Employers’ use of outside vendors has expanded recently to include vendors that assist with office re-entry screening and contact tracing as employees return to work during the COVID-19 pandemic. The service agreements negotiated for this purpose, like any service provider or vendor agreement, should adequately address data privacy and security for employee personally identifiable information (PII). In the absence of a federal law governing data security and breach notification for employee PII, employers must comply with a growing set of state and local requirements to protect the employee PII they obtain in the normal course of employment. Many states have breach notification laws that apply to data held by employers, such as employee Social Security numbers. Other states, such as New York, go further and both require breach reporting and mandate specific data protections. For example, the New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) requires employers to maintain a cybersecurity program with reasonable administrative, technical and physical safeguards for the PII of New York resident employees.
Employee PII, however, does not reside solely within an employer’s own information systems. For example, in order to provide payroll and benefits services, employers often engage third party service providers and transmit employee PII to them to process transactions. Once a vendor is involved, the PII typically resides in the vendor’s systems and may be further transmitted, processed and stored in a cloud environment or on the systems of the vendor’s own subcontractors or agents.
Therefore, it is incumbent on employers to address data privacy and security provisions when negotiating service provider agreements for any service in which PII will be collected, transmitted, processed or stored. In the context of employee benefit plans governed by ERISA, plan fiduciaries should also ensure that benefit plan service provider and vendor agreements are reviewed and negotiated the same way, as part of a broader governance policy. Any existing service provider or vendor agreements that have not been updated to include such provisions should be revisited and amended accordingly.
These issues are commonly addressed in a data privacy and security addendum to service provider agreements. When drafting or reviewing a data privacy and security addendum (or incorporating such provisions into the main body of a service agreement), the employer should consider the following:
- Where are the employees, and which privacy and security regulatory regime will apply? At the outset, employers must decide whether the data privacy and security addendum addresses only the United States or also foreign jurisdictions in which employees are located. Employers should ensure that the addendum covers the privacy and security requirements that apply to all of the affected employees.
- What type of data is being collected? Will the service provider be collecting data protected by HIPAA or other sensitive health information? Will it collect financial information? Knowing the categories of data up front determines which laws apply, and drafting broad provisions helps ensure that all of the information collected is protected.
- Does the employer have a template agreement? Providing the first draft allows the employer to affirmatively state its expectations for protection of the data. Even if a vendor wants to use its own template as a starting point, having a template allows the employer to keep track of provisions that are important so that it can include them in the vendor’s template.
- Who should review the data privacy and security addendum? In addition to the business team and the counsel responsible for the engagement, it is often helpful to have the employer’s privacy counsel review it. The review team should also include the employer’s IT and information security staff, who are best placed to judge whether the security commitments are meaningful and verifiable.
- What protections does the vendor describe? As noted above, if the employer has a template, it can readily compare the vendor’s protections against what it expects of vendors. The employer should also consider having its IT or security department conduct additional diligence to confirm that the vendor’s representations are accurate rather than taking them at face value.
- Does the data privacy and security addendum appropriately restrict further use and disclosure of the data collected? Ensuring that the vendor makes no secondary use of the data unless explicitly approved by the employer is another key consideration. The agreement should also require the vendor to comply with all applicable privacy and security laws. In addition, the employer should consider whether to include provisions required under the California Consumer Privacy Act (“CCPA”) or similar statutes to: (a) designate the vendor as a “service provider,” which subjects it to certain limitations and protections under the CCPA; and (b) ensure that the employer knows of every use the vendor may make of the data so that the employer can give adequate notice to its employees. Employers should also ensure that the agreement adequately addresses the duty to preserve evidence (including electronically stored data) in the event of litigation.
- Will the employer prohibit offshore data storage or processing? If so, the contract should say so explicitly.
- Are there other data transfer restrictions that should apply (for example, limits on cross-border transfers or on transfers to particular categories of recipients)? As with offshore storage, any such restriction should be stated explicitly in the contract.
