Contractually Defining Information Custody Transfers
- Information custody transfers are far more ubiquitous and riskier than most organizations appreciate.
- From a legal and regulatory perspective, “access to” equals “custody of.”
- There are specific elements and contractual assurances upon which all organizations should insist when transferring personal or proprietary information.
- Failure to obtain the appropriate assurances from any vendor accessing proprietary information undermines the ability to defend intellectual property rights in court.
- Recognizing and responding to information custody transfers is one of the most neglected areas of information management.
Due to the proliferation of data protection and privacy regulations, as well as the steady stream of data security breach headlines, the topic of information custody transfers is commonly thought of in the context of personal information.
The fact is, however, every organization transfers custody of both personal and proprietary information on a daily basis.
“Regulated” Information Custody Transfers
Regulated information custody transfers (RICTs) occur every time an organization (the data controller) gives a service provider (the data processor) access to personal information for safekeeping or processing. They are inevitable, since all data controllers routinely rely on any number of data processors to conduct business. Because of this inevitability, all data and privacy protection regulations impose a regulatory expectation on data controllers to demonstrate due diligence in the selection of data processors and to execute a data processor contract.
Among the data processors that are subject to such selection due diligence and contracts are:
- IT managed service providers (MSP)
- Background screening firms and credit reporting agencies
- HR, payroll, billing, and collections services
- Data back-up, records storage, imaging, and data destruction services
- IT asset disposal and computer recycling companies
- Trucking firms, couriers, or parcel delivery services
- Website hosts and fulfillment firms
Far and away, the most common problem associated with regulated transfers is the failure of the data controller and/or the data processor to acknowledge the regulatory nature of the relationship.
For instance, most organizations fail to recognize their regulatory obligations regarding the selection and contracting of MSPs. At the same time, many MSPs fail to understand or openly resist their regulatory standing due to ignorance of the regulatory concept and/or the mistaken idea that the regulations do not apply to their services.
The fact is that any third-party service provider who will be given possession of or access to personal information by a data controller is technically considered by regulators to be a data processor, and the data controller, therefore, has a regulatory obligation to treat them as such.
While the RICTs referenced above are largely local or regional, they can also be international. The cross-border transfer of regulated information is more complex, insofar as the protections afforded the citizens of one region may not be enforced in another. As a result, considerable due diligence and additional contract language are needed; these will be discussed in a forthcoming blog dedicated solely to the topic of International Information Custody Transfers.
“Collaborative” Information Custody Transfers
While RICTs involve the exchange of or access to personal information, collaborative information custody transfers (CICTs) refer to the exchange or sharing of proprietary information with service providers.
While there are no regulatory requirements related to the protection of proprietary information, when an organization fails to take reasonable steps to safeguard it, that organization risks losing the ability to defend its intellectual property ownership rights in court. The many precedents for this are based on the principle that a company cannot rely on the court to defend intellectual property if it is not itself protecting it. Stated more succinctly, for the court to recognize intellectual property, the owner must show they were treating it like intellectual property.
Consider these everyday scenarios in which proprietary information is shared with service providers.
- ABC Manufacturing has designed a major packaging innovation for one of its products. To implement the innovation, it shares it with the vendor making its boxes. The box company immediately sees that this packaging innovation may be able to attract new customers, some of which compete with the manufacturer that brought them the idea in the first place.
- ABC Manufacturing uses two national long-haul trucking companies to deliver all its products. Both trucking companies, therefore, have information on the amount of product shipped and which customers purchased it, both of which would be very valuable to ABC’s competitors.
- The cleaning service hired by ABC Manufacturing to tidy up the offices in the evening has access to the cluttered desks, wastebaskets, secure shredding consoles and stored records.
If ABC is like most companies, the contracts with these vendors do not stipulate an obligation to hold ABC’s information in strict confidence. Equally important, it is even more unlikely that ABC’s contracts require these vendors to screen and train their employees or to have written agreements with those employees specifying their data protection requirements. And it is equally doubtful that ABC requires vendors like the trucking companies or the box manufacturer to provide information on their IT network security, information management and disposition practices.
