Page 1

Contract Drafting and Management: Developing Provisions to Mitigate Security, Compliance, and Technology Risks

THURSDAY, JUNE 25, 2020

Presenting a live 90-minute webinar with interactive Q&A

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

Monique N. Bhargava, Partner, Loeb & Loeb, Chicago

Kari S. Larsen, Partner, Perkins Coie, New York

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.

Page 2

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.

If the sound quality is not satisfactory, you may listen via the phone: dial 1-877-447-0294 and enter your Conference ID and PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the ‘Full Screen’ symbol located on the bottom right of the slides. To exit full screen, press the Esc button.

FOR LIVE EVENT ONLY

Page 3

Continuing Education Credits

In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar.

A link to the Attendance Affirmation/Evaluation will be in the thank you email that you will receive immediately following the program.

For additional information about continuing education, call us at 1-800-926-7926 ext. 2.

Page 4

Program Materials

If you have not printed the conference materials for this program, please complete the following steps:

• Click on the link to the PDF of the slides for today’s program, which is located to the right of the slides, just above the Q&A box.

• The PDF will open a separate tab/window. Print the slides by clicking on the printer icon.

Page 5

Legal and Regulatory Framework

• CCPA and other state privacy / security laws

• Gramm-Leach-Bliley (“GLB”) and other financial privacy regulations

• Health Insurance Portability and Accountability Act (HIPAA) and state health information regulations

• Biometric information privacy laws

• Federal Trade Commission Act

• Fair Credit Reporting Act (“FCRA”) and Fair and Accurate Credit Transactions Act (“FACTA”)

• Cross Border law (“GDPR”)

• Education sector laws

• Minor data privacy protections

Page 6

Where Do We Start?

• Data mapping
  • Defining data collected
  • Identifying sources of data
  • Assessing how data is used
  • Assessing how data is shared

• Vendor assessment and contracts

• Security assessment and testing

• Data incident response plan

Page 7

Define the Data – What’s Personal?

Traditionally, in U.S. law, Personally Identifiable Information (PII) was defined as information that can be used alone, or in conjunction with other information, to identify a specific person, including:

• Basic Contact Information
  • e.g., First and Last Name, Phone Number, Email Address, Mailing Address, etc.

• Retail Delivery Report

• Non-public Personally Identifiable Information (GLBA), which is any information:
  • (1) that a consumer provides to obtain a financial product or service (e.g., name, address, income, Social Security number, etc.);
  • (2) that results from a consumer transaction (e.g., account numbers, payment history, loan or deposit balances, and credit or debit card purchases), or
  • (3) that is otherwise obtained in connection with providing a financial product or service (e.g., information from court records or a consumer report).

Page 8

The Definition of What’s “Personal” is Expanding

• California Consumer Privacy Act (CCPA):
  • “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

• General Data Protection Regulation (GDPR):
  • “Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly.

Examples of expanded categories shown in the slide graphic: Unique Device ID, Persistent Identifiers, Employment and Education Data, Precise Location Data, Biometrics, Sensory Data, Audio Recordings.

Page 9

Define the Relationship

Where does the data originate from?

• From client, vendor, or third party

Who owns the data?

• Joint Control
• Client owned
• Vendor owned
• Third party owned

Who is storing and transmitting data?

Page 10

Common Contractual Issues

• Data use
• Data sharing
• Network access
• Security protocols
• Cross-border transfer
• Liability for security incidents

Page 11

Define the Legal Obligations

California
• Specific required language for Service Providers
• Restrictions on use and sale
• Certification of understanding
• Reasonable security protocols

NY SHIELD Act
• Requires security safeguards to be specified by contract

General Data Protection Regulation
• Specific data processing provisions required
• Cross-border transfers may require standard contractual clauses

Page 12

California Consumer Privacy Act
Service Providers versus Third Parties – Important Distinction

• Service Providers are:
  • Hired to perform services
  • Handle personal information to perform services
  • Sign a contract with CCPA required provisions

• Third parties are everyone who is not:
  • The business, or
  • A Service Provider limited by contract from using or disclosing personal information for any purpose beyond the defined scope of service

• If there is no CCPA compliant contract, a Service Provider could be treated as a Third Party

Page 13

NY SHIELD Act

• Expands the definition of “Private Information” to include biometric information and username/email address in combination with a password or security questions and answers. It also includes an account number or credit/debit card number, even without a security code, access code, or password, if the account could be accessed without such information.

• Expands the territorial application of the breach notification requirement to any person or business that owns or licenses private information of a New York resident.

• Imposes data security requirements that require companies to adopt reasonable safeguards to protect the security, confidentiality, and integrity of private information. This includes implementing a data security program containing specific measures, including risk assessments, employee training, vendor contracts, and timely data disposal.

Page 14

General Data Protection Regulation (GDPR)

• What is the GDPR?
  • Data protection law for persons located in the EU (it is not limited to EU residents)
  • Applies to a US-based company when it is processing personal data of a person LOCATED in the EU

• Vendor contracts required
  • Article 28 requirements

Page 15

What is the Proper Allocation of Risk?

