DATA SECURITY AND COMMERCIAL CONTRACTS

An update on the changing US laws relating to data security and how to address this critical area of change and risk in your commercial contracts

http://delvacca.acc.com

Participants

Michael Pillion, Partner, Morgan Lewis
P: 215.963.5554
E: [email protected]

Barbara Melby, Partner, Morgan Lewis
P: 215.963.5053
E: [email protected]

Sheila Hawes, Associate General Counsel and Chief Privacy Officer, AmerisourceBergen Corporation
P: 610.727.7437
E: [email protected]

HOW CHANGES IN PRIVACY AND SECURITY REGULATION ARE AFFECTING COMMERCIAL TRANSACTIONS

Topics Covered

• Presentation Focus is on US Laws
• Federal Privacy and Data Security Laws
• State Privacy and Data Security Laws
• Proposed Federal Law
• Impact on the Commercial Contract (focusing on services transactions)

Federal Laws

• Laws that apply to particular sectors:
  • Gramm-Leach-Bliley Act (G-L-B), a/k/a Financial Services Modernization Act of 1999, regulating personal information collected or held by financial institutions or other businesses that provide financial services and products.
    • Privacy requirements
    • Security safeguard requirements
    • Breach notification requirements
  • Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH), regulating medical information, including protected health information (PHI):
    • HIPAA Privacy Rule – privacy requirements applicable to PHI
    • HIPAA Security Rule – safeguard requirements
    • HIPAA Security Breach Notification Rule – breach notification requirements

Federal Laws

• Consumer protection laws, such as the Federal Trade Commission Act (FTC Act)
  • Not specifically privacy and data security laws
  • Used to prohibit unfair or deceptive practices involving the collection, use, processing, protection and disclosure of personal information.
• FTC's "Red Flags" Rules issued under the Fair and Accurate Credit Transactions Act (FACTA), requiring financial institutions and creditors to have identity theft protection programs that detect or "red flag" identity theft in their day-to-day operations.

Federal Laws

• Laws that apply to types of activities that use personal information or might otherwise affect individual privacy, such as:
  • Children's Online Privacy Protection Act (COPPA), regulating the online collection of information from children.
  • Fair Credit Reporting Act (FCRA), as amended by FACTA, regulating consumer credit and other information.
  • Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), regulating commercial e-mail.
  • Telephone Consumer Protection Act (TCPA), regulating telemarketing.
  • Electronic Communications Privacy Act (ECPA), regulating electronic communications.
  • Computer Fraud and Abuse Act (CFAA), regulating computer tampering.
• Many other federal laws that regulate the use of personal information.

State Laws

• Hundreds of privacy and data security laws governing the collection, use, protection and disclosure of personal information exist at the state level, with inconsistent scope and obligations. State privacy and data security laws include, for example:
  • Data security breach notification laws
  • Laws mirroring the FTC Act and other consumer protection laws
  • Laws supplementing G-L-B and HIPAA, including medical information laws
  • Data security laws
  • Record disposal laws
  • Laws protecting personal information of students
  • Card transaction laws
  • Social Security number laws
  • More, and always changing

State Data Breach Notification Laws

• In 2002, California was the first state to enact a data security breach notification law, which became effective in July 2003.
• The California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person.
• Any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General.
• Today, 47 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have breach notification laws.
• Texas – the law requires notification to be given by persons/entities who conduct business in Texas (not defined) to residents of other states. If the other state has a breach notification law, the notice can be given under either Texas law or the other state's law. If there is no law in the other state, Texas notification law applies.
• These are reactive laws, not proactive laws.

[Map of the United States highlighting the 47 data breach notification states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands]

