Emerging Contract Law Issues

New developments in internet-based products and services are causing people and organizations to think more about information security. People and entities must protect and secure information at the same time that information is being shared more widely than ever before. Entities use contracts to make sure that their own data, and the personal information of their customers, is protected when it is shared with another party.

Sometimes the law requires a contract. For example, both the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) require covered businesses to enter into contracts with their third-party service providers to protect data. These contracts hold the third parties accountable for the minimum levels of data privacy and information security protection that those laws require for certain types of information.

NOTE

A third-party agreement under HIPAA is called a business associate agreement (BAA).

Entities also enter into these contracts voluntarily when they use new services or buy new products. The importance of including data security terms in these contracts continues to grow. The newest development in internet-based products and services that highlights information security issues is cloud computing.

Cloud Computing

The definition and limits of cloud computing are still evolving. Cloud computing is a type of computing where both applications and infrastructure capabilities can be provided to end users through the internet. Through cloud computing, entities no longer have to own their own computer hardware and infrastructure. They can purchase these services from cloud service providers. They only pay for the infrastructure and applications that they need. FIGURE 11-1 is a basic cloud computing diagram.

Figure description: the cloud service provider's servers sit at the center of the diagram. A desktop, a laptop, a tablet, a mobile phone, and a stylus phone surround the servers and connect to them over the internet.

FIGURE 11-1
Basic cloud computing diagram.

NOTE

SaaS refers to the purchase of application services over the internet. Cloud computing is the broader term: it refers to the purchase of application, infrastructure, and storage capabilities through the internet, of which SaaS is one service model.

Cloud computing is not just for businesses. Individuals also use cloud computing services. For example, Yahoo! Mail is a cloud service. Google's G Suite of services are cloud services. So is Mozy's online computer backup service. Cloud computing has its beginnings in the Software as a Service (SaaS) model. In the SaaS model, a vendor hosts a web-based application and provides that application to its customers. The customers purchase access to the hosted application and use it over the internet. The SaaS vendor hosts the application and maintains the infrastructure necessary for running it.

Cloud computing consumers can purchase infrastructure services such as data storage, backup facilities, and data processing. Cloud computing also includes the purchase of applications traditionally provided under the SaaS model, such as email services. Cloud computing is attractive to many entities. Gartner, Inc., estimates that companies will spend $266 billion on cloud services in 2020.[29]

Many organizations believe that using cloud computing will help them save money on information technology (IT) costs. Cost savings include not spending money upfront on data centers, electricity, equipment, and physical security. It also might help save money on IT staff. Cloud computing is seen as scalable with the organization’s own growth. An organization purchases only the services it needs at a fixed point in time. It can always buy more cloud services when it needs them. Buying cloud services can be faster than building the organization’s own IT infrastructure.

NOTE

In 2007, Dell, Inc. tried to trademark the term “cloud computing.” The U.S. Patent and Trademark Office rejected the trademark because it was too generic and described services offered by many companies.

Cloud computing leads to situations where an entity's data is not stored on its own physical computing infrastructure. This makes information security practitioners (and lawyers) nervous. The 2019 U.S. Federal Cloud Computing Strategy includes security as one of its three focus areas.[30] Information security concerns about cloud computing include:

  • Loss of control of data, leading to a loss of security or lessened security
  • Loss of privacy of data, potentially because of aggregation with data from other cloud consumers
  • Dependency on a third party for critical infrastructure and data-handling processes
  • Potential security and technological defects in the cloud provider’s infrastructure
  • No control over the third parties that a cloud vendor might contract with
  • Loss of an entity’s own competence in managing IT infrastructure security

There also are legal concerns about cloud computing. Contract law governs a cloud computing relationship. Disputes over the terms of the contract could be costly to resolve. They also could take too long to resolve. A lengthy dispute about critical services could harm a business and affect its ability to operate.

Another legal concern about cloud computing is where data and infrastructure are physically located. Local law might control how entities handle data. Questions of who owns the data could be influenced by the law of the state where the data is located, if the data is stored in the United States at all; data stored abroad may be subject to the law of that country. The location of the data could also affect how that data must be provided in response to a public records request, subpoena, or court order. There could be different rules for how that data must be secured. It also could affect how companies must respond to a breach of the systems used to store their data.