Client wants to be indemnified for:
• Violation of laws
• Security breach incidents
• Failure to comply with obligations
• Third-party services/data/tools
• Materials and claims supplied by Agency

Vendor wants to limit indemnification to:
• Intentional acts, gross negligence, or wilful misconduct
• Material failure to maintain the described security protocols
• Pass-through indemnification to the extent received

Vendor wants to be indemnified for:
• Violation of laws
• Improper provision of data
• Failure to comply with obligations
• Third-party services/data/tools
• Risks client has opted to take
• Client supplied information
• Client modifications/scope of use

Client wants to limit indemnification to:
• Intentional acts, gross negligence, or wilful misconduct

Page 16

What Are the Types of Damages?

• “Direct”
  • Damages which, in the ordinary course of human experience, can be expected to naturally and necessarily result from a breach
  • These damages are presumed to have been foreseen or contemplated by the parties as consequences of a breach

• “Consequential” or “Special” Damages
  • Damages that arise out of special circumstances, not ordinarily predictable
  • May not be obvious to one of the parties in advance without communication of the other party’s special circumstances

• “Incidental”
  • Expenses or commissions in connection with effecting cover and any other reasonable expense incident to the delay or breach

Page 17

Common Exclusions

• Exclude consequential, incidental, and indirect damages

• Exclude lost profits/revenue and/or reputational harm
  • Do not assume that these are consequential damages

• Carve-outs to exclusions
  • Indemnification
  • Confidentiality
  • Data Breach/Privacy

• Consider liability in the context of insurance limits

Page 18

Unenforceable Exclusions

• All damages, particularly in sales contracts
  • Whitesell Corp. v. Whirlpool Corp., 2012 WL 3631491 (6th Cir. Aug. 23, 2012)
  • Agreement clause precluded recovery of damages arising from “any performance or breach,” which effectively barred all damages and deprived the plaintiff of any adequate remedy
  • Court found the clause to be contrary to contract law requiring that sales contracts must provide at least minimum adequate remedies

• Gross negligence

• Willful misconduct or intentional wrongdoing

Page 19

Lost Profits

• Courts have held that “lost profits” can be either direct or consequential damages

• The important question is whether the lost profits would follow naturally and necessarily from a breach of the contract
  • Direct lost profits → generated from an agreement between the contracting parties
  • Consequential lost profits → generally dependent upon an agreement with a nonparty

• Thus, lost profits should be a separate category from consequential damages

Page 20

Ways to Limit Liability Outside the Limitation of Liability Provision

Provisions shown in the slide graphic:
• Indemnification
• Representations and Warranties
• Termination
• Obligations/Services description

Page 21

Thank You

Monique (Nikki) Bhargava
Partner, Advanced Media & Technology
Loeb & Loeb LLP
[email protected]
312-464-3358

Page 22

© 2019 Perkins Coie LLP

KEY CONTRACT TERMS TO CONSIDER

Risk Mitigation Strategies

Payment Terms: Address circumstances where broader economic challenges could affect strict compliance with payment terms, such as providing limited extensions and waiver of late fees.

Acceptance of Goods, Risk of Loss, Transfer of Title: What happens if the opportunity for physical inspection or the potential for accepting delivery is impaired?

Alternative Dispute Resolution: If courts are closed, the parties can provide a clear process for resolving disputes remotely between themselves.

Page 23

KEY CONTRACT TERMS TO CONSIDER

Risk Mitigation Strategies

Limitations of Liability, Liability Caps, Liquidated Damages: Address worst-case liability as between the parties to the agreement in advance.

Suspension: Adopt clear parameters for when parties can suspend performance, the duration of the suspension, and when it will expire.

Milestones: Address how the parties can agree to defer milestones and when they can return to the regular milestone schedule.

Delivery Terms: Adopt flexible delivery windows or non-binding delivery estimates, an agreed process for substituting goods and services, and a procedure to permit prioritizing orders and/or reassigning personnel among customers.

Page 24

KEY CONTRACT TERMS TO CONSIDER

Risk Mitigation Strategies

Disclaimers: Adopt special disclaimers for addressing potential technology issues, force majeure, or the duration of a health crisis, to render performance “as is/with all faults” or to address alternate performance possibilities.

Termination for Cause: Adopt more flexible opportunities to cure alleged breaches during health or technology crises if the ability to cure is impaired but not infeasible. If infeasible, then flexibility is inapplicable.

Health and Safety: Adopt agreed safety practices for personnel performing services, require the other party's personnel visiting premises to comply with health and safety policies, permit removal for non-compliance or evidence of symptoms, and cooperate with contact tracing.

Page 25

KEY CONTRACT TERMS TO CONSIDER

Risk Mitigation Strategies

Service Levels: As a service provider, mitigate risk by providing credits as the sole remedy for service level failures attributable to the pandemic (e.g., network congestion, if applicable). As a customer, consider bonuses or penalties for not meeting service levels, and be specific about excuses for non-performance.

