/Docs/G/WorldCC/ContractPrinciples-CmA/Principle/DataSecurity/0.md
DATA SECURITY AND PRIVACY
  1. Introduction
    The contracting principles in this document have been developed with and are endorsed by the International Association of Contract and Commercial Management (WorldCC) and are referred to as the “WorldCC Contracting Principles.” They are intended to serve as an industry-adopted set of guidelines to support either the drafting of applicable contract clauses or the negotiation of applicable terms and conditions between a supplier and a customer. These principles are intended to reduce or eliminate the need for negotiation on these issues and shorten cycle time to signature. Participants who accept these WorldCC Contracting Principles are free to use them on a case by case basis and as they deem appropriate; however, it is expected that the benefits of their use will be maximized when both parties to a transaction agree to rely on them and draft the relevant clauses accordingly. In addition, these principles are not intended to constitute formal legal advice.
  2. Definitions
    The following definitions apply to these WorldCC Contracting Principles:
    • “Personal Data” means personal data (such as personally identifiable information and credit card information) and other highly sensitive data (such as passwords) of a customer or its clients that are in the possession of or accessible by the supplier. Depending on the originator, nature, and location of the data being processed, the definition of Personal Data may be modified to take into account applicable law (for instance, data subject to HIPAA, the European Data Privacy Directive, GDPR, or PIPEDA).
    • “Data Non-Compliance” means a failure by the supplier to comply with its obligations regarding the handling or safeguarding of Personal Data under the contract or under data protection/privacy laws or regulations applicable to the supplier.
    • “Data Loss” means
      1. the improper use or disclosure of Personal Data by the supplier,
      2. unauthorized access by the supplier’s employees or by third parties to Personal Data held by or accessed through the supplier, or
      3. the loss by the supplier of media on which Sensitive Data is held.
      (Not all Data Losses result from a Data Non-Compliance, such as where hacking takes place despite the supplier’s compliance with all applicable obligations.)
  3. General Concepts
    The following concepts form the basis for the more detailed WorldCC Contracting Principles that follow:
    • A security environment should be based on the assumption that failures may occur and should provide for multiple layers of protection to guard against high-impact Data Losses. Contract terms should, where possible, provide specificity with regards to the types of Personal Data being exchanged, the permitted uses of such Personal Data by the supplier, and any sharing or re-transmission of the Personal Data required by supplier.
    • Contract terms should reflect a balance of cost and benefit in the security environment. Customers and suppliers can more effectively reduce operational risks of Data Losses by focusing on (and clearly delineating) their respective security obligations rather than by focusing solely on supplier liabilities in the event of a Data Non-Compliance.
    • The extent to which a supplier will conform to particular industry security standards or will meet custom/more exacting requirements is a commercial issue that should be negotiated based on the size and scope of the deal (including particular security safeguards) and the nature of the solution (e.g., whether a standard multi-customer environment or a custom-built solution). The allocation of liability for Data Non-Compliance should be a function of the outcome of those business-to-business discussions.
    • The same liability principles should apply to Data Non-Compliance as to all other potential breaches under an agreement: liability should be based on sufficient proof of a breach, should be proportionate to fault, and should reflect a fair allocation of risk as agreed to by the parties.
    • The obligation to mitigate damages, whether claimed by a party to the contract or by a third party, should apply, either pursuant to the governing law of the agreement or as explicitly stated in the agreement.
    • Other types of confidential information may be subject to contractual confidentiality obligations but are not considered Personal Data within the scope of this Principles document.
  4. WorldCC Contracting Principles
    • Scope of Personal Data Protection Obligations
      • The supplier’s ability to re-transmit Personal Data, if applicable, and the supplier’s permitted use of Personal Data should each be clearly described in the agreement.
      • The supplier’s data security obligations should be clearly and accurately described based on the role it will perform and should focus on functions and tasks, not outcomes.
      • Customers should be expected to undertake reasonable steps to safeguard their own Personal Data (such as encryption or regular backups) to mitigate against potential losses and resulting damages.
      • The supplier should specify the security standards to which its operations adhere by reference to specific industry standards (such as ISO 27001, PCI-DSS, etc.) or otherwise, and the supplier should provide applicable certifications upon request.
    • Compliance with Laws and Regulations
      • Each party should comply with the data protection/privacy laws, regulations and mandatory industry standards (such as PCI-DSS) that apply to its own operations and activities. Except where the supplier is obligated to provide specific compliance activities, the supplier should not be expected to be responsible for compliance with data protection/privacy laws that apply to the customer’s operations and activities, but should take commercially reasonable actions to assist the customer in facilitating such compliance. Where required by law or regulation, the supplier and the customer will promptly enter into any additional agreements or file any additional materials required for compliance (for example, EU model clauses).
      • When appropriate, the customer’s data protection/privacy compliance activities that are included in the scope of supplier’s services should be clearly stated within the contract to avoid misunderstandings or gaps in responsibilities.
      • The contract should provide an equitable mechanism to modify the supplier’s contract obligations (and charges, where appropriate) based on changes to data protection/privacy laws applicable to the supplier and/or customer.
      • Suppliers should not be expected to provide customers with independent compliance audit reports that contain highly sensitive information and are generally not created for dissemination. Rather, the parties should adopt an alternative process by which their respective experts can meet to share appropriate information to give the customer assurances relating to security controls. In cases where customers have obligations to provide regulators with suppliers’ compliance documentation or where laws or regulations permit regulators to audit suppliers’ compliance with security standards, the contract should address those situations and provide for appropriate safeguards for the supplier’s information and operations.
    • Allocation of Liability for Data Losses
      • A supplier should be liable in the event of its Data Non-Compliance but should not be expected to act as an insurer or guarantor of the customer’s security environment. A supplier should be accountable only for Data Losses that result from its Data Non-Compliance. If a Data Loss results from multiple points of failure, the supplier should be held responsible only to the extent the loss is the result of its Data Non-Compliance(s) (shared fault = shared risk).
      • For service offerings where the supplier has only incidental access to Personal Data (e.g., business contact information for customer employees) and the risk of damages is small, the supplier’s liability for a Data Non-Compliance should be subject to the standard contract limitation of liability (such as a cap at a fixed dollar amount or a multiple of average monthly charges).
      • Where the supplier is operating within the customer’s security environment or has significant access to Personal Data, it would be appropriate for the supplier to be subject to higher liability caps for a Data Non-Compliance.
      • The contract’s general exclusion of indirect, consequential or similar categories of damages should apply in the case of Data Loss. However, it may be appropriate to identify discrete categories of covered damages for which the supplier will be liable (subject to caps), such as cost of breach notifications, credit monitoring, data recovery (unless a customer’s failure to back up its data in a reasonable fashion gave rise to the loss), and regulatory fines. These exclusions and covered categories of liabilities should also apply to supplier’s indemnifications for third party claims attributable to a Data Non-Compliance.
Recommended Clause:
Data Security
{_P1} shall maintain an information security system and protocol to protect {_P2}'s information from unauthorized access, disclosure or misuse. {_P1} shall
  1. maintain adequate physical controls and password protections for any server or system on which any Data may reside,
  2. encrypt any Data that is in transmission, and
  3. encrypt any Data located on any storage media.