An update on the changing US laws relating to data security and how to address this critical area of change and risk in your commercial contracts
http://delvacca.acc.com
DATA SECURITY AND
COMMERCIAL CONTRACTS
Participants
Michael Pillion Partner
Morgan Lewis
P: 215.963.5554
Barbara Melby Partner
Morgan Lewis
P: 215.963.5053
Sheila Hawes Associate General Counsel and
Chief Privacy Officer
AmerisourceBergen Corporation
P: 610.727.7437
HOW CHANGES IN PRIVACY AND SECURITY
REGULATION ARE AFFECTING COMMERCIAL
TRANSACTIONS
Topics Covered
• Presentation Focus is on US Laws
• Federal Privacy and Data Security Laws
• State Privacy and Data Security Laws
• Proposed Federal Law
• Impact on the Commercial Contract (focusing on services transactions)
Federal Laws
• Laws that apply to particular sectors:
• Gramm-Leach-Bliley Act (G-L-B), a/k/a Financial Services Modernization Act of 1999, regulating personal information collected or held by financial institutions or other businesses that provide financial services and products.
• Privacy requirements
• Security safeguard requirements
• Breach notification requirements
• Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH), regulating medical information, including protected health information (PHI):
• HIPAA Privacy Rule – privacy requirements applicable to PHI
• HIPAA Security Rule – safeguard requirements
• HIPAA Security Breach Notification Rule – breach notification requirements
Federal Laws
• Consumer protection laws, such as the Federal Trade Commission Act (FTC Act)
• Not specifically privacy and data security laws
• Used to prohibit unfair or deceptive practices involving the collection, use, processing, protection and disclosure of personal information.
• FTC’s “Red Flags” Rules issued under the Fair and Accurate Credit Transactions Act (FACTA), requiring financial institutions and creditors to have identity theft protection programs that detect or “red flag” identity theft in their day-to-day operations.
Federal Laws
• Laws that apply to types of activities that use personal information or might otherwise affect individual privacy, such as:
• Children's Online Privacy Protection Act (COPPA), regulating the online collection of information from children.
• Fair Credit Reporting Act (FCRA), as amended by FACTA, regulating consumer credit and other information.
• Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM), regulating commercial e-mail.
• Telephone Consumer Protection Act (TCPA), regulating telemarketing.
• Electronic Communications Privacy Act (ECPA), regulating electronic communications.
• Computer Fraud and Abuse Act (CFAA), regulating computer tampering.
• Many other Federal laws that regulate the use of personal information.
State Laws
• Hundreds of privacy and data security laws governing the collection, use, protection and disclosure of personal information exist at the state level, with inconsistent scope and obligations. State privacy and data security laws include, for example:
• Data security breach notification laws
• Laws mirroring FTC Act and other consumer protection laws
• Laws supplementing G-L-B and HIPAA, including Medical Information laws
• Data Security laws
• Record disposal laws
• Laws protecting personal information of students
• Card transaction laws
• Social Security number laws
• More and always changing
State Data Breach Notification Laws
• In 2002, California was the first state to enact a data security breach notification law, which became effective in July 2003.
• The California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person.
• Any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General.
• Today, 47 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have breach notification laws.
• Texas – law requires notification to be given by persons/entities who conduct business in Texas (not defined) to residents of other states. If the other state has a breach notification law, the notice can be given under either Texas law or the other state’s law. If no law in the other state, Texas notification law applies.
• These are reactive laws, not proactive laws.
[Map: 47 Data Breach Notification States]
State Data Breach Notification Laws
State – Citation
Alaska – Alaska Stat. § 45.48.010 et seq.
Arizona – Ariz. Rev. Stat. § 44-7501
Arkansas – Ark. Code § 4-110-101 et seq.
California – Cal. Civ. Code §§ 1798.29, 1798.80 et seq.
Colorado – Colo. Rev. Stat. § 6-1-716
Connecticut – Conn. Gen. Stat. § 36a-701b
Delaware – Del. Code tit. 6, § 12B-101 et seq.
