Keeping Data Safe: No One-Size-Fits-All Model

CLE gives lesson in best practices for data privacy & security contract provisions

Panelists Christopher Achatz and Trent Martinet share a laugh Wednesday during a CLE session on drafting intellectual property, privacy and data security provisions.

Lawyers including data privacy and security provisions in contracts they put together for clients first have to clarify which definition of “data” their clients’ information falls under. Different laws govern based on the type of information, and there’s no one-size-fits-all agreement template that will work for every client.

The Colorado Bar Association presented a CLE Wednesday in its Business Document Drafting Series titled “Five Things You Must Know Before Drafting Intellectual Property, Privacy and Data Security Provisions.” Moderated by Davis Graham & Stubbs associate Otto Hanson, the panel included DGS partner Trent Martinet, Lewis Bess Williams & Weese director Deborah Howitt and Koenig Oelsner Taylor Shoenfeld & Gaddis attorney Christopher Achatz.


The CLE used a hypothetical business-to-business software license agreement to demonstrate key considerations in drafting data security and privacy provisions because software licenses will nearly always contain such sections. The panelists used the mock contract to detail topics relevant to those provisions such as data sharing, data obtained from another party, terms required by privacy laws, drafting a privacy policy and other miscellaneous tricky considerations.

“Everyone’s got a software license template, but tailoring it to your client, being thoughtful about each of these words is really where we can help our clients — and part of where the fun is,” Achatz said. “We’re making it up, we’re determining the bounds of that license.”

The panelists said the interests of lawyers’ clients will differ based on the party — in the panelists’ example, the software licensor or licensee — the lawyer represents in the transaction. Warranties and indemnifications are two examples. A warranty guarantees the product or service the customer receives performs as promised. It can also protect against back-door access or harmful code contained in software.

Moderator Otto Hanson and panelists Deborah Howitt, Achatz and Martinet talk about what lawyers should consider when drafting contract provisions for clients to protect data in software license agreements. / HANNAH BLATTER, LAW WEEK

Warranties also may tie into indemnification provisions for customers in the case of intellectual property infringement. Martinet said he would caution clients against making a representation to customers that their product absolutely does not infringe on the intellectual property of a third party. Technology advances so rapidly, he said, that it’s difficult to know for sure that there hasn’t been any infringement.

“If you’re independently creating it, that’s a good first step. You’re probably not infringing someone,” Martinet said. “But you just never know when you’re going to run afoul of someone’s patent.” In the case of infringement, he said, sellers would have an indemnification obligation to their licensees, which would hold them harmless from liability. Licensees would have an indemnification claim even if they do not have a breach of warranty claim due to the infringement. Sometimes a customer’s indemnity will be stipulated as their “sole and exclusive remedy” against infringement liability. 

The definition of data to be kept secure varies based on the law governing it. Covered data, which can vary greatly by state law, can include username and password combinations or biometric data.

“You’re always worrying about those definitions,” Achatz said. Distinctions between definitions can get as nuanced as confidential information, customer information, customer personal data, sensitive personal information and aggregated information, he said.

“All of these have different legal standards that apply to them through the different statutes,” Achatz said. “Among these different laws that we’re mentioning, they have different legal significance depending on what term you use and how you define it.”

Howitt explained the European Union’s General Data Protection Regulation, which went into effect Friday and also applies to U.S. companies doing business in the region, covers “anything relating to an identifiable natural person.”

“It’s extremely broad,” she said. “It could be a photo of a person or a voice recording or pretty much anything. So defining what is the data in contracts like this is pretty important.”

In considering use restrictions, Achatz said a central consideration is what the core product is. A pen with no special functions would have different usage implications than a “smart pen” enabled with wi-fi or firmware, he said.

Howitt said privacy and security overlap quite a bit under relevant laws. Federal regulation includes HIPAA, which governs the safekeeping of medical information; the Gramm-Leach-Bliley Act, which covers privacy and security of financial information; and Federal Trade Commission oversight of commerce practices.

But there is no federal law generally governing consumer information security across all industries. All 50 states now have data breach notification laws, meaning companies have to comply separately with the law in each state in which they do business.

“It’s kind of a crazy patchwork of a lot of different laws that you need to comply with on the privacy side in the U.S.,” Howitt said. 

— Julia Cardi
