Shawn Tuma, Co-Chair of Spencer Fane LLP's Data Privacy & Cybersecurity practice, presented on this topic at the 2020 Texas Bar CLE's Making and Breaking Iron-Clad Contracts course in Austin, Texas on March 6, 2020.
The Role of Contracts in Privacy, Cybersecurity, and Data Breach
1. Spencer Fane LLP | spencerfane.com 1
The Role of Contracts in Privacy,
Cybersecurity, and Data Breach
Shawn E. Tuma
Co-Chair, Data Privacy & Cybersecurity Practice
Spencer Fane LLP
13. Spencer Fane LLP | spencerfane.com 13
Ancient Cybersecurity Wisdom
“Water shapes its course according
to the nature of the ground over
which it flows; the soldier works out
his victory in relation to the foe
whom he is facing.”
“In all fighting the direct method
may be used for joining battle, but
indirect methods will be needed to
secure victory.”
14. Spencer Fane LLP | spencerfane.com 14
Lesson: Evaluate and audit third-parties’
security
• In re GMR Transcription Svcs., Inc., Consent Order
(Aug. 14, 2014).
• FTC’s Order requires business to follow 3 steps when
working with third-party service providers:
1. Investigate before hiring data service
providers
2. Obligate data service providers to adhere
to the appropriate level of data security
protections
3. Verify that the data service providers are
complying with obligations
15. Spencer Fane LLP | spencerfane.com 15
NIST Cybersecurity Framework
• Adds “Supply Chain Risk Management (SCRM)” as a “Framework Core”
function
• Coordinate cybersecurity efforts with suppliers of IT and OT (operational
technology) partners
• Enact cybersecurity requirements through contracts;
• Communicate how cybersecurity standards will be verified and validated; and
• Verify cybersecurity standards are met.
16. Spencer Fane LLP | spencerfane.com 16
Lesson: This is the “WHY” for the
contractual obligations
• Addendum to business contracts
• Common names: Data Security & Privacy Agreement; Data Privacy;
Cybersecurity; Privacy; Information Security
• Common features:
– Defines subject “Data” / “Network” protected in categories
– Establishes acceptable and prohibited uses for Data / Network
– Establishes standards for protecting Data / Network (3rd / Nth)
– Allocates obligations and responsibility for incident
– Notice, roles, expenses
– Requires binding third-parties to similar provisions
17. Spencer Fane LLP | spencerfane.com 17
How about a few examples for “WHY”?
18. Spencer Fane LLP | spencerfane.com 18
Example 1: “It’s not our fault!”
• Private security firm’s job applicants’ personal data (including identification of
those with Top Secret security clearances) is exposed on an unsecured
Amazon server.
• Firm says it wasn’t its fault, it was fault of its third-party vendor that we hired
to process new job applications that left the data exposed.
– Former CIA, NSA, Secret Service
– Names, home addresses, telephone numbers, email addresses
– Applicant transported nuclear activation codes
– Applicant was “warden advisor” at Abu Ghraib black site
• Who do you think is responsible?
• Do you think a better contract would have helped?
• What would have helped prevent this?
19. Spencer Fane LLP | spencerfane.com 19
Example 2: “We can’t afford it”
• MegaCorp is a global leader in biotechnology and one of the world’s wealthiest
companies. MegaCorp developed new highly confidential and proprietary bio-
authentication technology that could solve the world’s cybersecurity problem by
setting access rights to data based on users’ unique DNA.
• MegaCorp recognizes the cyber threat and has state-of-the-art cybersecurity for its
network, having a larger cybersecurity budget than the revenue of many biotech
companies.
• For testing to prove the technology works, MegaCorp turns to the 4 best biotech
research facilities, known for the quality and integrity of their research, not their
profitability.
• MegaCorp’s contracts with the facilities requires they maintain security and
confidentiality of its intellectual property (IP).
20. Spencer Fane LLP | spencerfane.com 20
Example 2: “We can’t afford it” (cont.)
• During testing for MegaCorp, Research1 discovers an intrusion in its network.
Due to budget limitations, its “IT guy” calls his buddy to do “forensics” and
discover Research1’s network was being used to mine Bitcoin. They block the
hacker and conclude “no problem.”
• Two weeks later Research1 gets hit with ransomware and a demand for
$1,000,000 paid in Bitcoin. IT guy was able to restore the network from
backups so he sent a taunting email to the hacker, just for fun. He also ignored
that lawyer who warns of possible advanced persistent attack and said it may
be a legal breach.
• One week later the hacker emails MegaCorp’s Board of Directors saying they
have MegaCorp’s data, demand $100 million to not disclose it.
21. Spencer Fane LLP | spencerfane.com 21
Lessons from “We can’t afford it!”
• Larger enterprises have a better appreciation of cyber risk and more resources to
spend on it. SMBs are not there … yet … still thinking, “we can’t afford it,” is
justifiable.
• Does the harm to MegaCorp’s IP change depending on whether taken from it or
Research1?
• MegaCorp would crush Research1 in a lawsuit … “indemnification”… so what?
