Tech & Sourcing @ Morgan Lewis


We have already discussed the increase in data breaches and the need to include data breach provisions in outsourcing contracts, but what should those provisions cover? Below is a list of questions you should ask when choosing how your outsourcing contract will address data breaches:

  • What happens when one party discovers a breach? Typically, the obligation would be to promptly report the breach’s occurrence to the other party, thoroughly investigate what happened, and then disclose the results to the other party.
  • Who must notify affected individuals and government authorities? 48 states and many foreign countries now have laws requiring notification to individuals whose information is potentially compromised in a data breach. Your contract should specify who has the obligation to make and pay for this notification. Typically, the notification to an individual has to look like it is coming from the entity with whom the individual has a relationship so that it has meaning.

    For example, assume John Smith does all his banking with First National Bank, which, in turn, outsources the processing of his information to Big Outsourcer. Assume further that Big Outsourcer experiences a data breach. If John Smith receives a notice from Big Outsourcer, which is a name he does not know or recognize, he is likely to ignore it. But if he receives a notice that looks like it came from First National Bank, he recognizes the name and pays attention. It makes the most sense for Big Outsourcer to arrange and pay for the notification effort, all with First National Bank’s approval and consent.

    Also keep in mind: the laws requiring notification to individuals also require notification of government authorities and/or consumer reporting agencies so your outsourcing contract should include provisions on that as well.
  • Who has control over the content of communications? Public communication and public relations issues are a central component of managing any breach. Your contract should clearly specify who has responsibility to generate the content of proposed communications and which party has approval rights and control.
  • Who will interact with law enforcement? Data breach events often are the result of criminal actions. In many instances then, a data breach will involve interacting with law enforcement agencies, such as the FBI, the Secret Service, or local police. It is important to establish a single efficient chain of communication with law enforcement.
  • What will the insurance requirements be? Insurance companies now offer cyber insurance to cover the costs associated with a data breach. Many outsourcing contracts will require the service provider to obtain cyber security insurance to cover the costs of a data breach event.

Morgan Lewis lawyers regularly advise on data breach provisions in outsourcing contracts and have many standard contractual provisions to address these issues.