47 Data Breach Notification States

State Data Breach Notification Laws

State: Citation
Alaska: Alaska Stat. § 45.48.010 et seq.
Arizona: Ariz. Rev. Stat. § 44-7501
Arkansas: Ark. Code § 4-110-101 et seq.
California: Cal. Civ. Code §§ 1798.29, 1798.80 et seq.
Colorado: Colo. Rev. Stat. § 6-1-716
Connecticut: Conn. Gen. Stat. § 36a-701b
Delaware: Del. Code tit. 6, § 12B-101 et seq.
Florida: Fla. Stat. §§ 501.171, 282.0041, 282.318(2)(i) (2014 S.B. 1524, S.B. 1526)
Georgia: Ga. Code §§ 10-1-910, -911, -912; § 46-5-214
Hawaii: Haw. Rev. Stat. § 487N-1 et seq.
Idaho: Idaho Stat. §§ 28-51-104 to -107
Illinois: 815 ILCS §§ 530/1 to 530/25
Indiana: Ind. Code §§ 4-1-11 et seq., 24-4.9 et seq.
Iowa: Iowa Code §§ 715C.1, 715C.2
Kansas: Kan. Stat. § 50-7a01 et seq.
Kentucky: KRS § 365.732, KRS §§ 61.931 to 61.934 (2014 H.B. 5, H.B. 232)
Louisiana: La. Rev. Stat. § 51:3071 et seq., 40:1300.111 to .116 (2014 H.B. 350)
Maine: Me. Rev. Stat. tit. 10 § 1347 et seq.
Maryland: Md. Code Com. Law §§ 14-3501 et seq., Md. State Govt. Code §§ 10-1301 to -1308
Massachusetts: Mass. Gen. Laws § 93H-1 et seq.
Michigan: Mich. Comp. Laws §§ 445.63, 445.72
Minnesota: Minn. Stat. §§ 325E.61, 325E.64
Mississippi: Miss. Code § 75-24-29
Missouri: Mo. Rev. Stat. § 407.1500
Montana: Mont. Code § 2-6-504, 30-14-1701 et seq.
Nebraska: Neb. Rev. Stat. §§ 87-801, -802, -803, -804, -805, -806, -807
Nevada: Nev. Rev. Stat. §§ 603A.010 et seq., 242.183
New Hampshire: N.H. Rev. Stat. §§ 359-C:19, -C:20, -C:21
New Jersey: N.J. Stat. § 56:8-163
New York: N.Y. Gen. Bus. Law § 899-aa, N.Y. State Tech. Law 208
North Carolina: N.C. Gen. Stat. §§ 75-61, 75-65
North Dakota: N.D. Cent. Code § 51-30-01 et seq.
Ohio: Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192
Oklahoma: Okla. Stat. §§ 74-3113.1, 24-161 to -166
Oregon: Oregon Rev. Stat. § 646A.600 et seq.
Pennsylvania: 73 Pa. Stat. § 2301 et seq.
Rhode Island: R.I. Gen. Laws § 11-49.2-1 et seq.
South Carolina: S.C. Code § 39-1-90, 2013 H.B. 3248
Tennessee: Tenn. Code § 47-18-2107
Texas: Tex. Bus. & Com. Code §§ 521.002, 521.053, Tex. Ed. Code § 37.007(b)(5)
Utah: Utah Code §§ 13-44-101 et seq.
Vermont: Vt. Stat. tit. 9 § 2430, 2435
Virginia: Va. Code § 18.2-186.6, § 32.1-127.1:05
Washington: Wash. Rev. Code § 19.255.010, 42.56.590
West Virginia: W.V. Code §§ 46A-2A-101 et seq.
Wisconsin: Wis. Stat. § 134.98
Wyoming: Wyo. Stat. § 40-12-501 et seq.
District of Columbia: D.C. Code § 28-3851 et seq.
Guam: 9 GCA § 48-10 et seq.
Puerto Rico: 10 Laws of Puerto Rico § 4051 et seq.
Virgin Islands: V.I. Code tit. 14, § 2208

State Data Breach Notification Laws – Common Provisions

• Who must comply?
• Who is covered?
  • State resident consumer
• What information (PII) is covered?
  • Name combined with SSN, account no., driver's license no.
• What triggering or breaching event?
  • Unauthorized acquisition of data
• What notice requirements?
  • Timing or method of notice
  • Who must be notified
• Exemptions (e.g., for encrypted information)
• Penalties, enforcement authorities and remedies

State Data Breach Notification Laws – Differing Standards

• Vary by state and circumstances of the breach
  • Definition of "personal information"
  • Who must comply?
  • Notification triggers
  • Notification to AG or other state agency
  • Manner of notification
  • Data format: hard copy files vs. electronic only
  • Safe harbor for encryption

2014 Amendments to California Data Breach Notification Law

• Amendments effective January 1, 2015. Modifies the current data breach notification statutes in two primary respects.
• First, if a business "maintains" personal information about a California resident (expansion from owns or licenses), the business must "implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure."
  • Becomes a proactive law.
• Second, where the notifying entity was the source of a breach involving the disclosure of Social Security or driver's license numbers, and "if any" offer to provide identity-theft prevention or mitigation services is made, it must be made at no cost to the affected person for no less than 12 months along with all information necessary to take advantage of the offer.
• Also adds prohibition on sale, advertisement for sale or offer of sale of an individual's Social Security number.