Florida – Fla. Stat. §§ 501.171, 282.0041, 282.318(2)(i) (2014 S.B. 1524, S.B. 1526)
Georgia – Ga. Code §§ 10-1-910, -911, -912; § 46-5-214
Hawaii – Haw. Rev. Stat. § 487N-1 et seq.
Idaho – Idaho Stat. §§ 28-51-104 to -107
Illinois – 815 ILCS §§ 530/1 to 530/25
Indiana – Ind. Code §§ 4-1-11 et seq., 24-4.9 et seq.
Iowa – Iowa Code §§ 715C.1, 715C.2
Kansas – Kan. Stat. § 50-7a01 et seq.
Kentucky – KRS § 365.732, KRS §§ 61.931 to 61.934 (2014 H.B. 5, H.B. 232)
Louisiana – La. Rev. Stat. § 51:3071 et seq., 40:1300.111 to .116 (2014 H.B. 350)
Maine – Me. Rev. Stat. tit. 10 § 1347 et seq.
Maryland – Md. Code Com. Law §§ 14-3501 et seq., Md. State Govt. Code §§ 10-1301 to -1308
Massachusetts – Mass. Gen. Laws § 93H-1 et seq.
Michigan – Mich. Comp. Laws §§ 445.63, 445.72
Minnesota – Minn. Stat. §§ 325E.61, 325E.64
Mississippi – Miss. Code § 75-24-29
Missouri – Mo. Rev. Stat. § 407.1500
Montana – Mont. Code §§ 2-6-504, 30-14-1701 et seq.
Nebraska – Neb. Rev. Stat. §§ 87-801, -802, -803, -804, -805, -806, -807
Nevada – Nev. Rev. Stat. §§ 603A.010 et seq., 242.183
New Hampshire – N.H. Rev. Stat. §§ 359-C:19, -C:20, -C:21
New Jersey – N.J. Stat. § 56:8-163
New York – N.Y. Gen. Bus. Law § 899-aa, N.Y. State Tech. Law § 208
North Carolina – N.C. Gen. Stat. §§ 75-61, 75-65
North Dakota – N.D. Cent. Code § 51-30-01 et seq.
Ohio – Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192
Oklahoma – Okla. Stat. §§ 74-3113.1, 24-161 to -166
Oregon – Or. Rev. Stat. § 646A.600 et seq.
Pennsylvania – 73 Pa. Stat. § 2301 et seq.
Rhode Island – R.I. Gen. Laws § 11-49.2-1 et seq.
South Carolina – S.C. Code § 39-1-90, 2013 H.B. 3248
Tennessee – Tenn. Code § 47-18-2107
Texas – Tex. Bus. & Com. Code §§ 521.002, 521.053, Tex. Ed. Code § 37.007(b)(5)
Utah – Utah Code §§ 13-44-101 et seq.
Vermont – Vt. Stat. tit. 9 §§ 2430, 2435
Virginia – Va. Code §§ 18.2-186.6, 32.1-127.1:05
Washington – Wash. Rev. Code §§ 19.255.010, 42.56.590
West Virginia – W.V. Code §§ 46A-2A-101 et seq.
Wisconsin – Wis. Stat. § 134.98
Wyoming – Wyo. Stat. § 40-12-501 et seq.
District of Columbia – D.C. Code § 28-3851 et seq.
Guam – 9 GCA § 48-10 et seq.
Puerto Rico – 10 Laws of Puerto Rico § 4051 et seq.
Virgin Islands – V.I. Code tit. 14, § 2208
State Data Breach Notification Laws – Common Provisions
• Who must comply?
• Who is covered?
• State resident consumer
• What information (PII) is covered?
• Name combined with SSN, account no., driver’s license no.
• What triggering or breaching event?
• Unauthorized acquisition of data
• What notice requirements?
• Timing or method of notice
• Who must be notified
• Exemptions (e.g., for encrypted information)
• Penalties, enforcement authorities and remedies
State Data Breach Notification Laws – Differing Standards
• Vary by state and circumstances of the breach
• Definition of “personal information”
• Who must comply?
