In efforts to curb cybersecurity and privacy issues, governments around the world have been tightening legislation on how organizations collect and share data.
The most effective way to comply with these requirements is to draft appropriate contracts. This is an extremely complex area because the rules are often convoluted and subject to change.
The move toward stricter legislation follows the milestone EU GDPR (General Data Protection Regulation), which took effect in May 2018.
Article 28 of the Regulation gives specific instructions on how contractual agreements relate to data sharing, stating that data processors may only process personal data in line with the data controller’s documented instructions. Additionally:
- Data processors must implement appropriate technical and organizational measures to secure the processing and to help the data controller respond to requests from individuals exercising their data subject rights
- Data processors cannot engage another party (a sub-processor) to process the personal data without the prior written authorization of the data controller
- Data processors must assist the data controller in meeting its GDPR requirements in relation to the security of data processing, the notification of data breaches, and DPIAs (data protection impact assessments)
- Data processors must delete or return all personal data to the data controller, at the controller's choice, at the end of the contract
- The data processor must allow for and contribute to audits and provide the data controller with whatever information it needs to demonstrate that both parties meet their Article 28 obligations
While versions of these requirements can be seen in other legislation, each jurisdiction has its own rules. For example, the CPRA (California Privacy Rights Act) defines three categories of contracting party that receive personal information: third parties, service providers (similar to data processors), and contractors.
Meanwhile, DFARS (Defense Federal Acquisition Regulation Supplement) clause 252.204-7012 must be flowed down into any subcontract under a DoD (Department of Defense) contract whose performance involves covered defense information. Among other things, it requires the contractor to safeguard that information, to rapidly report cyber incidents to DoD, and to support DoD's cyber incident damage assessment by providing access to the relevant information and equipment.
The responsibility for ensuring that subcontractors are bound by these requirements, through flow-down clauses, lies with the prime contractor.
An integral part of compliance with these cybersecurity and privacy laws is contract management. It is crucial that these contracts define the roles and responsibilities of the parties involved.
It is much better for the parties themselves to define their relationship than leave it up to a court. Contracts, like anything else in a business, need to be managed. If an organization’s contracts are well written and kept up to date, problems can be avoided. If not, it can be very expensive.
Many of the requirements for contracts between the business (data controller) and other parties are similar. There are differences, however; for example, the CPRA regulations specifically require the contract to give the business the right to monitor the other contracting party's compliance. Examples include ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing at least once a year.
Other state privacy laws have additional requirements. Virginia and Connecticut require the processor to allow an annual assessment of its compliance, while Colorado requires it to allow for and contribute to audits.
If you get this wrong in your supplier contracts, it could cost you. Take the recent case of People of the State of California v. Sephora USA, Inc. The cosmetics firm agreed with an analytics provider to share information it acquired from customers as part of its retail business in exchange for information gathered from other businesses, to help identify new customers.
Did Sephora “sell” its information to the analytics provider by “making available, transferring, or otherwise communicating […] a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration” (§1798.140 (ad))?
The California Attorney General thought so when he brought the enforcement action.
Sephora could have avoided this in one of two ways. It could have structured the relationship so that the disclosure was not a "sale", by putting in place a contract that met the law's service-provider requirements and restricted the provider's use of the data to Sephora's own business purposes. Alternatively, it could have treated the exchange as a sale and modified its website to comply with the law, by disclosing the sale and honoring consumers' opt-out requests.
However, it did neither, and as a result it violated its customers' privacy rights under the law. Worse, once the California Attorney General notified Sephora of the alleged violations, it failed to cure them within the 30-day cure period then available under the CCPA.
Ultimately, Sephora settled the case for $1.2 million.
The case sends a strong message about the need for organizations to get their contractual requirements correct. Cookies, websites, privacy notices, and contracts with service providers should all be reviewed and managed.
If you fail to meet your contractual requirements, you run the risk of enforcement action and lawsuits.