Data Security Laws

• Several states, including California, Massachusetts, Connecticut and Nevada, have enacted laws requiring that companies take certain steps to protect the security of personal information that they collect, use and maintain.
• Massachusetts regulations require that companies (including out-of-state companies) who own, license, store or maintain personal information about a MA resident comply with strict requirements to safeguard such personal information.
  • Requires a comprehensive written information security program (for both paper and electronic information)
  • Requires encryption of personal information of MA residents that is (i) on portable devices (e.g., smartphones, laptops), (ii) stored in portable media (e.g., memory sticks, DVDs), or (iii) transmitted over a public or wireless network
  • Companies subject to the MA regulations must take reasonable steps to ensure their third-party service providers that have access to personal information of a MA resident will comply with the MA regulations.
  • Contracts with third-party service providers must require compliance with the MA regulations.

State Laws Mirroring FTC Act, and Supplementing G-L-B and HIPAA

• Laws that mirror the FTC Act and other consumer protection statutes, prohibiting unfair or deceptive business practices.
• Laws supplementing G-L-B and HIPAA, which do not preempt more protective state laws that are not inconsistent.

State Laws – Medical Information Laws

• A number of states, including California and New Jersey, have adopted statutes specifically aimed at the protection of medical information.
• New law in New Jersey, signed into law on January 9, 2015, becomes effective August 1, 2015.
  • Applies to health insurance carriers, including health service corporations, hospital service corporations, and health maintenance organizations authorized to issue New Jersey health benefit plans.
  • Bars such health insurance carriers from collecting a patient's name linked with his or her Social Security number, driver's license or other state identification number, address, and other identifiable health information unless this data is encrypted or otherwise unusable by an unauthorized third party.
  • Law requires security measures to extend beyond a simple password and mandates that health insurance carriers implement safeguards that render the data unreadable, undecipherable, or otherwise unusable by someone who can bypass the password protection.
  • Law applies to all end-user computers, such as desktops, laptops and mobile devices, and all data and information transmitted via public networks.
  • The NJ bill signing came a little more than one year after Horizon Blue Cross Blue Shield suffered the theft of two laptops that contained varying amounts of personal data on more than 839,711 policyholders, including names, demographic information, addresses, birth dates, some Social Security numbers and certain medical information.
  • Law is supplemental to HIPAA

State Laws – Record Disposal Laws

• Several states, including California, New Jersey, New York and Delaware, have enacted laws requiring proper disposal of tangible and intangible records containing personal information.
• New Delaware law, effective January 1, 2015
  • Covers "commercial entities," defined broadly, including non-profit entities
  • Commercial entities must take all reasonable steps to destroy or arrange for the destruction of personal identifying information in their custody and control by shredding, erasing, or otherwise destroying or modifying it so that the information is entirely unreadable or indecipherable.
  • Consumer who suffers actual damages may bring civil action and court may award treble damages
  • Authorizes administrative enforcement proceedings
  • Exemption for entities subject to G-L-B, HIPAA, Fair Credit Reporting Act

State Laws Protecting Personal Information of Students

• Laws include enhanced privacy requirements for school districts that are relevant to education technology companies that provide services to school districts.
• Address student data privacy in a number of ways, including restricting with whom student data may be shared, restricting which data may be collected, requiring school districts to adopt data-retention and security standards, and requiring the publication of data collection indices that explain each element of student data that school districts collect.

State Laws Protecting Personal Information of Students

• Several new state laws also require specific provisions regarding student data privacy to be included in any contract between a school district and a third-party service provider.
  • In Louisiana, agreements with contractors must include, among other matters, provisions for privacy and security audits by the district as well as data breach planning, notification, and remediation procedures.
  • In California, such agreements must include, among other matters, procedures for parents and legal guardians to review and correct personally identifiable information held by the contractor.