- If the vendor is using a third party cloud service, how has the vendor ensured that the cloud service is secure? The employer should request information about the cloud provider and the vendor’s own security practices, including where data is stored. Bear in mind that the cloud provider typically secures only the underlying infrastructure; how the vendor configures and operates its service in that environment remains the vendor’s responsibility. The employer may also want the vendor to indemnify it for bad acts or breaches by the cloud provider.
- Is the service agreement with the employer’s group health plan, such that HIPAA applies? If so, the employer will want to ensure that a compliant business associate agreement is included. The business associate agreement is typically in addition to, not instead of, the other privacy and security protections described in the addendum.
- Does the vendor try to rely on confidentiality provisions alone? Confidentiality provisions are generally less stringent and less specific about the protection of employee data, and they rarely describe the security procedures that are in place or need to be in place. Employers should insist on a privacy and security addendum.
- Does the service agreement address a breach response plan? The parties should define how a data breach will be handled: for example, what counts as a breach, the remediation and notification procedures, the required timeline for the vendor to notify the employer after discovery, and which party bears the costs. Employers should negotiate the right to review breach communications before they are distributed to participants. Plan sponsors and fiduciaries should also ensure that they have their own incident response plan in place that meets the standards of applicable law for communicating a data security breach to participants, beneficiaries and the appropriate authorities.
- How does the data privacy and security addendum address indemnification, and has the vendor attempted to carve out data privacy and breach issues from it? These provisions should be reviewed and negotiated to contractually allocate the risk of data privacy and security issues between the parties, and to determine the extent to which it will be passed on to third parties. It may be necessary to coordinate the indemnification provisions in the addendum with those in the main body of the service agreement. Service agreements often provide for indemnification but then carve out events that may be the most significant, such as breaches of personal information. Indemnification should also be sought for the bad acts of any agents or subcontractors. Employers should decide at the outset what approach they want to take, and understand that in some cases it may mean choosing a different vendor.
- How should the employer address attempts by the vendor to limit liability? Most service agreements include a limitation of liability provision. It is important to determine whether cybersecurity breaches can be carved out of the liability cap, or made subject to a separate, higher cap. At a minimum, negotiate away any cap on breach notification and remediation costs.
- Does the agreement include a right to audit? Establish parameters for auditing the vendor’s systems, conducting penetration testing or receiving the results of the vendor’s own testing, receiving initial and updated Service Organization Control (SOC) reports, receiving security program updates, and making related remediation requests based on the findings of any such audit or review.
- Does the agreement include guarantees for the employer? If a vendor offers a customer guarantee, it would be prudent to specifically incorporate it into the service agreement.
- Does the agreement include flow-down provisions that cover agents and subcontractors? The employer will want the service agreement’s privacy and security terms to apply equally to any agents or subcontractors of the service provider, including with respect to destruction of data.
- What happens upon termination of the agreement? The employer should factor cybersecurity considerations into the termination provisions, especially the return or transfer of data, any interim storage, and the certified destruction of data once it is no longer needed.
- What type of cyber insurance coverage does the vendor maintain? The employer may want to include a provision requiring the vendor to maintain a specified level of cybersecurity insurance, and may want to request a certificate of insurance as evidence of that coverage.
- What is the preferred choice of law for the agreement? The employer should consider which laws the agreement needs to cover. For example, an employer in the US may want the agreement to require that data be maintained in accordance with applicable US state laws regardless of where the data is managed, while also including provisions that address international laws where employees or data are located abroad.
- Will the vendor provide employees with access to any special apps or tools? Some apps combine financial, retirement plan and health plan tools, which may require review under a broader array of privacy laws, HIPAA, and state law requirements. In addition, some apps automatically collect information from the employee’s phone, such as geolocation, IP address and operating system. If so, the employer should ensure that the app adequately informs employees of the data collected, and determine how to handle an employee who does not want such information collected. For example, consideration should be given to whether the service could be provided through another communication channel.
The current environment is complicated, and it will only become more complex. Employers need a well-defined protocol for handling employee data in compliance with applicable law, and must ensure that those policies are followed by their third-party service providers.