Data Destruction Contract Clauses Are a Hot Topic

Morgan Stanley’s recent payment of $60M to settle a civil proceeding for failing to properly dispose of customer data is a reminder of the importance of knowing applicable data disposal laws and drafting appropriate data destruction clauses in technology agreements.

Sources of Obligations

The sources of obligations to destroy or dispose of personal data are myriad. Direct and indirect federal requirements include the Gramm-Leach-Bliley (“GLB”) Interagency Guidelines Establishing Information Security Standards, the GLB Safeguards Rule, the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule, the HIPAA Security Rule, and the Fair and Accurate Credit Transactions Act Disposal Rule. Unfair and deceptive acts and practices laws, both federal and state, may also apply. In addition, at least 35 states have unique data disposal laws.

Common law negligence, invasion of privacy, and unjust enrichment are just a few other claims that may be brought against companies failing to properly destroy personal information. And, apart from these requirements, technology agreements typically include provisions requiring deletion or return of confidential information.

The data disposal requirements are not simple or easy to navigate, either. Numerous companies besides Morgan Stanley have suffered lapses, including, for example, American United Mortgage Company, Cornell Prescription Pharmacy, FileFax, CVS Pharmacy, Searchtec, Home Depot, and RadioShack.

Data Destruction Tips for Technology Customers

That said, for customers contracting for technology services or products that require the use or availability of personal data, several steps are available to reduce  data disposal risks.

  • Know what personal information destruction and disposal laws apply. Must the destruction efforts be reasonable or must the data be rendered unreadable or undecipherable? Must the data also be unusable?
  • Include agreement provisions requiring the vendor to destroy (or return) the data upon request and, in all cases, upon termination or expiration of the agreement. Add that, upon request, the vendor certify or acknowledge the destruction. Follow through on this requirement.
  • Contractually require the vendor to qualitatively destroy the information so that it is permanently irretrievable, unreadable, inaccessible, and indecipherable. Mandate that paper media be shredded, disintegrated, incinerated, pulverized, or pulped.
  • Include in the contract a right to audit the vendor’s data disposal or destruction and ensure that the vendor’s obligation to establish and implement reasonable security measures aligns with the data destruction requirements.

Data Disposal Tips for Technology Vendors

For technology vendors, which may also have legal obligations to destroy or dispose of data, contractual and operational mitigations also exist.

  • Before contracting, know the personal information destruction and disposal laws that apply. For example, is the vendor a business associate under HIPAA?
  • Proactively include language in the agreement permitting vendor destruction or disposal of the data.
  • Utilize best industry practices to destroy or erase the data – even if the technology agreement does not require it.
  • Segregate each customer’s personal data from other customers’ data, to facilitate discrete and expedient destruction or disposal.

These mitigations for technology customers and vendors are even more important, given the volume and dynamic nature of data destruction and disposal requirements and corresponding challenges for these companies.

Cyber Insurance: No Lifeline for Enterprise Technology Customers

Recent major cyber attacks have kickstarted a cyber insurance buying frenzy. However, because cyber insurance coverage is unpredictable on many levels, it is critical that technology customers take meaningful steps to address insurance risks and to contract appropriately with their technology vendors.

Cyber Insurance Challenges

Cyber insurance sounds great on paper but is difficult to implement effectively. Policies notably are not uniform or standard in providing coverage for particular occurrences, parties, or losses. Even within a particular insurance provision, contract language is unpredictable and varies widely across insurers. For example, cyber attacks initiated by state actors may or may not be covered, depending on whether the attack is considered terrorism, an act of war, or a warlike action.

Moreover, insureds and insurers routinely disagree as to the coverage and intent of cyber insurance policies. Litigation involving Mondelez, Payless Shoesource, Alorica, National Bank of Blacksburg, Sony, Target, and SS&C Technologies is just the tip of the iceberg. As for pace, let’s just say that two months ago, Home Depot filed suit against three insurers to seek to obtain coverage under its policies in connection with the massive date breach it suffered seven years ago.

