Data breaches are becoming increasingly common and there have recently been some high-profile New Zealand data breaches in both the public and private sectors. These breaches have highlighted the fact that even large organisations with sophisticated systems can become victim to data breaches. Data breaches can range from human error to sophisticated and malicious cyber-attacks.  

While you may have adopted robust data security measures, you can still be vulnerable to data breaches where your data is shared with third parties, including your service providers. It’s important to ensure that your contracts with these third parties address how your data will be protected and what happens if there is a data breach.  

In this article, we discuss key considerations to address in contracts to provide for appropriate protections for your data and expectations on the response to data breaches.

We have referred to service provider arrangements below, but the considerations outlined apply to any contract involving the sharing of your data with another party.

If you are a service provider providing services requiring you to access or otherwise handle data on behalf of your customers, you will want to be aware of the concerns and protections your customers will be looking to address, and proactively address them or be prepared to provide them with assurances on these matters.

What data? What purpose? What rights and obligations?

One of the first considerations when deciding what protections are required in your contract is identifying what data the service provider will have access to. For example, it is typical for service providers to have access to information such as employee information, customer information, financial information, proprietary information and other confidential information.

Different categories of data may require differing levels of protection, and the level of responsibility that each party should bear in the event of a data breach could depend on the rights and obligations that the service provider has in relation to the information.

At a minimum, your contract should include:

• Confidentiality - A confidentiality clause that requires each party to keep the other party’s confidential information private.
• Purposes of Use - Provisions that clearly set out what purposes the service provider can use information for - is it just for the limited purpose of providing services to you (for example, data storage)?  Or, will the service provider also have rights to use the information for its own purposes (for example, data analytics)?
• Compliance - If the service provider will hold personal information, a requirement to comply with the Privacy Act 2020 (Privacy Act) and any other applicable privacy legislation, as well as an obligation to help you to comply with your obligations, such as assisting you to answer requests by individuals for access to their personal information.
• Access - Limiting access to your data to only those of the service provider’s personnel who need to have access to it.
• Security - A general obligation that the service provider protects your data with such security safeguards as are reasonable in the circumstances, together with details of any specific security policies or security measures that you expect your service provider to comply with.  Consider also the requirement for regular independent certification or audits verifying the service provider’s compliance with its security obligations.
• Retention and Deletion - A requirement to return or delete data when it is no longer needed.  

Including these obligations is also important to demonstrate that you have taken appropriate measures to protect any personal information that you make available to the service provider, as required by information privacy principle 5 of the Privacy Act.

As well as including these contractual protections, we recommend undertaking a robust diligence process when selecting a service provider, including verifying the service provider’s own data handling and security policies.

What happens when the worst-case scenario occurs?

Your contract should address what the service provider is required to do if there is a data breach or breach of confidentiality obligations. Some of the key considerations are:

• Be clear about the scope of a data breach - Your contract should be clear about what constitutes a data breach.  While breaches involving the misappropriation of personal information are usually the focus of such discussion, you should consider whether breaches involving other valuable corporate information should be within scope. Any definition of data breach at a minimum should include privacy breaches, as that term is defined in the Privacy Act, which includes:

o unauthorised or accidental access to, or disclosure, alteration, loss or destruction of, the personal information; or

o any action that prevents the relevant agency from accessing the personal information on a temporary or permanent basis.^[1]

• Notification - Your service provider should be required to notify you of any data breaches with details of what has happened, and what data has been compromised.  The timing of notification should be immediate or as soon as practicable. If the data breach involves personal information, then the mandatory data breach reporting requirements of the Privacy Act 2020 could apply.  If a notifiable privacy breach^[2] occurs notice is required to be given to the Privacy Commissioner as soon as practicable after the breach has been identified.  The Privacy Commissioner has an expectation that notification will occur within 72 hours of the agency becoming aware of the breach.^[3]
• Assistance, remediation and mitigation - You should specify what you expect the service provider to do if a breach occurs, for example:

o providing assistance to help you comply with any obligations you have relating to the breach, eg assisting with notifications to the Privacy Commissioner and affected individuals;

o remedying and mitigating the effects of the breach; and

o taking action to prevent future breaches.

Your service provider will want to carefully consider these obligations in light of the scope of the service they are providing and the extent of their role in causing the data breach.

• Liability limit - Depending on the significance of the data held, you should consider whether the service provider’s liability for data breaches should be subject to the contract’s general limitation of liability or whether a super cap or potentially unlimited liability should apply. This is often a matter of negotiation and involves consideration of who is best able to manage the risk. Accordingly, having a thorough understanding of the likely losses you would suffer in the event of a data breach and the mitigations that are in place will be important to having an informed discussion with the service provider on this point.

Including these types of clauses in your service provider contracts will help you be prepared if a data breach does occur so that you and your service provider know your respective responsibilities and liabilities.

Get in touch

If you would like to learn more about anything discussed in this article, how it could affect you or assistance in drafting these types of clauses, please get in touch with one of our experts.