The GDPR and Changes to E-Discovery Vendor Agreements (Part I)
Typically, a client obtaining e-discovery services enters into an agreement with an e-discovery vendor. Such agreements may be for a single provision of services, but if the client is a regular client of the vendor, the parties will often enter into a master agreement that sets forth key legal and business terms, with a statement of work drafted for each provision of services setting out the particulars of that engagement.
June 28, 2018 at 01:41 PM
8 minute read
Editor's note: This is the first in a two-part series.
Recently, parties are adding a separate set of provisions: obligations arising from the European Union's General Data Protection Regulation (GDPR) (EU) 2016/679, a regulation in EU law that took effect on May 25, and which addresses both data protection and privacy for all individuals within the European Union and the export of personal data outside the EU. In this month's article, I will discuss how the requirements of the GDPR have resulted in changes to client/vendor e-discovery agreements.
Standard Master Agreements
Standard master agreements address many disparate issues. They designate the services provider as the vendor and the services recipient as the client, and identify who within each organization represents it, where the organization is located, who receives communication, and so on. They describe, usually as generally as possible, the scope of the services to be provided and the rates of payment for each service.
Agreements can drill as deeply as their creators wish. Topics they cover include:
- Whether the deliverable meets acceptance criteria and, if it does not, what vendor must do to cure the error;
- How acceptance criteria can change, making something previously acceptable now unacceptable or previously unacceptable now acceptable;
- What information produced by a party is confidential, and how such confidentiality may be lost;
- Whether vendor and its personnel will have to be subject to background checks and, if so, the terms of those checks (e.g., how far back must they go);
- What costs, in addition to the cost of services, the client must bear (e.g., costs of hard drives and other equipment, cost of travel, taxes);
- What must be stated in invoices, how long the client has to pay undisputed amounts, and to whom they are addressed;
- What causes an agreement to be terminated, e.g., a violation of an important requirement, and the consequences of termination;
- Other standard clauses, such as those pertaining to:
  - indemnification, vendor covenants and force majeure;
  - a general vendor obligation to enforce data security;
  - the ability of vendor personnel to do their jobs;
  - the vendor's obligation to carry insurance and the minimum limits of that insurance;
  - the client's warranties that it will cooperate with the vendor and that it has the authority to present the data (to the vendor, to the court, etc.) as elsewhere described;
  - each party's representation that it has the legal power and authority to enter into and perform under the agreement;
  - each party's retention of the exclusive ownership of all right, title, and interest in and to any intellectual property created by or for such party prior to or independent of the agreement (background IP);
  - the vendor's assurance that it will not incorporate its background IP or any third party's intellectual property into any deliverable without the client's prior written approval;
  - the client's position as the sole and exclusive owner of the work product or “work made for hire”; and
  - the vendor's assignment of all right, title, and interest in the work product to the client, and its grant to the client of a perpetual, irrevocable, nonexclusive, royalty-free, fully paid, worldwide license (with the right to transfer and to sublicense through multiple tiers) under all of the vendor's intellectual property rights in any background IP used in or incorporated into any work product, to use, reproduce, prepare derivative works of, distribute, publicly perform, publicly display and otherwise use the work product without any restriction.
It should be noted that while standard master agreements treat confidentiality and the other topics addressed by GDPR-specific agreements, they usually do so by relying upon typical, noncontroversial treatments of those topics, whereas GDPR requirements usually rely upon well-accepted standards or protocols. For example, standard master agreements have for decades required that data recipients—often narrowed to vendors only—keep data “confidential” in a generalized sense; GDPR agreements, when setting forth confidentiality requirements, rely upon the GDPR and the strictly measurable concepts that make it up, such as the measurable definitions of confidentiality set forth by the International Organization for Standardization (ISO).
