Overview

IACCM CONTRACTING PRINCIPLES
Data Security and Privacy

1. Definitions

The following definitions apply to these IACCM Contracting Principles:

  • "Protected Data" means personal data (such as personally identifiable information and credit card information) and other highly sensitive data (such as passwords) of a customer or its clients that are in the possession of or accessible by the supplier.  Depending on the originator, nature, and location of the data being processed, the definition of Protected Data may be modified to take into account applicable law (e.g., data subject to HIPAA, the European Data Privacy Directive, GDPR, or PIPEDA).  (Other types of confidential information may be subject to contractual confidentiality obligations but are not considered Protected Data within the scope of this Principles document.)
  • "Protected Data Non-Compliance" means a failure by the supplier to comply with its obligations regarding the handling or safeguarding of Protected Data under the contract or under data protection/privacy laws or regulations applicable to the supplier.
  • "Protected Data Loss" means the accidental, unauthorised or unlawful destruction, loss, alteration or disclosure of, or access to Protected Data.  (Not all Protected Data Losses result from a Protected Data Non-Compliance, such as where hacking takes place despite the supplier’s good faith compliance with all applicable obligations.)

2. General Concepts

These general concepts form the basis for the more detailed IACCM Contracting Principles that follow:

  • A security environment should be designed based on the assumption that security or process failures may occur and that there need to be multiple layers of protection to guard against Protected Data Losses.
  • Contract terms should reflect a balance of cost and benefit in the security environment.  Customers and suppliers can more effectively reduce operational risks of Protected Data Losses by focusing on (and clearly delineating) their respective security obligations rather than by focusing solely on supplier liabilities in the event of a Protected Data Non-Compliance.
  • The extent to which a supplier will conform to particular industry security standards or will meet custom/more exacting requirements is a commercial issue that should be negotiated based on the size and scope of the deal (including particular security safeguards) and the nature of the solution (e.g., whether it is a standard service offering for a multi-customer environment or is a dedicated custom-built solution).  
  • Liability for Protected Data Non-Compliance should be based on the same principles as applied for other contract breaches – liability should be based on sufficient proof of the breach, should be proportionate to fault, and should reflect a fair allocation of risk as agreed to by the parties.  In addition, each party should have an obligation to mitigate damages.

3. IACCM Contracting Principles

3.1. Scope of Protected Data Obligations

  • Contract terms should, where possible, provide specificity with regards to the types of Protected Data being exchanged and the access, use, sharing or re-transmission (collectively, “Use”) of the Protected Data by the supplier.
  • The supplier’s data security obligations should be clearly and accurately described based on the role it will perform and should focus on functions and tasks, not outcomes.
  • The customer should undertake reasonable steps to safeguard its own Protected Data, such as encryption, firewalls or regular backups.
  • The supplier should specify the security standards to which its operations adhere by reference to specific industry standards (such as ISO 27001, PCI-DSS, etc.) or otherwise, and the supplier should provide applicable certifications upon request.  

3.2. Compliance with Laws and Regulations

  • Each party should comply with the data protection/privacy laws, regulations and mandatory industry standards (such as PCI-DSS) that apply to its own operations and activities.
  • The supplier’s responsibilities with respect to data protection/privacy laws that apply specifically to the customer’s operations and activities should be reflected as specific operational obligations rather than a general compliance with law obligation.
  • When appropriate, the customer’s data protection/privacy compliance activities that are included in the scope of the supplier’s services should be clearly stated within the contract to avoid misunderstandings or gaps in responsibilities.
  • The contract should provide an equitable mechanism to modify the supplier’s contract obligations (and charges, where appropriate) based on changes to data protection/privacy laws that have a material impact on the supplier and/or customer.  
  • The supplier should not be expected to provide the customer with independent compliance audit reports that contain highly sensitive information and are generally not created for dissemination.  Rather, the parties should adopt an alternative process by which their respective experts can meet to share appropriate information to give the customer assurances relating to security controls.  In cases where the customer has an obligation to provide regulators with the supplier’s compliance documentation or where laws or regulations permit regulators to audit the supplier’s compliance with security standards, the contract should address those situations and provide for appropriate safeguards for the supplier’s information and operations.

3.3. Allocation of Liability for Protected Data Losses

  • The supplier should be liable in the event of its Protected Data Non-Compliance, subject to reasonable limitations. The supplier should be accountable only for Protected Data Losses that result from its Protected Data Non-Compliance.  If a Protected Data Loss results from multiple points of failure, the supplier should be held responsible only to the extent the loss is the result of its Protected Data Non-Compliance(s).
  • For service offerings where the supplier has only incidental access to Protected Data (e.g., business contact information for customer employees) and the risk of damages is small, the supplier’s liability for a Protected Data Non-Compliance should be subject to the standard contract limitation of liability (such as a cap at a fixed dollar amount or a multiple of annual charges).
  • Where the supplier is operating within the customer’s security environment or has significant access to Protected Data, it may be appropriate for the supplier to be subject to higher liability caps for a Protected Data Non-Compliance.
  • The supplier should be subject to uncapped liability for a Protected Data Non-Compliance only if there was an intentional or grossly negligent misuse or release of Protected Data by the supplier.
  • The contract’s general exclusion of indirect, consequential or other categories of damages (e.g., lost profits, revenues, goodwill) should apply in the case of Protected Data Non-Compliance.  However, it may be appropriate to identify discrete categories of covered damages for which the supplier will be liable (subject to caps), such as cost of breach notifications, credit monitoring, data recovery (unless the customer’s failure to back up its data in a reasonable fashion gave rise to the loss), and regulatory fines.  These exclusions and covered categories of liabilities should also apply to the supplier’s indemnifications for third party claims attributable to a Protected Data Non-Compliance.