Part 3 of 3: Exchange, Processing, and Disposal of Data
After establishing the definitions and applicable regulations, the agreement should establish the expectations for data exchange, processing, and disposal. Depending on the sensitivity of the data, encryption in transit or storage may be appropriate. The parties to an NDA often place restrictions on the processing of data once received, including the individuals or functions that will have access and whether the data may be reused for other activities such as testing or aggregation with other sources. Generally, business partners establish a “least privileges” model where only those with a need-to-know have access to perform only the agreed upon activities.
The parties should also stipulate their expectations for data return or destruction upon termination of an NDA. The expectations for data return or destruction will be typically molded by a party’s desire to keep compliant with the particular data handling law or regulation to which the party is subject. For example, a health care concern will be focused on complying with HIPAA destruction requirements and financial entities will devote their energies to figuring out 16 CFR § 314.2(c) (i.e. “the administrative, technical, or physical safeguards you use to . . . dispose of . . . customer information”). Since the service provider will also be asked to comply with such laws or regulations, it is in a their best interest to be sensitive to the specific data destruction requirements imposed on the disclosing party, so that the service provider can either confirm that its data destruction policies would comply with the disclosing party’s particular requirements, be in a position to develop a data destruction policy to meet with the disclosing party’s requirements, or, knowing that it cannot or will not comply, have an awareness to try to negotiate out this requirement.
There may be a temptation to assume that meeting the data destruction requirements of one statutory/regulatory framework will be sufficient to meet other frameworks. This is not always the case. A comment by the US Federal Trade Commission in its final rules to 16 CFR § 314 (commonly known as the “Safeguard Rules”) raises this point, if indirectly, in addressing the idea that complying with the Fair Credit Reporting Act, HIPAA or the Fair Debt Collection Practices Act should automatically mean compliance with the Safeguard Rules, “[T]he Commission does not intend to impose undue burdens on entities that are already subject to comparable safeguards requirements . . . [h]owever, because such other rules and laws do not necessarily provide comparable protections in terms of the safeguards mandated, data covered, and range of circumstances to which protections apply, compliance with such standards will not automatically ensure compliance with the [Safeguard] Rule.”
** This is the last part in a three-part series which comprise an abridged version of the article “Thoughts on Contracts and Information Security,” written by Daniel Garrie and published in the Los Angeles Daily Journal. To request a PDF of the complete article, please contact Law & Forensics.