GDPR-Based Agreements
Unlike standard master agreements, GDPR-based agreements include sections that closely track the specific responsibilities and commands of the GDPR and make their discharge a part of the agreement. GDPR-based agreements provide innumerable examples of this strategy; here are some of the overall approaches:
- Written Requirements. While standard master agreements usually define a concept and then state how it applies, e.g., “Confidential Information is any information that the client provides to the vendor and which the vendor cannot release to any third party absent the explicit, written direction of the client,” GDPR-based agreements refer to definitions, rules and commands stated in the GDPR and note that the parties must follow them. It is quite common for GDPR-based agreements to require that vendors implement a comprehensive written information security program (“CISP”) that complies with the terms of the GDPR. It is also common for GDPR-based agreements to require subcontractors, i.e., contractors providing services to vendors, to follow the same security program or one almost identical to it but adapted to fit the particulars of the subcontractor.
- Audits. Standard master agreements generally simply set requirements, but GDPR-based agreements typically also include several means of auditing to determine whether those requirements have been and are being met. Those means typically include the following.
- Third Party Auditing. Vendors will bring in third parties to audit IT, digital security, the backgrounds of those with access to client data, and so on, so as to ensure not simply that all potential security weaknesses are audited, but that they are audited by third parties who can be objective in assessing the vendor's security steps.
- Auditing of Subcontractors. Subcontractors, as with vendors, will be audited, so that their trustworthiness does not rest simply on the unsubstantiated guarantees of vendors, the reputations of the subcontractors, or any other untestable basis.
- Audit Time Periods. GDPR-based agreements typically require that audits be conducted at least yearly, and allow them to be conducted more frequently. The temporal boundaries are set so that vendors cannot be considered “compliant” merely by agreeing to audits and then, because no temporal requirements are set, remain “compliant” even if no audit is actually conducted.
Physical Security
GDPR-based agreements usually highlight physical security, describing qualifications with great specificity. This description is, typically, very lengthy, and often combines with descriptions of other types of security, since today such types easily mix together (IT security, for example, easily mixes with physical security). Physical security requirements generally include the following.
- Confidential Information must be physically secured against unauthorized access in accordance with industry best practices and acceptable standards. The vendor must ensure that all Confidential Information displayed on any visual output device is masked or otherwise concealed to prevent unauthorized viewing by individuals passing by.
- The vendor's CISP must provide for a security access system, which may include identification badges, logging access, security personnel monitoring and camera surveillance, in alignment with industry best practices and otherwise acceptable standards. The vendor's CISP must also include standards for mitigating the impact of a fire outbreak by having appropriate fire suppression mechanisms.
- The vendor's co-located data centers must implement at least the following enhanced access control for access to computer rooms within a facility that houses hardware for information systems used by the vendor (vendor information systems, or VIS): picture identification badges of analysts; 24/7 security guards monitoring entrances to the facility where Confidential Information is accessed, stored, processed or destroyed; identity verification using government-issued IDs of outsiders entering the facility; electronic access control, using badge or access cards, to any facility where Confidential Information is accessed, stored, processed or destroyed; enhanced access control for access to computer rooms within a facility that houses VIS hardware; camera surveillance (CCTV) with active monitoring or integration into a detection system; and vendor-occupied office floors with electronic access control, applying the principle of “least privilege,” to any computer rooms within the vendor's office that house VIS hardware, meaning that vendor personnel must be assigned the lowest permission level that still allows them to complete their assigned tasks. No windows or other exterior access points may be present within such computer rooms. The vendor must have procedures in place to verify that receipt and delivery of hardware and other equipment are authorized.
In next week's column, I'll discuss some vulnerabilities, SOC audits and additional security requirements when it comes to GDPR compliance.
Leonard Deutchman is vice president, Legal for KLDiscovery. Before joining KLDiscovery, he was a chief assistant district attorney at the Philadelphia District Attorney's Office, where he founded the Cyber Crime Unit and conducted and oversaw hundreds of long-term investigations involving cybercrime, fraud, drug trafficking and other offenses.