Data is rapidly becoming a company's most valuable asset. Innovations in data analytics, artificial intelligence tools that use data, and other technologies are accelerating this trend. Unfortunately, bad actors who seek to obtain or compromise your data and systems are also innovating. Breaches of personal data may lead to litigation, investigations, fines, penalties and reputational harm. While a company cannot eliminate these risks, there are some actions that your company should take to protect data in the hands of third-party suppliers. This article describes five privacy- and security-related questions that a general counsel should ask regarding company data in the hands of third-party suppliers and other business partners.

Have We Assessed Our Security and Privacy Risks?

A company should fully understand its privacy and security environment by performing a comprehensive privacy and security assessment. This will include review and examination of existing third-party supplier arrangements (including any subcontractors) and the processes around vendor selection, contracting and monitoring. Most data privacy and security laws apply to the owner or controller of the information. An assessment involving third parties who have company data is important because a company cannot contract away its responsibility for data breaches.

How Robust Is Our Oversight of Third Parties Who Have Our Data or Access to Our Networks?

A company should develop a plan for robust vendor oversight in the evaluation, selection, contracting and ongoing monitoring of third parties who have company data or access to company networks. This must be a practical, risk-based plan in which corporate resources are invested in the highest risk areas to protect the most valuable data. You will need to make choices to invest in reasonable, defensible measures. Protection of personal data is a key risk area, as personal data tends to be regulated. For example, 47 states in the United States have data breach notification laws, and Europe and other countries regulate the collection, processing and international transfer of personal data.

Do We Have Appropriate Contractual Protections?

Contracts between companies and third parties must include comprehensive privacy and security protections. At a minimum, the third party must agree to provide "reasonable and appropriate" security measures. You may also consider having the contract require compliance with other information security standards, such as industry standards (e.g., ISO 27001 series), and any laws and regulations that impose security requirements on the company.

How Do We Monitor Developments?

Regulators are cultivating an ever-increasing patchwork of data protection laws and regulations. Because third parties may host and process data in various locations around the world, companies must keep abreast of constantly evolving developments in global data protection laws and regulations, including data localization laws and data transfer regulations. Compliance failures may subject a company to considerable fines and penalties (e.g., the EU General Data Protection Regulation, effective in May 2018, will allow penalties of up to four percent of worldwide revenues for compliance failures). In addition, data localization laws, which require that data remain in the country, are emerging. For example, Russia has such a law, and others have been proposed in Indonesia and China.

Do We Address Privacy and Security in Other Transactions, Such as M&A?

Privacy and security issues can also arise in transactions outside of outsourcing, such as joint ventures and mergers and acquisitions. A target company may be in violation of privacy or data protection laws, and a prospective buyer may potentially assume all the liabilities associated with the target's noncompliance. To mitigate these risks, a company must exercise careful due diligence, which includes examining how the target processes data, evaluating the target's compliance with applicable laws and reviewing the target's own information security plan and privacy practices.

Careful consideration of these five questions will help a general counsel mitigate some of the key privacy and security risks when entrusting corporate data to third parties and business partners.

Originally published 13 October 2016


© Copyright 2016. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.