State Laws Protecting Personal Information of Students

• California's Expanded Student Data Privacy Regime
  • Student Online Personal Information Protection Act (SOPIPA), recently enacted in California and taking effect on January 1, 2016, is not limited to services provided directly to schools.
  • SOPIPA applies stringent privacy rules to any operator of websites, Internet services, or mobile applications with actual knowledge that the services are used primarily for "K–12 school purposes" and were designed and marketed for K–12 school purposes.
  • SOPIPA prohibits, among other actions, using student data for targeted advertising on the service; using any information collected, including persistent unique identifiers (such as persistent cookies), for targeted advertising on any other site or service; and selling student data. SOPIPA also imposes certain data security and deletion requirements on covered services.
  • "K–12 school purposes" is defined as any purpose that customarily takes place at the direction of a K–12 school, teacher, or school district or that aids in the administration of school activities.
  • Accordingly, even if an online service is not provided directly to schools, if it is used by K–12 students or fills a traditional school function, it may be subject to the restrictions. Services subject to SOPIPA may therefore include some social networks, collaboration tools, study aids (such as flashcard apps or other mobile education apps), note-swapping services, and message boards, among any other tools that a school might use or benefit from.

Some More State Laws

• Card transaction laws. Several states, including California, New York and Massachusetts, have enacted laws that limit the collection of personal information in connection with payment card transactions.
• Social Security number laws governing the collection, use, protection, disclosure and sale of Social Security numbers.

Constantly Changing State Laws

• At least 23 states introduced or considered security breach notification legislation in 2014. Most of the bills provided for amendments to existing security breach laws.
• At least 11 states enacted some type of breach legislation for businesses, educational institutions or government in 2014.
• Kentucky in 2014 became the 47th state to have a breach law.

2015 Proposed Amendments to New York Law

• In mid-January 2015, New York's attorney general proposed amendments to his state's data security laws, which would:
  • require companies to put into place certain strong technical and physical security measures to protect the data they hold,
  • amend the state's existing breach notification law to include within the definition of "private information" the combination of an email address and password, an email address in combination with a security question and answer, and medical data such as biometric information and health insurance information,
  • create a safe harbor from liability for companies that adopt and attain certification that they have effectively implemented heightened security standards, and
  • provide a shield for companies that share forensic reports with law enforcement officials by ensuring that the disclosure does not affect any privilege or protection.

New Federal Legislation?

• In remarks at the FTC on January 12, 2015, and in his State of the Union Address on January 20, 2015, President Obama called for the passage of the Personal Data Notification & Protection Act, which would:
  • Create a single national standard for security breach notification
    • Businesses would have 30 days to notify affected individuals of a security breach.
    • Businesses would not need to notify affected individuals if "there is no reasonable risk of harm or fraud" to the affected individuals.
    • Businesses would be required to notify individuals directly and provide media notification in any state with more than 5,000 affected individuals.
    • Businesses must notify "an entity designated by the Department of Homeland Security" within 10 days of discovering the breach.
  • Preemption of state security breach notification laws

New Federal Legislation?

• Proposed Personal Data Notification & Protection Act would:
  • Encourage cyber threat information sharing within the private sector and between the private sector and federal government
    • President Obama's proposal encourages the private sector to share "appropriate cyber threat information with the Department of Homeland Security's National Cybersecurity and Communications Integration Center" ("NCCIC").
    • The NCCIC would then share the cyber threat information with (1) appropriate federal agencies and (2) Information Sharing and Analysis Organizations ("ISAOs"), which are developed and operated by the private sector.
    • Businesses that share the cyber threat information they acquire would be granted "targeted liability protection."
  • Enhance law enforcement's ability to investigate and prosecute cyber crimes

New Federal Legislation?

• Tug of war?
  • Financial industry trade groups are pushing for the Personal Data Notification and Protection Act because preemption of state data security breach notification laws would require (and enable) retailers and other businesses to meet a single national standard.
  • Industry groups are also backing the Personal Data Notification and Protection Act because it will promote sharing of cyber threat information between the private and public sectors, since the threat of litigation is reduced.
  • Some state attorneys general and privacy advocates are against it because some state laws are more protective.
• President Obama also proposed a federal Student Digital Privacy Act modeled on California's SOPIPA.

