would follow naturally and necessarily from a breach of the contract
  • Direct lost profits → generated from an agreement between the contracting parties
  • Consequential lost profits → generally dependent upon an agreement with a nonparty
• Thus, lost profits should be a separate category from consequential damages
Ways to Limit Liability Outside the Limitation of Liability Provision
• Indemnification
• Representations and Warranties
• Termination
• Obligations/Services description
Thank You
Monique (Nikki) Bhargava
Partner, Advanced Media & Technology
Loeb & Loeb LLP
mbhargava@loeb.com
312-464-3358
© 2019 Perkins Coie LLP
KEY CONTRACT TERMS TO CONSIDER
Risk Mitigation Strategies
• Payment Terms: Address circumstances where broader economic challenges could affect strict compliance with payment terms, such as providing limited extensions and waiver of late fees.
• Acceptance of Goods, Risk of Loss, Transfer of Title: What happens if the opportunity for physical inspection or the potential for accepting delivery is impaired?
• Alternative Dispute Resolution: If courts are closed, the parties can provide a clear process for resolving disputes remotely.
• Limitations of Liability, Liability Caps, Liquidated Damages: Address worst-case liability as between the parties to the agreement in advance.
• Suspension: Adopt clear parameters for when parties can suspend performance, the duration of the suspension, and when it will expire.
• Milestones: Address how the parties can agree to defer milestones and when they can return to the regular milestone schedule.
• Delivery Terms: Adopt flexible delivery windows or non-binding delivery estimates, an agreed process for substituting goods and services, and a procedure to permit prioritizing orders and/or reassigning personnel among customers.
• Disclaimers: Adopt special disclaimers addressing potential technology issues, force majeure, or the duration of a health crisis, to render performance “as is/with all faults” or to address alternate performance possibilities.
• Termination for Cause: Adopt more flexible opportunities to cure alleged breaches during health or technology crises if the ability to cure is impaired but not infeasible. If infeasible, then the flexibility is inapplicable.
• Health and Safety: Adopt agreed safety practices for personnel performing services, require the other party’s personnel visiting premises to comply with health and safety policies, permit removal for non-compliance or evidence of symptoms, and cooperate with contact tracing.
• Service Levels: As a service provider, mitigate risk by providing credits as the sole remedy for service level failures attributable to the pandemic (e.g., network congestion, if applicable). As a customer, consider bonuses or penalties for not meeting service levels, and be specific about excuses for non-performance.
• Governing Law: Consider tying material changes in law to an alternative dispute resolution process where the parties can mutually agree to amend or terminate due to, for example, pandemic-related changes in law affecting performance.
• Business Continuity Plan: Require (adopt) a plan to address reductions in force, supply chain disruptions, and macro adverse changes to the relevant market, along with notice requirements when invoked.
• Confidentiality and Reporting Obligations: Adopt a duty for one or both parties to provide status reports on whether circumstances (e.g., a pandemic) are affecting performance. Detail how and whether challenges should be disclosed to the public. Consider technology solutions for compliance obligations.
• Representations and Warranties: Consider whether standard reps and warranties may be affected. For example, a party committing to perform services on-site should consider the impact that closing borders could have on a rep that the party has obtained all authorizations and permits required to provide the services.
• Insurance: Review insurance policies and work with insurance counsel to ensure adequate coverage, and specify the expected coverages of the other party for breaches, unforeseen circumstances, pandemic, etc.
Remote Work – Risk Mitigation
PRACTICAL CONSIDERATIONS
• Remote working will almost certainly become a permanent fixture of modern life for many.
• Companies must adjust to this new reality by adjusting how compliance programs are managed, including how incidents are reported, investigated, and resolved.
• Companies will need to maintain their culture of compliance by preserving open communication with their employees, and by messaging from the top that compliance remains a top priority.
• There are some practical things companies can do to ensure their compliance programs and procedures remain effective when employees work from home.
REPORTING
• Remote working has the strong potential to tamp down informal reporting of potential compliance issues—the sort of issues that are discovered around the “water cooler,” as opposed to through a formal report.
• Now is also the time to make sure compliance reporting systems—particularly those systems that operate by phone or email—are up and running, and to remind employees that those systems are available even when they are working from home. While many employees now prefer the internet over telephones to report ethics concerns, data shows that a substantial segment of the population still logs cases by phone. If an employee calls and is not able to get through, they may feel discouraged and not end up reporting the issue at all.
• As the “social distance” between employees—and, in particular, recent hires—becomes greater, maintaining social norms of “if you see something, say something” becomes more difficult, but not impossible. The clearest solution is to insist that the lines of communication between managers and subordinates remain open. Encourage managers to periodically check in with their subordinates more often than they would in person. Find creative ways to instill these norms in new employees, like requesting existing employees to help “mentor” new employees on how to conduct business ethically, or including compliance and ethics subjects in existing mentorship programs. Innovative technology solutions can assist with surveillance and supervision.
HANDLING OF COMPANY INFORMATION
• Make sure to have a documented policy that requires employees to use firm-approved systems and applications to conduct business for the company. Chances are most businesses already have one—but just in case, consider these recommended measures, and make sure to issue reminders of the policy periodically.
• Install and maintain authentication requirements to secure access to company information and systems.
• Define minimum expectations for the use and protection of company information (the “need to know” principle carries beyond the office).
• Subject to the duration of the telework, consider automatic reminders when accessing company systems or networks that require consent before use. Include this in any overall compliance training designed to address minimum expectations for teleworking.
• Consider defining a process for hard copy records (what's allowed, what's not, what must be submitted, what can be destroyed, etc.), together with recordkeeping, confidentiality and data privacy requirements.
• When issuing litigation or investigation holds, remind employees to also look in their home office and on any personal device on which they may have stored company documents.
Technology Can Provide Transparency and Trust
• IoT devices will be automating data collection in a “trustless” environment.
• AI will be processing data, including personal data, between different systems.
• Existing privacy policy/notice regimes are likely unsuited to such disparate collection and processing, and must be assessed and updated.
Trust in a Trustless Environment
• Blockchains create transparent, immutable records.
• Digital ledger technology has the capability to create trust amongst disparate IoT network stakeholders, and may be a solution for certain recordkeeping and reporting obligations.
• Blockchain offers a new “trust framework” with the potential ability to preserve privacy.
Other Technology Solutions
• Cloud computing can help meet IT needs and may have IT performance, innovation, cybersecurity, and cost savings benefits. Regulatory compliance issues may need to be considered, including following or revising compliance policies and BCDR requirements.
• Cloud-based AI cybersecurity tools are increasingly common. Users must assess whether such cyber tools are consistent with any legal, regulatory and compliance obligations and are understood by applicable regulators.
• Remote training, supervision/surveillance and auditing technologies.
QUESTIONS?
KARI S. LARSEN
PARTNER
PERKINS COIE, LLP
1155 AVENUE OF THE AMERICAS, 22ND FLOOR
NEW YORK, NY 10036-2711
D. +1.212.261.6866
E. KLARSEN@PERKINSCOIE.COM
W. WWW.PERKINSCOIE.COM