• Notification triggers
• Notification to AG or other state agency
• Manner of notification
• Data format: hard copy files vs. electronic only
• Safe harbor for encryption
2014 Amendments to California Data Breach Notification Law
• Amendments effective January 1, 2015. Modifies the current data breach notification statutes in two primary respects.
• First, if a business “maintains” personal information about a California resident (expansion from owns or licenses), the business must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
• Becomes a proactive law.
• Second, where the notifying entity was the source of a breach involving the disclosure of Social Security or driver’s license numbers, and “if any” offer to provide identity-theft prevention or mitigation services is made, it must be made at no cost to the affected person for no less than 12 months along with all information necessary to take advantage of the offer.
• Also adds prohibition on sale, advertisement for sale or offer of sale of an individual’s Social Security number.
Data Security Laws
• Several states, including California, Massachusetts, Connecticut and Nevada, have enacted laws requiring that companies take certain steps to protect the security of personal information that they collect, use and maintain.
• Massachusetts regulations require that companies (including out-of-state companies) that own, license, store or maintain personal information about a MA resident comply with strict requirements to safeguard such personal information.
• Required: a comprehensive written information security program (for both paper and electronic information)
• Required: encryption of personal information of MA residents that is (i) on portable devices (e.g., smartphones, laptops), (ii) stored in portable media (e.g., memory sticks, DVDs), or (iii) transmitted over a public or wireless network
• Companies subject to the MA regulations must take reasonable steps to ensure their third-party service providers that have access to personal information of a MA resident will comply with the MA regulations.
• Contracts with third-party service providers must require compliance with the MA regulations.
State Laws Mirroring FTC Act, and Supplementing G-L-B and HIPAA
• Laws that mirror the FTC Act and other consumer protection statutes, prohibiting unfair or deceptive business practices.
• Laws supplementing G-L-B and HIPAA, which do not preempt more protective state laws that are not inconsistent.
State Laws – Medical Information Laws
• A number of states, including California and New Jersey, have adopted statutes specifically aimed at the protection of medical information.
• New law in New Jersey, signed into law on January 9, 2015 and becoming effective August 1, 2015.
• Applies to health insurance carriers, including health service corporations, hospital service corporations, and health maintenance organizations authorized to issue New Jersey health benefit plans.
• Bars such health insurance carriers from collecting a patient’s name linked with his or her Social Security number, driver’s license or other state identification number, address, and other identifiable health information unless this data is encrypted or otherwise unusable by an unauthorized third party.
• Law requires security measures to extend beyond a simple password and mandates that health insurance carriers implement safeguards that render the data unreadable, undecipherable, or otherwise unusable by someone who can bypass the password protection.
• Law applies to all end-user computers, such as desktops, laptops and mobile devices, and all data and information transmitted via public networks.
• The NJ bill signing came a little more than one year after Horizon Blue Cross Blue Shield suffered the theft of two laptops that contained varying amounts of personal data on more than 839,711 policyholders, including names, demographic information, addresses, birth dates, some Social Security numbers and certain medical information.
• Law is supplemental to HIPAA
State Laws – Record Disposal Laws
• Several states, including California, New Jersey, New York and Delaware, have enacted laws requiring proper disposal of tangible and intangible records containing personal information.
• New Delaware law, effective January 1, 2015
• Covers “commercial entities,” defined broadly, including non-profit entities
• Commercial entities must take all reasonable steps to destroy or arrange for the destruction of personal identifying information in their custody and control by shredding, erasing, or otherwise destroying or modifying it so that the information is entirely unreadable or indecipherable.
• Consumer who suffers actual damages may bring a civil action, and the court may award treble damages
• Authorizes administrative enforcement proceedings
• Exemption for entities subject to G-L-B, HIPAA, Fair Credit Reporting Act
State Laws Protecting Personal Information of Students
• Laws include enhanced privacy requirements for school districts that are relevant to education technology companies that provide services to school districts.
• Address student data privacy in a number of ways, including restricting with whom student data may be shared, restricting which data may be collected, requiring school districts to adopt data-retention and security standards, and requiring the publication of data collection indices that explain each element of student data that school districts collect.
