Drafting Effective Data Privacy and Security Provisions for Service Provider Agreements

11.19.2014

As the financial and reputational risks associated with a data security breach have grown in recent years, it has become more important for insurers, administrators, broker-dealers, agencies and other companies to include strong and effective controls on data privacy and security in the contracts they execute with service providers.

Moreover, state and federal rules implementing the standards for safeguarding customer information established under the Gramm-Leach-Bliley Act (“GLBA”) provide that insurance licensees, broker-dealers and other financial institutions must require their service providers to implement “appropriate measures” to protect the security of customer information. The GLBA standards, which apply across all lines of insurance business, do not state specifically what appropriate measures regulated entities must take.

In addition, federal rules implementing the Health Insurance Portability and Accountability Act (the “HIPAA Rules”) require health insurers and other covered entities to hold their service providers to certain specific contractual standards for data privacy and security. These standards are reflected in the business associate agreement covered entities and business associates are required to execute.

This article reviews some of the key provisions governing data privacy and security that should be included in any service provider agreement and offers recommendations for ensuring that these provisions establish appropriate controls. It does not cover all of the provisions required under a HIPAA business associate agreement but does note certain areas where contracting parties may want to build in greater protections than those mandated by the HIPAA Rules.

Restrictions on Use and Disclosure
Defining the permissible uses and disclosures of personal information handled by a service provider is, of course, central to protecting the confidentiality of such information. For many contracts, a statement that the provider may use and disclose personal information only as necessary to perform the agreed-upon services is sufficient for this purpose. Where a service agreement encompasses a narrow, clearly defined set of services, however, it may be possible to state the permissible uses and disclosures of personal information with specificity. Defining permissible uses and disclosures with specificity provides greater protection to the disclosing party.

For its part, outside of the business associate context, the service provider may want the contract to state explicitly that disclosure is permitted for certain additional purposes—for example, as required by legal process or otherwise required by law. The disclosing party may want to include the right to seek a protective order or other appropriate remedy before any disclosure required by law is made and the right to receive reasonable cooperation from the service provider in pursuing such a remedy.

The service provider also may want to reserve the right to use and disclose personal information for activities reasonably necessary to its own operations such as security audits and to prepare for and defend itself in actual or anticipated legal proceedings. In addition, the service provider may want to seek the right to de-identify personal information and allow free use of information that has been de-identified.

Data Security
It is common for service provider agreements to state data security requirements in general terms—for example, by requiring the provider to protect the data under a reasonable security program that is in accordance with industry standards and complies with applicable law. Such a provision should specify that the provider must maintain reasonable and compliant administrative, technical and physical safeguards to protect against unauthorized destruction, loss or alteration of the data as well as unauthorized use or disclosure of, or access to, the data.

It is important that data security standards be stated in a way that requires the service provider to maintain reasonable protections as risks change and technologies evolve. In some cases, however, it may be appropriate to establish specific security measures for a particular relationship. Such measures are best developed in consultation with security experts and are beyond the scope of this article. In some cases, specific standards may be mandated by a third party—for example, companies that outsource their payment card processing operations to a service provider must ensure that the provider complies with the Payment Card Industry Data Security Standard (PCI DSS).

Data Breach Notification and Response
The service agreement should state with specificity the types of security incidents that require the service provider to notify the principal. The agreement also should state how soon after discovery of an incident notice must be given and the information that should be included in the notice, such as the nature of the incident, the personal information involved, the individuals affected, the date on which the incident occurred, the date on which the incident was discovered, and what steps the service provider has taken in response.

The laws of many states require a service provider that maintains personal information on behalf of another party to notify the principal of any security breach. Similarly, the HIPAA Rules require business associates to provide notice of security incidents and breaches to the covered entity or upstream business associate, as the case may be. But the duty to provide notice under these laws is limited to particular circumstances and particular types of personal information. For example, many state laws require notice only when a breach involves computerized data, and then only when certain types of data are involved, such as a Social Security number, a driver’s license or other ID number, or an account number coupled with an access code. An effective security breach provision should require notice from the service provider under a sufficiently broad range of circumstances that the principal is made aware of significant security incidents and can evaluate for itself whether the incident rises to the level where notification of individuals, law enforcement authorities or regulators is required by law or advisable for other reasons.

To offer another example, under the HIPAA Rules whether a “breach” has occurred requiring a business associate to give notice to its covered entity or upstream business associate is, at least in part, a subjective determination. The covered entity or upstream business associate may want to define the circumstances triggering notice under the service contract more specifically so that it can decide for itself whether a breach has occurred.

The service agreement also should require the service provider to collect and preserve evidence concerning any breach, including documentation of the response to the incident and the actions taken to mitigate the breach, and to cooperate in the investigation of and response to any breach. In addition, the agreement should require the service provider to indemnify the principal for liabilities and costs arising in connection with the breach, including legal fees and expenses associated with investigating and mitigating the breach; providing notice to affected individuals, law enforcement agencies and regulators; providing credit monitoring services; staffing call centers to answer customer inquiries; and responding to government investigations.

Audit Rights
The service agreement should give the principal the right to audit the service provider’s security program and its compliance with applicable privacy and security laws. Service providers may want to place certain reasonable limitations on audit rights—for example, the agreement might specify that the principal may audit no more frequently than once annually, except after a reportable security incident or where there is other reasonable cause to believe the service provider is not maintaining reasonable security controls or complying with law.

Return or Destruction of Information Following Termination
HIPAA business associate agreements must require the business associate to return or destroy all protected health information if feasible and, if this is not feasible, to continue to protect the information and limit further uses and disclosures to the purposes that make return or destruction infeasible.

Service provider agreements for non-HIPAA business should contain a similar provision. Regardless of whether the business is HIPAA or non-HIPAA, the principal may want to define with some specificity the circumstances under which the service provider may retain a copy of personal information following termination, rather than allowing retention under the rather vague standard of infeasibility. The principal also may want to state that it decides whether the service provider returns or destroys the data and to specify that whatever action is taken will be at the service provider’s expense.

Other Issues
Service providers often seek to limit their liability, usually to a multiple of annual fees, and with a waiver of liability for incidental or consequential damages. Given the financial risk associated with a breach of personal information, principals will want to carve out liability arising from a data breach from any agreed-upon limitation of liability.

Insurance for data breach risks has become widely available in recent years. Principals may want to require their service providers to maintain such insurance. Because the coverage available under such policies can vary considerably, the service provider agreement should specify the required coverage and appropriate limits.