Companies receive, create, and store a wide range of information, some of which is proprietary and some of which could be subject to privacy laws and other statutes or regulations. As a result, it is important for companies to make sure that their information is protected and handled appropriately when placed into the hands of a third party vendor or service provider. Too many times, companies entrust their information to third parties relying on goodwill or the reputation of the third party without exercising further due diligence. Companies are often surprised to learn that the contracts they signed with the third parties really offer inadequate or possibly even no protection for their information. This article will discuss some contractual protections your company should consider when sharing information with a third party.
Due to the value of certain information to companies, information should be treated as an asset, meaning companies should protect their information by preventing third party claims of ownership. One of the basic ways to protect ownership of information is to include contractual provisions stating so. This is especially vital in a situation where the third party vendor or service provider will be processing and/or creating additional information based on a company's proprietary information or ideas. Under intellectual property laws, the creator of certain information may automatically have a right of ownership or interest in such information. So, it is important that companies are proactive in their contracts with third parties and identify what information they expect to own at the end of the relationship.
One of the most popular contractual provisions used in protecting information is a confidentiality clause or stand-alone confidentiality agreement. These are not one-size-fits-all, however. First and foremost, these clauses often differ in what constitutes confidential information subject to protection. Some agreements may require information to be marked as "confidential" in order to be subject to protection. This marking requirement poses a problem for companies that are not in the habit of marking confidential information as such, and poses a problem for information that is provided verbally. In other agreements, the definition of confidential information may be limited only to a specific document, software program, or subject matter, and as a result, other company information that genuinely is proprietary is not protected. So it is critical that the definition of confidential information is closely scrutinized to ensure it covers what will actually be provided to the third party.
Secondly, confidentiality agreements typically differ in what are considered exceptions to the obligation of confidentiality. Generally, there should be exceptions to confidentiality requirements, such as information that is already in the public eye (through no fault of the third party vendor, of course) and information that must be disclosed by law. In other words, if a company has already made certain information public, then the third party should not be obligated to hold that information in confidence. While on one hand not all agreements will include these exceptions, on the other hand we see agreements that include very broad and ambiguous exceptions. For example, we often see exceptions for information that is "independently created" by the third party. It is difficult to comprehend, though, what "independently created" means in situations where the information is created by the same person(s) that handled the confidential information. We all know that it is not possible to unlearn something.
Some other ways confidentiality agreements may differ include the level of protection required, the allowable use of the confidential information, the time period for which the information must be protected, and the return or destruction of any confidential information when the relationship with the third party ends. Depending on the goods or services provided by the third party and the nature of the information provided to the third party, the amount of protection required and other aspects of these confidentiality requirements may change.
C. Information Security
In addition to the above-mentioned considerations, it is important that companies consider what information security requirements should be met by third parties collecting, storing, and/or processing confidential information, including personally identifiable information. Personally identifiable information is generically defined as information that can be used to identify a person, such as name, address, email, social security number, phone number, etc. Companies often collect this information from their customers and use third parties to process and store it. Poor information security controls by the third party vendor or service provider, however, increase the risk of a security breach and therefore the risk of an unwanted disclosure of customer information. Such disclosure may trigger significant fines and penalties under various states' privacy laws and require a significant amount of time and resources to remedy the effects of the disclosure, including reputational harm.
Certain information security requirements may be legally required of companies and their third party vendors, whether by statute or contract. For example, the Health Insurance Portability and Accountability Act (HIPAA) requires companies that are using a third party to collect or store protected health information to enter into a Business Associate Agreement, which includes an obligation that the third party abide by certain HIPAA security requirements. Similarly, when a third party will be handling credit card information, an obligation to follow PCI requirements should be considered. Companies may also desire the ability to audit the third party's security controls. Ultimately, whether it is a certain type of information security standard, compliance with a certain law, or a right to audit, companies should ensure their agreements meet their information security needs and satisfy any legal requirements.
D. Limitations of Liability
A final, but very important, point pertains to limitations of liability in agreements. Many agreements include clauses that impose limitations on one party's potential liability to the other party. These clauses can prevent a third party vendor or service provider from being liable for certain types of damages, such as consequential damages or lost profits, and can limit the dollar amount for which the third party vendor or service provider can be liable to the companies it is servicing. In fact, some agreements may state that the third party cannot be liable for any damages whatsoever. Therefore, even if a company is provided with the ownership, confidentiality, and information security protections it desires, those protections may be meaningless if there is little to no liability of the third party in the event of a breach.
In conclusion, prior to providing company confidential information (including personally identifiable information) to a third party, it is important to assess the nature of the relationship including what information the third party actually needs, the sensitivity of the information that will be provided, and any applicable legal requirements, and then engage an attorney to make sure the agreement adequately meets the company's needs. One word or phrase can make all the difference in an agreement, and no company wants that difference to be one that costs it its reputation, competitive advantage, goodwill, or bank account.