State Laws Protecting Personal Information of Students
• Several new state laws also require specific provisions regarding student data privacy to be included in any contract between a school district and a third-party service provider.
• In Louisiana, agreements with contractors must include, among other matters, provisions for privacy and security audits by the district as well as data breach planning, notification, and remediation procedures.
• In California, such agreements must include, among other matters, procedures for parents and legal guardians to review and correct personally identifiable information held by the contractor.
State Laws Protecting Personal
Information of Students
• California’s Expanded Student Data Privacy Regime
• Student Online Personal Information Protection Act (SOPIPA) recently enacted in California and
taking effect on January 1, 2016, is not limited to services provided directly to schools.
• SOPIPA applies stringent privacy rules to any operator of websites, Internet services, or mobile
applications with actual knowledge that the services are used primarily for “K–12 school
purposes” and were designed and marketed for K–12 school purposes.
• SOPIPA prohibits, among other actions, using student data for targeted advertising on the
service; using any information collected, including persistent unique identifiers (such as
persistent cookies), for targeted advertising on any other site or service; and selling student data.
SOPIPA also imposes certain data security and deletion requirements on covered services.
• “K–12 school purposes” is defined as any purpose that customarily takes place at the direction of
a K–12 school, teacher, or school district or that aids in the administration of school activities.
• Accordingly, even if an online service is not provided directly to schools, if it is used by K–12
students or fills a traditional school function, it may be subject to the restrictions. Services
subject to SOPIPA may therefore include some social networks, collaboration tools, study aids
(such as flashcard apps or other mobile education apps), note-swapping services, and message
boards, among any other tools that a school might use or benefit from.
Some More State Laws
• Card transaction laws. Several states, including
California, New York and Massachusetts, have enacted
laws that limit the collection of personal information in
connection with payment card transactions.
• Social Security number laws governing the collection,
use, protection, disclosure and sale of Social Security
numbers.
Constantly Changing State Laws
• At least 23 states introduced or considered security
breach notification legislation in 2014. Most of the bills
provided for amendments to existing security breach laws.
• At least 11 states enacted some type of breach legislation
for businesses, educational institutions or government in
2014.
• Kentucky in 2014 became the 47th state to have a breach
law.
2015 Proposed Amendments to New York Law
• In mid-January 2015, New York’s attorney general proposed amendments to his state’s data security laws, which would:
• require companies to put into place certain strong technical and physical security measures to protect the data they hold,
• amend the state’s existing breach notification law to include within the definition of “private information” the combination of an email address and password, an email address in combination with a security question and answer, and medical data such as biometric information and health insurance information,
• create a safe harbor from liability for companies that adopt and attain certification that they have effectively implemented heightened security standards, and
• provide a shield for companies that share forensic reports with law enforcement officials by ensuring that the disclosure does not affect any privilege or protection.
New Federal Legislation?
• In remarks at the FTC on January 12, 2015, and in his State of the Union Address on January 20, 2015, President Obama called for the passage of the Personal Data Notification & Protection Act, which would:
• Create a single national standard for security breach notification
• Businesses would have 30 days to notify affected individuals of a security breach.
• Businesses would not need to notify affected individuals if “there is no reasonable risk of harm or fraud” to the affected individuals.
• Businesses would be required to notify individuals directly and provide media notification in any state with more than 5,000 affected individuals.
• Businesses must notify “an entity designated by the Department of Homeland Security” within 10 days of discovering the breach.
• Preemption of state security breach notification laws
New Federal Legislation?
• Proposed Personal Data Notification & Protection Act would:
• Encourage cyber threat information sharing within the private sector and between the private sector and the federal government
• President Obama’s proposal encourages the private sector to share “appropriate cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center” (“NCCIC”).
• The NCCIC would then share the cyber threat information with (1) appropriate federal agencies and (2) Information Sharing and Analysis Organizations (“ISAOs”), which are developed and operated by the private sector.
• Businesses that share the cyber threat information they acquire would be granted “targeted liability protection.”
• Enhance law enforcement’s ability to investigate and prosecute cyber crimes
New Federal Legislation?