Information Security Terms in Contracts

Entities entering into contracts for cloud computing services need to consider several items from a law and information security standpoint. A cloud computing consumer will want to make sure that the provider physically protects the infrastructure that holds the consumer's data. The consumer also will want to make sure that the provider follows good information security practices and protects the security of any data on that infrastructure.

NOTE

Because a cloud computing relationship involves handing an entity's data to another party, it is one case where the entity must make sure it has a formal written contract with its vendor.

There are several information security issues to consider in any cloud computing contract. These same themes also can be considered in any contract where an entity’s data might be stored, processed, transmitted, or handled by another party.

It is important for both contracting parties to understand the scope of data that they must protect in a contract. The parties must think about the following:

  • How data is defined
  • How data is used
  • How data is protected
  • How the parties meet their legal and regulatory requirements

Data Definition and Use

Both parties to a contract must understand the type of data that they might transfer back and forth because of their relationship. A contract must have clear terms that define the data owned by each party. The parties also must clearly define data that must be protected.

It is also important for the parties to clearly specify in the contract how they can use any data that they share. An entity will want to make sure that its vendor, or cloud computing provider, does not use its data in a way that would violate its privacy policies. An entity also will want to make sure that there are limits on the vendor’s own use of the data. For instance, a vendor should not be able to share the entity’s data with other third parties without permission. Finally, the contract should specify what happens to the data when the contract ends.

NOTE

A contract should define the data elements used by the parties. For instance, if personal information is transmitted between the parties, then the contract should specify what data elements are considered personal information. This definition could change depending upon the type of data transmitted between the parties.

Data use terms also should specify what the parties cannot do with certain types of data. For example, if credit card information is transmitted as part of a cloud computing contract, that contract should require the vendor to comply with the Payment Card Industry Data Security Standard (PCI DSS).

General Data Protection Terms

An entity may want to specify particular data protection terms in a contract. These terms are more specific than data use terms. For instance, an entity may want to include terms that state the specific administrative, technical, and physical safeguards that a vendor must use. When an entity includes these types of terms, it is trying to guarantee a minimum level of confidentiality, integrity, and availability.

NOTE

A minimum level of acceptable information security is called a baseline.

An entity could include the following contract terms to ensure a minimum level of information security protection:

  • Data transmission and encryption requirements
  • Authentication and authorization mechanisms
  • Intrusion detection and prevention mechanisms
  • Security scan and audit requirements
  • Security training and awareness requirements

Contracting parties can use resources developed by the National Institute of Standards and Technology (NIST), such as the security and privacy controls catalog in NIST Special Publication 800-53, to make sure that a contract includes the appropriate controls. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) also have prepared information security controls guidance in the ISO/IEC 27000 series of standards.

Compliance With Legal and Regulatory Requirements

Sometimes laws or regulatory controls will influence the relationship covered by a contract. This happens when the data or processes used between the parties falls within the scope of a particular law. GLBA and HIPAA were already mentioned as two federal laws that pull certain types of data and relationships into their scope.

NOTE

Contracts also have to include terms that help entities meet their breach notification duties in the event that a vendor’s systems are compromised and the entity’s data is disclosed.

State laws also could be implicated. For example, Massachusetts[31] and Nevada[32] have laws that require the personal information of state residents to be encrypted in certain instances. This requirement would need to be specified in a contract in order to ensure that a vendor meets it.

Additional terms that a contract should have to address regulatory requirements include:

  • GLBA language if financial data is used or transmitted between the parties
  • HIPAA language if health information is used or transmitted between the parties
  • Family Educational Rights and Privacy Act (FERPA) of 1974 language if student information is used or transmitted between the parties
  • Language addressing notification requirements if the vendor experiences any type of information security incident or event involving the contracting entity’s data
  • Language protecting the intellectual property rights of each party

An entity also will want to make sure that a contract contains terms that require the vendor to cooperate with security incident investigations. This is so the entity can meet its regulatory requirements. A contract also must have terms that require each party to assist the other with third-party litigation that occurs because of the contractual relationship. For example, a contract should state that the vendor will assist the entity with any litigation against the entity that arises because of a breach of the security of the vendor’s systems.

As new technologies emerge and are developed, the rules for using that technology will become very important. One way that entities can establish rules is through contractual agreements.