• MegaCorp would have gladly paid the $1million ransom to try and protect its IP, even
with no guarantee.
• What contractual terms would have helped MegaCorp?
• What practical discussions would have helped MegaCorp?
• What risk transfer devices would have helped?
• What technology would have helped?
23. Spencer Fane LLP | spencerfane.com 23
Focus on basic principles
• Two primary reasons for cybersecurity in contracting are to:
– Minimize risk, including third-party risk; and
– Determine the process and responsibility for incidents.
• Risk can be reduced to two basic things: protecting – wherever and however –
and responding to incidents concerning:
– Networks
– Data
24. Spencer Fane LLP | spencerfane.com 24
Checklist: Using contracts to manage
supply chain / third-party risk
Focus on objectives: protecting, responding, responsibility for data/network
Staff appropriately
Understand facts of relationship/transaction
Understand risks by thinking worst case scenario from outset
Minimalize risks: do not risk it if you do not have to
Discuss objectives, facts, risks, protection with those responsible
Assess third-party’s sophistication and commitment
Agree upon appropriate protections
Investigate ability to comply
Obligate compliance, notification (to you), responsibility
Include in incident response planning
Cyber Insurance: transfer risk where possible
25. Spencer Fane LLP | spencerfane.com 25
Ok, ok, ok … here are your example contract provisions …
27. Spencer Fane LLP | spencerfane.com 27
"Highly Sensitive Personal Information" means an (i) individual's government-issued identification
number (including Social Security number, driver's license number, or state-issued identification
number); (ii) financial account number, credit card number, debit card number, or credit report
information, with or without any required security code, access code, personal identification number, or
password that would permit access to an individual’s financial account; or (iii) biometric, genetic, health,
medical, or medical insurance data.
Source: Westlaw
THE POINT:
Clearly define your data and networks at issue
28. Spencer Fane LLP | spencerfane.com 28
"Security Breach" means [(i)] any act or omission that [materially] compromises either the security, confidentiality, or
integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place by
Service Provider [(or any Authorized Persons)], or by Customer should Service Provider have access to Customer’s
systems, that relate to the protection of the security, confidentiality, or integrity of Personal Information [, or (ii) receipt
of a complaint in relation to the privacy and data security practices of Service Provider [(or any Authorized Persons)] or a
breach or alleged breach of this Agreement relating to such privacy and data security practices]. Without limiting the
foregoing, a [material] compromise shall include any unauthorized access to or disclosure or acquisition of Personal
Information.
Source: Westlaw
THE POINT:
Clearly define important events, what is a cyber
“event”, “incident”, “security breach”, “data
breach”?
29. Spencer Fane LLP | spencerfane.com 29
Source: Westlaw
THE POINT:
Specify what security measures must be taken to
protect the data and networks
Information Security.
(a) Service Provider represents and warrants that its creation, collection, receipt, access, use, storage, disposal,
and disclosure of Personal Information does and will comply with all applicable federal [and], state[, and
foreign] privacy and data protection laws, as well as all other applicable regulations and directives.
(b) Service Provider shall implement and maintain a written information security program including appropriate
policies, procedures, and risk assessments that are reviewed at least annually.
Without limiting Service Provider's obligations under Section [3(a)], Service Provider shall implement administrative,
physical, and technical safeguards …
***
30. Spencer Fane LLP | spencerfane.com 30
Source: Westlaw
THE POINT:
Specify what (1) must be done and (2) by whom if
there is a “Security Breach”
Security Breach Procedures.
(a) Service Provider shall:
(i) provide Customer with the name and contact information for [an employee/security operations or other service desk] of
Service Provider [who/which] shall serve as Customer's primary security contact and shall be available to assist
Customer twenty-four (24) hours per day, seven (7) days per week as a contact in resolving obligations associated with
a Security Breach;
(ii)notify Customer of a Security Breach as soon as practicable, but no later than [twenty-four (24) hours/[AGREED
TIMEFRAME]] after Service Provider becomes aware of it; and…
***
31. Spencer Fane LLP | spencerfane.com 31
Source: Westlaw
THE POINT:
Right to audit – sure we trust you, but we want to
verify because we are responsible for our data
Oversight of Security Compliance.
[Upon Customer's [written] request, to confirm Service Provider’s compliance with this Agreement, as well as any applicable laws,
regulations, and industry standards, Service Provider grants Customer or, upon Customer’s election, a third party on Customer's behalf,
permission to perform an assessment, audit, examination, or review of all controls in Service Provider’s physical and/or technical
environment in relation to all Personal Information being handled and/or services being provided to Customer pursuant to this
Agreement. Service Provider shall fully cooperate with such assessment by providing access to knowledgeable personnel, physical
premises, documentation, infrastructure, and application software that processes, stores, or transports Personal Information for
Customer pursuant to this Agreement. In addition, upon Customer's [written] request, Service Provider shall provide Customer with the
results of any audit by or on behalf of Service Provider performed that assesses the effectiveness of Service Provider's information
security program as relevant to the security and confidentiality of Personal Information shared during the course of this Agreement.]