Related Contract Provisions for Commercial Contracts

• More and more of the commercial contract is related to the Customer's data and the corresponding rights, obligations and liabilities of the Vendor and Customer.
• What contract provisions are required?
  • Depends on the particular facts and circumstances of the relevant transaction, taking into account:
    • What types of data will be accessed/processed/hosted?
    • Consider the sensitivity – Personal Information? Protected Health Information (PHI)? Sensitive Personal Information? Business-sensitive information?

Data Definitions

• Data
  • Not only the data as provided by Customer – also any data accessed by Vendor and any data resulting from Vendor's performance of the services
  • Will Vendor have data of Customer's clients or other third parties?
• Personal Information (subset of Customer Data)
  • Identifies a person (e.g., name, address)
  • Authenticates a person (e.g., passwords, PINs)
  • Subset: "sensitive personal information," such as SSN, financial account numbers, other government-issued IDs
  • Subset: protected health information (PHI) under HIPAA
  • Vendor should provide protection of Customer's data commensurate with the level of sensitivity of the data
• Confidential Information
  • Include Customer Data in definition of Customer Confidential Information
  • Personal Information as "exception to the exception" from the definition of Customer Confidential Information

Data Security Plan

• Maintenance of data security plan
  • Meeting requirements of law
  • Meeting requirements of Customer policy?
  • Meeting requirements of Vendor policy?
  • Meeting requirements of industry standards? Data security standards (such as ISO; ITIL; PCI DSS)?
  • Enhancement over time to keep pace with the foregoing; lessons learned; sensitivity of data
• Addressing, among other things:
  • Physical security, commensurate with data sensitivity
  • Logical/system security, to avoid compromise of confidentiality through commingling
  • How data is segregated

Data Security Plan

• Maintenance of data security plan
• Addressing, among other things:
  • Access by authorized personnel only
  • Regular monitoring of intrusion detection system and reporting
  • Encryption (e.g., for transfers outside firewalls)
  • Use of mobile devices and storage (e.g., laptops, tablets, USB drives, back-up tapes), including whether use is permitted
  • Enhanced standards for Personal Information, including PHI
  • Employee privacy and security training
• Notice of changes by Vendor – Customer consent required?

Response to Data Security Breach

• Required response to data security breach
  • Response
  • Report
  • Remediation
  • Notice required by law
  • Credit monitoring required by law/policies
  • Other requirements under law/policies
• Responsibility for costs, fines

Compliance

• Definition of "Laws"
  • Definition of entities that issue "Laws"
  • Build in new and modified laws
  • Check your definition of privacy laws

Page 35: DATA SECURITY AND COMMERCIAL · PDF fileAn update on the changing US laws relating to data security and how to address this critical area of change and risk in your commercial contracts

Compliance • Compliance

• Allocation of compliance and monitoring obligations between Parties
  • Vendor Laws: Vendor must monitor and comply (at Vendor’s cost)
  • Customer Laws: Customer must monitor; Vendor must comply (at whose cost?); Customer may issue “Compliance Directives” to Vendor
  • Where to allocate specific privacy laws (e.g., HIPAA, Gramm-Leach-Bliley (GLB), the EU Data Protection Directive)?
• Remember certain specific laws – for example, contracts with third-party service providers that receive, store, maintain or process personal information of a Massachusetts (MA) resident are required to protect it as required by the MA Regulations (201 CMR 17.00).
  • Language can be simple – e.g., that the vendor is required to comply with applicable Laws (and new or modified Laws), and that the MA Regulations are covered by the definition of “Laws”
  • Right to audit the vendor’s compliance
  • Requirement that the vendor return or destroy all personal information upon termination
  • Requirement to provide prompt notification of breach

Page 36

Compliance

• Compliance

• Compliance with Policies
  • Vendor policies (including changes)
  • Customer policies (including changes)
  • Can they be aligned?
  • Is it feasible for Vendor to adjust its policies on a customer-specific basis?
  • Can Customer be comfortable relying on Vendor’s policies?
  • Mandatory change control – costs of changes – potential for vendors to look to spread costs of major change
  • Timing for implementing change
  • Responsibility for fines

Page 37

Derivative Data, Access, Return and Destruction

• Vendor right to derivative data

• Aggregated and de-identified data.

