Privacy and Data Security Considerations in Contracts

When negotiating a contract that involves personally identifiable information (PII) or other confidential data, it is essential to consider a range of privacy and data security controls. First, what are the procedures for collecting, processing, sharing, retaining, and destroying the data, and which federal, state, and/or international legal obligations apply to those procedures. Second, how can the legal and regulatory risks surrounding the collection and generation of data, and the access to and sharing of data, be reduced.

This article provides a general overview of the major privacy and data security laws in the United States that are important to consider when starting a business or signing a contract involving sensitive data.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HIPAA Privacy Rule protects the privacy of individually identifiable health information. The HIPAA Security Rule sets national standards for the security of electronic protected health information (ePHI), and the HIPAA Breach Notification Rule requires covered entities and business associates to provide notification following a breach of unsecured protected health information. Of particular relevance to contracting, a covered entity must have a written business associate agreement in place with any vendor that creates, receives, maintains, or transmits protected health information on its behalf. If your organization is a covered entity and has recently experienced a breach, contact our firm to find out how to handle the post-breach procedures and notifications.

State Data Breach Notification Laws. All 50 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have data breach notification statutes. These statutes differ in which data elements are covered, who must be notified (affected individuals, regulators, or both), and how quickly notice must be given, so a contract involving data from residents of multiple states should account for the strictest applicable requirements.

California Consumer Privacy Act of 2018. The California Consumer Privacy Act (CCPA) requires companies that fall within the scope of the Act to execute written agreements with third-party service providers that prohibit the service provider from selling the Personal Information, and from retaining, using, or disclosing it for any purpose other than performing the services specified in the agreement.

The Fair Credit Reporting Act (FCRA). The FCRA governs how consumer reporting agencies compile consumer reports and how companies may use those reports to determine creditworthiness, insurance eligibility, and suitability for employment, and to screen prospective tenants.

The Gramm-Leach-Bliley Act (GLBA). The GLBA requires financial institutions that offer consumers financial products or services (such as loans or investment advice) to explain their information-sharing practices to their customers and to safeguard sensitive customer data.

The Children’s Online Privacy Protection Act (COPPA). COPPA imposes various requirements on operators of websites and online services (including mobile apps) that are directed to children under the age of 13 and collect, use, or disclose children’s personal information, as well as on operators of general-audience services that have actual knowledge they are collecting, using, or disclosing personal information from children under 13. If your company’s target audience includes children under 13 years of age, contact us to find out what notice requirements your privacy policy must meet.