The international explosion of data privacy and security regulations now affects almost all IT and software companies and the clients they serve, from the GDPR in Europe, to United States federal requirements under HIPAA, GLBA, and CMMC, to the ever-expanding litany of states passing laws patterned after California's CCPA.
As a result, cybersecurity provisions have become a vital element of data processing agreements and master services agreements. For businesses that utilize third-party vendors to manage data, the cybersecurity provisions of data privacy agreements are critical for providing assurance that controls will be comprehensive and compliant.
The challenge in complying with these laws is that service providers rarely know where their customers do business. They have to assume their customers operate in every state, so that the data processing terms in their customer contracts comply with all of these state laws.
Summary of the most recent state laws
The Utah Consumer Privacy Act (UCPA), for instance, which went into effect on December 31, 2023, largely draws its language from the privacy acts of states such as California, Colorado, and Virginia. However, only businesses earning $25M or more in annual revenue are subject to the UCPA, and even then only if they either "control or process the data of 100,000 or more Utah consumers annually" or derive over 50% of their revenue from the sale of personal data while controlling or processing "the personal data of 25,000 or more Utah consumers."
Additionally, the Texas Data Privacy and Security Act (TDPSA) is reported to be more "business-friendly" than the laws passed in California and Colorado. Because the TDPSA has no data-volume or revenue threshold like the UCPA's, it is expected to "apply broadly and impact a significant percentage of companies doing business in the state." The TDPSA is also "unique among state privacy laws in prohibiting otherwise-exempt small businesses from selling sensitive personal data without consent."
The TDPSA goes into effect on July 1, 2024, as does Oregon's new comprehensive data privacy law. While similar to the laws passed by Utah, Colorado, and Virginia, it "applies to any business…[doing] business in Oregon and controls or processes the personal data of at least 100,000 Oregon residents or at least 25,000 Oregon residents while deriving at least 25% of its revenue from the sale of personal data." It does not, however, "apply to employment or B2B data."
Understand your requirements under the law
Data privacy is an emerging area that legislators and regulators are still working to address. Yet several regulations already exist that impose responsibilities and requirements on certain businesses.
The EU's GDPR, in force since 2018, includes several security provisions: Article 32 calls for technical measures such as encryption where appropriate, Article 33 requires notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and Articles 37 through 39 require certain organizations to appoint a data protection officer responsible for monitoring compliance. The GDPR applies to the personal data of individuals in the EU regardless of where the processing company is located, which means US-based companies may be subject to its requirements.
Similarly, the CCPA contains cybersecurity provisions that companies doing business in California must comply with when handling state residents' data. The CCPA requires "reasonable security procedures and practices," which are generally understood to include steps such as encryption, multi-factor authentication, and employee training. Many other states, including Virginia, Colorado, and Connecticut, have comprehensive consumer privacy statutes patterned after California's, and New York's SHIELD Act imposes its own reasonable-safeguards requirement on businesses holding New York residents' private information.
One of the biggest mistakes companies make in this area is assuming that a privacy agreement, together with a detailed explanation of security measures, is not required for their operations. While no single law applies in every jurisdiction, the laws that do apply, such as the GDPR, can have far-reaching compliance implications. A solid agreement helps insulate both service providers and regulated entities from liability and gives consumers the information they need to weigh risks.
Assess vendor risk
Outsourcing data management has become common in the business world, especially as the volume of data companies collect has grown exponentially. Data management companies may in turn outsource certain data management functions to their own subcontractors. To ensure the highest level of transparency, data privacy agreements should include detailed and up-to-date explanations of every party involved in data management and the security controls each employs.
The ideal service provider contract fully discloses all vendors and subcontractors used on the client's behalf, with links to each vendor's terms and conditions and its data privacy and management policies. The contract should also carry a waiver stipulating that, under all circumstances, the client understands its sole remedy for any injury resulting from an act or omission of a third-party service provider is to pursue that third party, and that any right to bring a claim against the provider for the third party's conduct is waived. Note that where the GDPR applies, Article 28(4) keeps the processor fully liable to the controller for a sub-processor's failures, so such a waiver may not be enforceable for EU personal data.
Have a breach incident response plan
The cybersecurity provisions of a data privacy agreement will generally address the steps being taken to prevent an incident. However, in today's threat landscape, incidents should be treated as inevitable. Consequently, businesses must ensure agreements also spell out the steps to be taken when an incident occurs.
Providing a detailed breach incident response plan is an important element of a data privacy agreement. The GDPR requires controllers to notify the supervisory authority within 72 hours of becoming aware of a breach and, where the risk to individuals is high, to notify the affected individuals as well. California's data breach notification statute (Cal. Civ. Code § 1798.82), which predates the CCPA, requires that affected California residents be notified and, when more than 500 residents are notified as a result of a single breach, that a sample copy of the notice be submitted to the California Attorney General. A breach incident response plan can lay out the steps for responding to a breach in a way that meets these deadlines and minimizes impact.
A response plan should designate an incident manager who will oversee the company's actions in the aftermath of a breach. Steps immediately following a breach should include engaging experienced counsel and, through counsel, forensic investigators (so that the investigation's work product is protected by privilege where possible), preserving logs and affected systems for analysis, and deciding whether to involve law enforcement. Companies that lack the internal skills to manage a breach response should retain a competent third party to do so, and that retainer should be in place before the incident, not negotiated during it.
Utilize cyber liability insurance
To ensure the highest level of protection in the event of a security incident, B2B companies should require all of their vendors and partners to carry cyber liability insurance. Data privacy agreements can confirm the existence of coverage, state the required limits, and provide links to explanations of the protections it provides; a certificate of insurance is the usual way to verify that the policy is actually in force. Ideally, the policy will cover mishaps at every phase of the data management process so that those affected by incidents can be made whole.
The prevalence of cyberattacks is on the rise: industry estimates put ransomware attacks on businesses at one every 40 seconds in 2016 and one every 11 seconds in 2021.
Any company that collects data from another business must acknowledge the growing risk and protect its data — and its reputation — by ensuring that effective controls are in place. Data privacy agreements and the cybersecurity provisions they outline are critical components of those controls.
Robert Scott is Chief Innovator at Monjur, a cloud-enabled, AI-powered legal services platform that lets law firms offer long-term recurring-revenue services and unlock the potential of their legal templates and other firm IP, redefining legal services in managed services and cloud law. Recognized as Technology Lawyer of the Year, he has led strategic IT matters for major corporations, specializing in cloud transactions, data privacy, and cybersecurity. He holds an AV Rating from Martindale-Hubbell, is licensed in Texas, and actively contributes through the MSP Zone podcast and industry conferences. The Monjur platform was recently voted Best New Solution by ChannelPro SMB Forum. As a trusted advisor, Robert Scott navigates the evolving technology law landscape, delivering insights and expertise.
Copyright © 2024 California Business Journal. All Rights Reserved.