Governing Law: Consider tying material changes in law to an alternative dispute resolution process where the parties can mutually agree to amend or terminate due to, for example, pandemic-related changes in law affecting performance.

Business Continuity Plan: Require (adopt) a plan to address reductions in force, supply chain disruptions, and macro adverse changes to the relevant market, along with notice requirements when invoked.

Page 26

KEY CONTRACT TERMS TO CONSIDER

Risk Mitigation Strategies

Confidentiality and Reporting Obligations: Adopt a duty for one or both parties to provide status reports on whether circumstances (e.g., a pandemic) are affecting performance. Detail how and whether challenges should be disclosed to the public. Consider technology solutions for compliance obligations.

Representations and Warranties: Consider whether standard reps and warranties may be affected. For example, a party committing to perform services on-site should consider the impact that closing borders could have on a rep that the party has obtained all authorizations and permits required to provide the services.

Insurance: Review insurance policies and work with insurance counsel to ensure adequate coverage, and specify the expected coverages of the other party for breaches, unforeseen circumstances, pandemic, etc.

Page 27

PRACTICAL CONSIDERATIONS

Remote Work – Risk Mitigation

• Remote working will almost certainly become a permanent fixture of modern life for many.

• Companies must adjust to this new reality by adjusting how compliance programs are managed, including how incidents are reported, investigated, and resolved.

• Companies will need to maintain their culture of compliance by preserving open communication with their employees, and by messaging from the top that compliance remains a top priority.

• There are some practical things companies can do to ensure their compliance programs and procedures remain effective when employees work from home.

Page 28

REPORTING

Remote Work – Risk Mitigation

• Remote working has the strong potential to tamp down informal reporting of potential compliance issues—the sort of issues that are discovered around the “water cooler,” as opposed to through a formal report.

• Now is also the time to make sure compliance reporting systems—particularly those systems that operate by phone or email—are up and running, and to remind employees that those systems are available even when they are working from home. While many employees now prefer the internet over telephones to report ethics concerns, data shows that a substantial segment of the population still logs cases by phone. If an employee calls and is not able to get through, they may feel discouraged and not end up reporting the issue at all.

• As the “social distance” between employees—and, in particular, recent hires—becomes greater, maintaining social norms of “if you see something, say something” becomes more difficult, but not impossible. The clearest solution is to insist that the lines of communication between managers and subordinates remain open. Encourage managers to periodically check in with their subordinates more often than they would in person. Find creative ways to instill these norms in new employees, like requesting existing employees to help “mentor” new employees on how to conduct business ethically, or including compliance and ethics subjects in existing mentorship programs. Innovative technology solutions can assist with surveillance and supervision.

Page 29

HANDLING OF COMPANY INFORMATION

Remote Work – Risk Mitigation

• Make sure to have a documented policy that requires employees to use firm approved systems and applications to conduct business for the company. Chances are most businesses already have one—but just in case, consider these recommended measures, and make sure to issue reminders of the policy periodically.

• Install and maintain authentication requirements to secure access to company information and systems.

• Define minimum expectations for the use and protection of company information (the “need to know” principle carries beyond the office).

• Subject to the duration of the telework, consider automatic reminders when accessing company systems or networks that require consent before use. Include this in any overall compliance training designed to address minimum expectations for teleworking.

• Consider defining a process for hard copy records (what's allowed, what's not, what must be submitted, what can be destroyed, etc.), together with recordkeeping, confidentiality and data privacy requirements.

• When issuing litigation or investigation holds, remind employees to also look in their home office and on any personal device on which they may have stored company documents.

Page 30

Technology Can Provide Transparency and Trust

• IoT devices will be automating data collection in a “trustless” environment.

• AI will be processing data, including personal data, between different systems.

• Existing privacy policy/notice regimes are likely unsuited for disparate collection and processing, and must be assessed and updated.

Page 31

Trust in a Trustless Environment

• Blockchains create transparent, immutable records.

• Digital ledger technology has the capability to create trust amongst disparate IoT network stakeholders, and may be a solution for certain recordkeeping and reporting obligations.

• Blockchain offers a new “trust framework” with the potential ability to preserve privacy.

Page 32

Other Technology Solutions

• Cloud computing can help meet IT needs and may have IT performance, innovation, cybersecurity, and cost savings benefits. Parties may have to consider regulatory compliance issues, following or revising compliance policies and BCDR requirements.

• We are increasingly seeing cloud-based AI cybersecurity tools. Users must assess whether cyber tools are consistent with any legal, regulatory and compliance obligations and are understood by applicable regulators.

• Remote training, supervision/surveillance and auditing technologies.

Page 33

QUESTIONS?

Page 34

KARI S. LARSEN
PARTNER
PERKINS COIE, LLP
1155 AVENUE OF THE AMERICAS, 22ND FLOOR
NEW YORK, NY 10036-2711
D. +1.212.261.6866
E. [email protected]
W. WWW.PERKINSCOIE.COM