• Tug of war?
• Financial industry trade groups are pushing for the Personal Data Notification and Protection Act because preemption of state data security breach notification laws would require (and enable) retailers and other businesses to meet a single national standard.
• Industry groups are also backing the Personal Data Notification and Protection Act because it will promote sharing of cyber threat information between the private and public sectors by reducing the threat of litigation.
• Some state Attorneys General and privacy advocates are against it because some state laws are more protective.
• President Obama also proposed a federal Student Digital Privacy Act modeled on California’s SOPIPA.
Related Contract Provisions for
Commercial Contracts
• More and more of the commercial contract is related to
the Customer’s data and the corresponding rights,
obligations and liabilities of the Vendor and Customer.
• What contract provisions are required?
• Depends on the particular facts and circumstances of the
relevant transaction, taking into account:
• What types of data will be accessed/processed/hosted?
• Consider the sensitivity – Personal Information? Protected Health Information (PHI)? Sensitive Personal Information? Business-sensitive information?
Data Definitions
• Data
• Not only the data as provided by Customer – also any data accessed by Vendor and any data resulting from Vendor’s performance of the services
• Will Vendor have data of Customer’s clients or other third parties?
• Personal Information (subset of Customer Data)
• Identifies a person (e.g., name, address)
• Authenticates a person (e.g., passwords, PINs)
• Subset: “sensitive personal information,” such as SSN, financial account numbers, other government-issued IDs
• Subset: protected health information (PHI) under HIPAA
• Vendor should provide protection of Customer’s data commensurate with the level of sensitivity of the data
• Confidential Information
• Include Customer Data in definition of Customer Confidential Information
• Personal Information as “exception to the exception” from the definition of Customer Confidential Information
Data Security Plan
• Maintenance of data security plan
• Meeting requirements of law
• Meeting requirements of Customer policy?
• Meeting requirements of Vendor policy?
• Meeting requirements of Industry standards? Data security
standards (such as ISO; ITIL; PCI DSS)?
• Enhancement over time to keep pace with the foregoing;
lessons learned; sensitivity of data
• Addressing, among other things:
• Physical security, commensurate with data sensitivity
• Logical/system security, to avoid compromise of confidentiality through
commingling
• How data is segregated
Data Security Plan
• Maintenance of data security plan
• Addressing, among other things:
• Access by authorized personnel only
• Regular monitoring of intrusion detection system and reporting
• Encryption (e.g., for transfers outside firewalls)
• Use of mobile devices and storage (e.g., laptops, tablets, USB drives, back-up tapes), including whether use is permitted
• Enhanced standards for Personal Information, including PHI
• Employee privacy and security training
• Notice of changes by Vendor – Customer consent required?
Response to Data Security Breach
• Required response to data security breach
• Response
• Report
• Remediation
• Notice required by law
• Credit monitoring required by law/policies
• Other requirements under law/policies
• Responsibility for costs, fines
Compliance
• Compliance
• Definition of “Laws”
• Definition of entities that issue “Laws”
• Build in new and modified laws
• Check your definition of privacy laws
Compliance
• Compliance
• Allocation of compliance and monitoring obligations between Parties
• Vendor Laws: Vendor must monitor and comply (at Vendor’s cost)
• Customer Laws: Customer must monitor; Vendor must comply (at whose cost?); Customer may issue “Compliance Directives” to Vendor
• Where to allocate specific privacy laws (e.g., HIPAA, G-L-B, EU Data Privacy Directives)?
• Remember certain specific laws – for example, contracts with third-party service providers that receive, store, maintain or process personal information of a MA resident are required to protect it as required by the MA Regulations.
• Language can be simple – e.g., that the vendor is required to comply with applicable Laws (and new or modified Laws), and that the MA Regulations are covered by the definition of “Laws”
• Right to audit the vendor’s compliance
• Requirement that the vendor return or destroy all personal information upon termination
• Requirement to provide prompt notification of breach
Compliance
• Compliance
• Compliance with Policies
• Vendor policies (including changes)
• Customer policies (including changes)
• Can they be aligned?