• Does Customer have the right to give Vendor the right under applicable privacy policies, contracts, laws, etc.?

• Access and Return of data

• Access in response to customer requests (may be required by HIPAA and other laws)

• Access and preservation for discovery purposes

• Access to respond to requests by law enforcement or governmental authority

• In what format? Any need for conversion assistance?

• Destruction of data

• In accordance with the requirements of applicable laws, policies, contracts, etc.

Page 38

Audit and Compliance Certifications

• Audit

• Vendor cooperation with audits, including with regulatory audits

• SSAE 16 (SOC reports)
  • Audit of the design and/or operating effectiveness of Vendor’s controls, resulting in an audit report that Vendor may share with its customers. A Type I report covers the design of controls at a point in time; a Type II report also covers their operating effectiveness over a review period, which is the one to ask for when relying on the vendor’s ongoing security controls.
  • Can apply even if the data in Vendor’s possession does not affect Customer’s internal control over financial reporting – choice of type (SOC 1 vs. SOC 2). A SOC 1 report addresses controls relevant to financial reporting; a SOC 2 report addresses security, availability, processing integrity, confidentiality and privacy, so it is the report that speaks to protection of Customer’s data.
• Quality/compliance certifications (e.g., ISO/IEC 27001 for information security management)
• Payment Card Industry (PCI DSS) Report on Compliance or Attestation of Compliance

Page 39

Liability

• Limitations on Liability

• Contract will typically contain:

• Disclaimer of consequential and other indirect damages

• Direct damage cap

• Certain exceptions to the disclaimer and/or cap

• Key issue is how direct claims by Customer and Vendor indemnification obligations for breaches of data security, confidentiality and compliance obligations under the MSA are treated under the direct damage cap and disclaimer of indirect damages.

• “Pre-defined” direct damages

• Costs of data breach remediation.

• Indemnified losses.

• Governmental fines and penalties

Page 40

Indemnification

• Vendor defense and indemnification of Customer from and against third party claims (including regulators or individuals whose data has been disclosed), and associated liabilities and costs arising from:
  • Breach by Vendor (or its subcontractors) of Vendor’s data security or confidentiality obligations under the contract
• Indemnification obligations are typically a pure exception to the disclaimer of consequential damages.
• Indemnification obligations for data security and compliance obligations are often challenged as a pure exception to the direct damages cap.

Page 41

Liability for data breach

• Let’s break it down – what are the major areas for damages exposure?
  • investigating breaches
  • remediating systems
  • restoring data
  • recreating data
  • data breach notifications and remediation requirements with respect to the individual and regulators

Page 42

Liability for data breach

• What we are seeing (and it is not consistent)

• Unlimited or enhanced liability if the supplier was in breach of its obligations
• May depend on the type of data (is there a lot of PI or PHI?)
• May depend on the encryption or other solution requirements

Page 43

Liability for data breach

• Supplier is not “in breach” but
  • Data is residing on the supplier’s systems or under the supplier’s control
  • Should the customer have to prove a breach for supplier to be liable?
• Where it gets contentious – maybe differentiate by type of damage:
  • investigating breaches
  • remediating systems
  • restoring data
  • recreating data
  • data breach notifications and remediation requirements with respect to the individual and regulators

Page 44

Additional Key Topics

• Service locations and subcontracting
  • Where is the data? Customer’s locations, Vendor’s locations, Subcontractor locations, DR/BCP sites, “Cloud” locations – where are the servers, both for data storage and processing?
  • Who has the data and are they subject to the same contract requirements?
  • Contract flow-down requirements in subcontracts
  • Background check requirements
• Governing law vs. laws that apply due to data type/source/location
• Considerations for companies that provide services directly to schools based on applicable State laws

Page 45

For more information

Visit our blog: Sourcing@MorganLewis. Sourcing@MorganLewis updates lawyers and sourcing professionals on the latest developments and trends affecting outsourcing, technology, and other commercial transactions.

Recent topics:

• Usage Rights in Software License Agreements

• 2015’s Outsourcing Trends to Watch

• New Jersey Law to Impose Encryption Obligations on Health Insurance Carriers

• Microsoft Challenges U.S. Government on Warrant for Data Stored Overseas

http://blogs.morganlewis.com/sourcingatmorganlewis/
