Canadian Lawyer InHouse

January 2016

Legal news and trends for Canadian in-house counsel and c-suite executives

Issue link: https://digital.canadianlawyermag.com/i/616113

JANUARY 2016 14 INHOUSE

QUIZ ANSWERS

YOUR RANKING?
■ One correct: might be time to brush up
■ Two correct: not bad, but some further work needed
■ Three correct: very well done, but not perfect
■ Four correct: excellent

1 (B) A "strict liability" standard of care may be imposed; in other words, the confidentiality provisions could be amended to add that the service provider will not disclose the confidential information of the company and must keep it strictly confidential — by doing so, the service provider is liable for a breach of confidentiality even if it complies with the standard of care regarding safeguarding the confidential information. The other provisions mentioned, such as inspection rights, are useful, but the key provision is the standard of care.

2 (D) (A), (B) and (C) are fictional. SSAE 16 (Statement on Standards for Attestation Engagements Number 16) is an audit standard established by the American Institute of Certified Public Accountants that contains provisions geared toward service organizations such as IT service providers. Audits are obtained by service providers to, among other things, help demonstrate that they have adequate contracts and safeguards when they host data belonging to their customers. Service providers are often reluctant to provide security audit rights in favour of a company. As an alternative, the company will gain some comfort if the service provider obtains and provides to the company third-party audit reports prepared in accordance with third-party standards such as the SSAE 16 audit standards. The contract could include a provision that such reports are provided to the service provider. The SSAE 16 standard provides for "SOC 1 Reports", "SOC 2 Reports" and "SOC 3 Reports", and the reports fulfill different functions.

3 (C) It depends on the contract. The service provider's standard contract will typically contain limitations and exclusions of liability in the service provider's favour. They usually consist of a "monetary cap" regarding all liability under the contract (often expressed as a total of fees paid to the service provider over a certain period of time), and an exclusion regarding consequential and indirect damages that may include an express exclusion regarding loss of data. Many IT service contracts are drafted so that the limitations and exclusions of liability apply to indemnities and, therefore, a robust indemnity may in fact be undermined. A company may seek to negotiate "carve-outs" regarding the exclusions and limitations of liability that apply to breach of confidentiality provisions and indemnification for the breaches. With respect to the "monetary cap", a service provider may not be willing to accept a carve-out that provides for unlimited liability, but the service provider may accept a substantially higher monetary cap than for other contractual claims. It depends upon the bargaining strength of the parties. It is important to pay attention to the express provisions of a force majeure clause so that it is clear to what extent, if any, the service provider may avoid liability for cybersecurity risks notwithstanding any other provision of the contract.

4 (D) All are useful except for traditional insurance provisions. Traditional insurance policies do not cover data loss or damage due to a security breach. "Cyber insurance" is an evolving form of insurance that is helpful with respect to security breaches. Cyber insurance is especially important if the service provider is a small company that may not be in a position to adequately compensate the customer for a loss. Provisions may be inserted so that data may be hosted only within a specified geographic area, putting the company in a position to assess the risks. If the data is hosted outside of Canada, the company should consider, among other things, whether the hosting jurisdiction has privacy laws, data security laws, and protections against unlawful search and seizure (especially if the data includes personal information) that are sufficiently rigorous. The agreement may contain one or more security schedules that deal with IT security requirements and policies (data storage, data retention, malware protection, etc.) that help manage security risk.