Risk Mitigation

Closeup photo of two people shaking hands

Data Controller/Data Processor Contracts #3:
Indemnification

January 15, 2024
Posted in

There may be no more confusing and misunderstood area of controller-processor contracts than insurance and indemnification. Controllers often expect processors to accept liability, while ignoring the quality (or existence) of processors’ underlying insurance coverage. Processors, on the other hand, often buy insurance products that provide minimal or no protection to meet those controller expectations. This…

Read More
A closeup image of a person's hands holding a pen and signing a document. A lock icon floats in the foreground.

Data Controller/Data Processor Contracts #2:
Regulatory Alignment

August 17, 2023
Posted in

This is the second blog in an ongoing series examining the often-overlooked nuances of data controller/data processor contracts. Regulatory alignment is one of the primary reasons regulations require contracts between data controllers and data processors. And, yet, despite its primacy, many contracts make the mistake of establishing this linkage with an overly simplistic clause stating…

Read More
A closeup image of a person holding a pen and preparing to sign a document

Data Controller/Data Processor Contracts #1:
Applicability

July 17, 2023
Posted in

This blog explains why and when organizations should require contracts with service providers that have access to customer or employee personal information. One of the most underappreciated aspects of data controller/data processors contracts is when they are needed. This results from either 1) a lack of awareness of their necessity, or 2) the failure to…

Read More
Yellow background with the silhouette of someone blowing a whistle.

How to Mitigate the ITAD Whistleblower Challenge

April 16, 2023
Posted in

A series of recent Security and Exchange Commission (SEC) announcements point to the increasing risk of whistleblowers stemming from improper IT asset disposal (ITAD) practices. First, over the past year, the SEC has issued a number of statements and proposals indicating its intentions to hold organizations (and boards) under its jurisdiction accountable for cybersecurity. At…

Read More