Contracts, In-House Counsel, Technology

House Rules: Data Security

I had today’s column dealing with confidentiality provisions all set to go. However, given the Baylor Law School fiasco, I changed topics to another very contentious issue in business-to-business terms and conditions negotiations: data security. I will take some liberties with the factual scenario of the Baylor data release in order to make the issue more relevant to those of us in-house.

Let’s assume that instead of an employee of Baylor’s admissions office allegedly being responsible for the data release, it was an outside contractor who had been hired to perform data collection for Baylor. Let’s further assume that the contractor acted negligently in releasing the information. Finally, let’s assume that Baylor’s legal counsel vetted the Agreement and Statement of Work (“SOW”) between Baylor and the contractor, and included a data security provision. What should happen now that prospective students’ personal information, including LSAT scores and GPA, is in the public domain? I would begin by stanching the bleeding and assessing the damage.

I am sure that at some point you, either as a law student or long-time practitioner, have been asked by a friend or family member who feels that they have been legally wronged, “Do I have a case?” My answer, more often than not, is “How were you damaged?” In the majority of scenarios, my resulting analysis is that the person does not in fact “have a case.” Many wrongs can cause upset, but unless there exists remediable damage, there may not be recourse through the legal system. In the Baylor case, the answer may well be that there is in fact no tangible damage to either the students or the institution. There may be short-term damage to Baylor’s reputation, but will this incident really cause a future law school applicant who fits the Baylor profile to not apply to Baylor? There is also potential embarrassment to the students whose information was released, but long-term damage? I don’t think so. Further, the students’ social security numbers were not released, which will hopefully lower the risk of identity theft leading to financial damage.

Hopefully, the Agreement’s data security clause called for the contractor to notify the school as soon as practicable upon notice of the security breach. The next step should have been for the parties to discuss in good faith the ramifications of the breach in terms of damages, and ultimately remediation. The industry standard for these situations, especially in cases of releases of financial information, has become largely one of notice to all persons whose information has been released, followed by some period of credit reporting paid for by the breaching party. I predict that something along these lines will be the result of the Baylor issue. While certainly embarrassing for the institution, and perhaps for the students (though I’d not really complain if I were the person with the 4.09 GPA), this issue will likely fade into the sunset relatively soon.

Now, backing up to the negotiation stage of a data security provision, what should both parties look for in a prospective agreement? I’ve already alluded above to the buyer’s stance: notify me of the problem, work to rectify it, and then pay for whatever remedies we agree to. For the outside contractor, be wary of lawyerly “weasel” terms such as “agree to pay the injured parties reasonable expenses.” This language allows the buyer to inform the seller just how much they’ve been harmed. The term “reasonable” is always up for debate, and what if the buyer decides their reputation has been harmed, they’ve lost profits, they hired an expensive lawyer to assess their position, and so on? The better practice is to agree on a bilateral methodology setting out the proactive steps each party will take in the event of an emergency.

There are also reputational risks for both parties. The very recent release of millions of card users’ information by Visa and MasterCard potentially harms not only the card brands, but the issuing banks as well, not to mention the contractor (yet to be named) who was responsible for the leak, and the card users themselves. It is imperative to get a handle on the problem as soon as possible. Showing your customers that your company has done everything possible to avoid potential damage can go a long way toward avoiding a public relations debacle.

The simple fact remains that at this point in our technological development, data breaches will occur, information will be released, and the current best practice is to prepare for the inevitable.

After two federal clerkships and several years as a litigator in law firms, David Mowry is happily ensconced as an in-house lawyer at a major technology company. He specializes in commercial leasing transactions, only sometimes misses litigation, and never regrets leaving firm life. You can reach him by email at