***
32. Spencer Fane LLP | spencerfane.com 32
Source: Westlaw
THE POINT:
“Data is the hot potato” – if you don’t need it, get
rid of it … securely.
Return or Destruction of Personal Information.
At any time during the term of this Agreement at Customer's [written] request or upon the termination or expiration of this Agreement
for any reason, Service Provider shall, and shall instruct all [Authorized Employees/Authorized Persons] to, promptly return to
Customer all copies, whether in written, electronic, or other form or media, of Personal Information in its possession or the possession
of such [Authorized Employees/Authorized Persons], or securely dispose of all such copies, and certify in writing to Customer that
such Personal Information has been returned to Customer or disposed of securely. Service Provider shall comply with all [reasonable]
directions provided by Customer with respect to the return or disposal of Personal Information.
33. Spencer Fane LLP | spencerfane.com 33
Source: Westlaw
THE POINT:
Pay up … well, if you can (but you had better both
have privacy / cyber risk insurance).
Indemnification. Service Provider shall defend, indemnify, and hold harmless Customer [and Customer's parent
company] and [its/their] subsidiaries, affiliates, and [its/their] respective officers, directors, employees, agents,
successors, and permitted assigns (each, a "Customer Indemnitee") from and against all losses, damages, liabilities,
deficiencies, actions, judgments, interest, awards, penalties, fines, costs, or expenses of whatever kind, including
reasonable attorneys' fees, the cost of enforcing any right to indemnification hereunder, and the cost of pursuing any
insurance providers, arising out of or resulting from any third-party claim against any Customer Indemnitee arising
out of or resulting from Service Provider's failure to comply with any of its obligations under [this Section/[SECTION
NUMBER]].
34. Spencer Fane LLP | spencerfane.com 34
THE POINT:
You – and everyone you rely upon in the supply
chain – better have privacy / cyber risk insurance.
Privacy/Cyber/Network Security/Professional Liability. Service Provider shall maintain appropriate
Privacy/Cyber/Network Security/Professional Liability coverage in the amount of not less than $1,500,000 per
occurrence and $10,000,000 in the aggregate with coverage to specifically provide protection against liability for
the following: (a) privacy breaches and resulting liability arising from the loss or disclosure of BIGCORP Data or
Personal Information (b) denial or loss of service (c) introduction, implantation or spread or malicious code software
and (d) unauthorized access to or use of computer systems to include first party coverage for forensic investigation,
notification and credit monitoring and Third Party coverage for network security errors and omissions with no
exclusions for unencrypted portable devices or media or cyber events. Service Provider agrees to provide proof that
this insurance is maintained for a period of two years after the termination of the Agreement.
35. Spencer Fane LLP | spencerfane.com 35
THE POINT:
The security and privacy protections for the data
flow down to the nth level downstream.
Subcontractors. Service Provider and Affiliates of Service Provider will perform sufficient due diligence prior to the
retention of any Subcontractor to ensure that such Subcontractor will not, in any way, compromise the security,
confidentiality, availability or integrity of any BIGCORP Data. Further, Service Provider and Affiliates of Service
Provider will ensure that the terms of its subcontract with any Subcontractor are sufficient to enable such Service
Provider or Affiliate of Service Provider to perform all of its responsibilities and obligations of the Agreement and the
Security Datasheet. Service Provider will take appropriate action to cause its Affiliates, Subcontractors, and Service
Provider Personnel to be advised of and comply with the applicable terms and conditions of the Agreement and the
Security Datasheet, and will ensure that Service Provider Personnel are trained regarding their handling of BIGCORP
Data and obligations under the Agreement and Security Datasheet.
36. Spencer Fane LLP | spencerfane.com 36
Shawn Tuma
Co-Chair, Cybersecurity & Data Privacy
Spencer Fane LLP
972.324.0317
stuma@spencerfane.com
• 20+ Years of Cyber Law Experience
• Practitioner Editor, Bloomberg BNA – Texas
Cybersecurity & Data Privacy Law
• Council Member, Southern Methodist University
Cybersecurity Advisory
• Board of Advisors, North Texas Cyber Forensics Lab
• Policy Council, National Technology Security Coalition
• Board of Advisors, Cyber Future Foundation
• Cybersecurity & Data Privacy Law Trailblazers, National
Law Journal (2016)
• SuperLawyers Top 100 Lawyers in Dallas (2016)
• SuperLawyers 2015-20
• Best Lawyers in Dallas 2014-20, D Magazine
• Chair-Elect, Computer & Technology Section, State Bar of
Texas
• Privacy and Data Security Committee of the State Bar of
Texas
• College of the State Bar of Texas
• Board of Directors, Collin County Bench Bar Conference
• Past Chair, Civil Litigation & Appellate Section, Collin
County Bar Association
• Information Security Committee of the Section on Science
& Technology Committee of the American Bar Association
• North Texas Crime Commission, Cybercrime Committee &
Infragard (FBI)
• International Association of Privacy Professionals (IAPP)