As an example of how neglecting these issues can be problematic, several years ago a major manufacturer, which was itself spending thousands of dollars per year to securely destroy proprietary information, discovered that many of its local tooling companies and equipment suppliers were casually putting that same information in their dumpsters. Prior to this discovery, the manufacturer had nothing in its vendor contracts or purchase orders that addressed information security, access control and secure destruction. Not only did this make the manufacturer’s trade secrets easily accessible to competitors; had there been a serious challenge to that manufacturer’s intellectual property rights, this lapse in ensuring such vendors had agreed in writing to protect the information would have undermined its right to claim intellectual property protections.
Though the motivation for contractually defining RICTs and CICTs differs, both call for the same two structural elements: demonstrated selection due diligence and appropriately constructed contracts.
Demonstrated Selection Due Diligence
While data controllers dealing with regulated personal information are aware of the need to have some form of due diligence in hiring data processors, many do too little, many fail to properly categorize them, and many would be unable to point to a written process by which such due diligence was exercised.
The situation is very different for organizations hiring service providers in the non-regulated environment. The fact is that when hiring suppliers, subcontractors, trucking companies, and, yes, even cleaning services, the organization does little if any due diligence related to the service providers’ sensitivity or preparedness for information protection, such as criminal screening, training, written employee agreements, etc.
This is a mistake. All service providers have the potential to access proprietary information at some point and their information protection posture must be verified and, if necessary, augmented.
Appropriately Constructed Contracts
All relationships between an organization and its vendors warrant a contract that stipulates appropriate security be exercised in the care of information.
On occasion, such an organization may deliberately default to the service provider’s terms and conditions (T&Cs). This is a legitimate option provided such T&Cs include the appropriate information protection provisions and regulatory linkages. Only then will they be deemed sufficient from a compliance perspective and/or to establish that a firm’s intellectual property merits the court’s protection.
Whether defaulting to T&Cs or creating a specific contract, however, here is a list of provisions organizations should mandate:
- A recital stipulating the service provider’s understanding it will receive regulated and/or proprietary information and the inherent fiduciary responsibility to protect the same.
- A definition of the point at which possession of or access to regulated and/or proprietary information takes place, and the obligations that attach to such transfers.
- Specific requirements regarding the safeguarding and final disposition of the information, including a copy of the written information protection policies and procedures specifically referenced in the contract. (Note: It would take another article to describe what service provider policies and procedures should include. Such an article, titled, “The DNA of Data Processor Information Security Policies and Procedures” will be published here in December.)
- Linkage to relevant regulations as determined by the nature of the information transferred. For instance, where Protected Health Information is transferred, there must be a reference to the HIPAA Security, Privacy, and Enforcement Rules, as well as to HITECH’s Data Security Breach Notification requirements. Increasingly, service providers are compelled to comply with all data protection and privacy regulations; where this is broadly stipulated as such within a contract, an itemized list of relevant regulations is not necessary.
- A requirement to annually provide evidence of stipulated certifications.
- A requirement to inform the data controller of any data security breach without delay once it is discovered.
- A requirement for the service provider to respond to regulatory obligations to facilitate and respond to Data Subject Requests.
- A specific dollar amount for which the service provider will be held responsible for damages caused by a failure to fulfill the professional services, and clear evidence of indemnification for that amount.
- A requirement to inform the data controller of any change to the insurance policy’s manuscript, or of any depletion in the professional liability coverage amounts available over the duration of the contract due to a successful claim.
A Vigilant Mentality
For most readers, the guidance provided here calls for a new way of viewing all service providers, whether they have access to regulated personal information or information that would be useful to the competition.
The good news is that such vigilance, whether it is required by regulations or by the need to protect intellectual property rights, is relatively straightforward. In fact, it is really not much different.
In both cases, selection due diligence should be demonstrated, examining things like criminal background screening, access control, employee training and confidentiality agreements, and, where relevant, information management and network security precautions. And in both cases, contracts should specify the service provider’s potential access to sensitive information and its fiduciary obligation to prevent unauthorized use.
© 2023 Privata Vox, LLC - All Rights Reserved
Bob Johnson, CSDS, CIPP/US, is the Principal Advocate at Privata Vox, LLC. Read more about his long career in privacy and data protection policy development.