The Canadian Bar Insurance Association

Underlying contracts help address third-party data breach risk

New causes of action for breach of privacy make data breach one of the most significant risks facing Canadian companies — but organizations may have an opportunity to manage this risk when contracting for information services with third-party vendors, Toronto privacy lawyer Peter Murphy writes in Lawyers Weekly.`

“In Canada, privacy laws apply to situations where personal information is transferred to a service provider. The Personal Information Protection and Electronic Documents Act (PIPEDA) requires subject organizations to use contractual or other means to ensure comparable protections apply to their personal information while in the service vendor’s control. Canada’s provincial private sector privacy laws have similar requirements,” writes Murphy, a partner at Shibley Righton LLP.

As such, when procuring information services, organizations should be sure to include the following features in underlying contracts to ensure comparable protections are present, and to better address data breach issues:

First of all, writes Murphy, information service vendors should be required to comply with applicable privacy laws, regulations, policies and guidelines with respect to their contracted services and related personal information.

“The vendor’s use of the organization’s data must be prescribed in the contract and be consistent with the purpose for which the data were collected. The vendor’s data retention should be minimized and subject to confidentiality obligations. Responsibilities should be allocated to ensure subject data are kept up to date and to permit individuals to have access to their respective personal information on request. The organization should have the right to inspect and audit the vendor to ensure compliance,” says Murphy.

Vendors should also be required to inform the procuring organization of any data access requests and data breaches they suffer with respect to the service. Vendors should also be required to co-operate with the organization to facilitate privacy investigations, maintain related records and make them available to the organization. They should also help facilitate breach notifications, he says.

Vendors should be required to use technical, administrative and physical safeguards to protect the data, including tracking data access and use, firewalls, antimalware programs, individual user accounts, regularly updated passwords and encryption.

As Murphy explains, administrative safeguards include covenants to comply with security, privacy, disaster protection and breach response policies. The policies should include regular data access reviews, new staff background checks and immediate termination of outgoing staff data access privileges.

Physical safeguards involve the use of physical access controls, and the contract should specify the locale of the data and prohibit the vendor from co-mingling the data with any other data. Vendors should also be restricted from exporting the organization’s personal information out of Canada without consent, he says.

The return of the data should also be clearly provided for, explains Murphy, and any permitted destruction of the data should be subject to specified controls, to ensure it will be irretrievable.

Although, "there is an increasing tendency for vendors of cloud and software-as-a-service solutions to attempt to exclude almost all liability for data breach under their contracts,” and limiting the vendor’s liability is common, Murphy adds that “it is important that the procuring organization retain sufficient means to enforce vendor contractual compliance.”

“When negotiating the procurement of information services, organizations are better prepared if they have a full understanding of data breach risks and the contractual, technical, administrative and physical protections they require from the outset of negotiations. Having this understanding promotes a more efficient and competitive procurement process, better value, and the use of best practices to manage data breach risk in the resulting contract,” he writes.

To Read More Peter Murphy Posts Click Here
Lawyer Directory
BridgePoint Financial Services (post to 5.31.19)Toronto Lawyers Association (post to 6.30.19)MKD International (post until Sept. 30/18)Feldstein Family Law (post until May 31/19)Legal Print & Copy Inc.Steve Rastin (post until Jan. 31/19)Benson Percival Brown - Flat Box Ad Unit - 300x125Forensic Restitution (post until Feb. 28/19)