• Is it feasible for Vendor to adjust its policies on a customer-specific
basis?
• Can Customer be comfortable relying on Vendor’s policies?
• Mandatory change control – costs of changes –
potential for vendors to look to spread costs of major
change
• Timing for implementing change
• Responsibility for fines
Derivative Data, Access, Return and Destruction
• Vendor right to derivative data
• Aggregated and de-identified data.
• Does Customer have the right to give Vendor the right under applicable privacy policies, contracts, laws, etc.?
• Access and Return of data
• Access in response to customer requests (may be required by HIPAA and other laws)
• Access and preservation for discovery purposes
• Access to respond to requests by law enforcement or governmental authority
• In what format? Any need for conversion assistance?
• Destruction of data
• In accordance with the requirements of applicable laws, policies, contracts, etc.
Audit and Compliance Certifications
• Audit
• Vendor cooperation with audits, including with regulatory audits
• SSAE 16
• Audit of the design and/or effectiveness of Vendor’s controls; results in
audit report that Vendor may share with its customers.
• Can apply even if the data in Vendor’s possession does not affect
Customer’s internal control over financial reporting – choice of type
(SOC 1 vs. SOC 2).
• Quality/compliance certifications (e.g., ISO/IEC)
• Payment Card Industry (PCI) Compliance Report
Liability
• Limitations on Liability
• Contract will typically contain:
• Disclaimer of consequential and other indirect damages
• Direct damage cap
• Certain exceptions to the disclaimer and/or cap
• Key issue is how direct claims by Customer and Vendor
indemnification obligations for breaches of data security, confidentiality
and compliance obligations under the MSA are treated under the direct
damage cap and disclaimer of indirect damages.
• “Pre-defined” direct damages
• Costs of data breach remediation.
• Indemnified losses.
• Governmental fines and penalties
Indemnification
• Vendor defense and indemnification of Customer from and against third
party claims (including regulators or individuals whose data has been
disclosed), and associated liabilities and costs arising from:
• Breach by Vendor (or its subcontractors) of Vendor’s data security or
confidentiality obligations under the contract
• Indemnification obligations are typically a pure exception to the disclaimer
of consequential damages.
• Indemnification obligations for data security and compliance obligations
often challenged as pure exception to the direct damages cap.
Liability for data breach
• Let’s break it down – what are the major areas for damages exposure?
• investigating breaches
• remediating systems
• restoring data
• recreating data
• data breach notifications and remediation requirements with respect to the individual and regulators
Liability for data breach
• What we are seeing (and it is not consistent)
• Unlimited or enhanced liability if the supplier was in
breach of its obligations
• May depend on the type of data (is there a lot of PI or
PHI)
• May depend on the encryption or other solution
requirements
Liability for data breach
• Supplier is not “in breach” but
• Data is residing on the supplier’s systems or under the supplier’s control
• Should the customer have to prove a breach for supplier to be liable?
• Where it gets contentious
• Maybe differentiate by type of damage:
• investigating breaches
• remediating systems
• restoring data
• recreating data
• data breach notifications and remediation requirements with respect to the individual and regulators
Additional Key Topics
• Service locations and subcontracting
• Where is the data? Customer’s locations, Vendor’s locations,
Subcontractor locations, DR/BCP sites, “Cloud” locations – where are
the servers, both for data storage and processing?
• Who has the data and are they subject to the same contract
requirements?
• Contract flow-down requirements in subcontracts
• Background check requirements
• Governing law vs. laws that apply due to data type/source/location
• Considerations for companies that provide services directly to schools
based on applicable State laws
For more information
Visit our blog: Sourcing@MorganLewis
Sourcing@MorganLewis updates lawyers and sourcing professionals on the latest developments and trends affecting outsourcing, technology, and other commercial transactions.
Recent topics:
• Usage Rights in Software License Agreements
• 2015’s Outsourcing Trends to Watch
• New Jersey Law to Impose Encryption Obligations on Health Insurance Carriers
• Microsoft Challenges U.S. Government on Warrant for Data Stored Overseas
http://blogs.morganlewis.com/sourcingatmorganlewis/