Decision-Making Concerns

Of concern, then, enterprise technology customers frequently base their decision to accept cyber-related contractual indemnities and limitations of liability from their vendors based on the mere fact that the vendors – or the customers – have cyber liability insurance. The customers often accept the risks without evaluating the vendors’ purported policies and without revisiting their own coverages based on the particular technology transaction. Even obligating the vendor to implement reasonable security measures is not enough.

Contractual and Operational Mitigations

The following contractual and operational tips may help enterprise customers identify and mitigate cyber liability insurance related risks under their technology agreements.

  • Read your policies. Technology customers should carefully review and evaluate their insurance policies, including their cyber liability policy, to determine the extent of coverage for the cyber risks for the particular technology transaction and vendor. In some cases, standard business policies (such as property insurance, crime insurance, or commercial general liability coverage) may include cyberattack losses.
  • Summarize your policies for internal stakeholders. Your technology contract negotiation team will be much better able to assess applicable cyber risk for a particular technology transaction if they know the specific scope and extent of your own cyber and other insurance policies.
  • Monitor policy changes. The technology agreement should require the vendor to provide prompt notice of changes in the vendor’s insurance coverages. The agreement should establish that vendor breaches of insurance provisions specifically give rise to customer termination rights.
  • Increase insurance coverages. When the customer’s business team insists that the particular technology vendor is the best resource for the deal, but the vendor does not have adequate cyber insurance, the customer should consider obligating the vendor to procure sufficient coverage, even if only for the particular transaction. Be aware, however, that the vendor may seek to burden the customer with the cost of the additional coverage.

And, do keep in mind that businesses commonly underestimate the cyber coverage they need to mitigate cyber risks.

Is Your Technology Non-Compete Enforceable?

Frequently, software license agreements, cloud agreements, and other technology contracts include restrictive covenants or non-compete clauses that prohibit a customer from using the vendor’s technology to develop competitive or substantially similar products or services. The court in Triage Logic Management and Consulting v. Innovative Triage Services examined the issue and provided a road map for saving such provisions. Hint: Like online terms and conditions, careful contracting is critical.

Triage Logic Case

In Triage Logic, the software vendor sued the customer for contracting with a third party to develop software similar to the vendor’s licensed product. The vendor-customer agreement prohibited the customer from “develop[ing] similar software, services or product offerings substantially similar to the System” described in the agreement. The clause expressly survived the termination of the agreement.

The court concluded that the non-compete provision contradicted state antitrust law and, thus, was unenforceable, based on the particular restraint being indefinite and perpetual. Applicable state law barred the court from reforming the restrictive covenant to make it enforceable.

State Law Does Matter

Because the Triage Logic case was decided under North Carolina law, it invites comparison to other state laws. For example, under the Texas Free Enterprise and Antitrust Act of 1983, a covenant not to compete is enforceable if it is ancillary to or part of an otherwise enforceable agreement and contains reasonable and limited parameters as to time, geography, and scope. Unlike North Carolina law, the Texas statute requires courts to reform covenants that are not reasonable and limited.

A covenant not to compete is enforceable under Delaware law if it meets general contract law requirements, is reasonable in scope and duration, advances a legitimate economic interest, and balances equities. Delaware courts may, but are not required to, reform otherwise unenforceable provisions. New York law imposes a “simple rule of reason” analysis to non-compete provisions in ordinary commercial contracts (such as license agreements). New York permits blue-penciling of non-compete provisions only when the unenforceable portion of the provision is not essential, among other requirements.

Help is Available

When negotiating a non-compete clause in a technology agreement, technology vendors should consider the following drafting tips to increase the likelihood that the restrictive covenant is upheld.

  • Duration. A perpetual or otherwise excessive duration for a non-compete provision is unlikely to be enforced, whether the duration is identified in the clause, itself, or the provision expressly survives agreement termination.
  • Pencil Color. If the governing state law does not afford blue-penciling or equitable reformation, the non-compete provision may be salvageable if the contract includes a clear and permissive severability clause. Even if the governing law favors reformation, avoid a severability clause that merely instructs deletion of the offending provision.
  • Express Rescue. To seek to save a non-compete clause from unenforceability, include express fallback positions in the contract to operate if primary terms (such as those regarding duration, scope, and geography) are held invalid.
  • Purpose. A restrictive covenant stating a blanket prohibition, rather than one being specifically limited to competitive conduct, is less likely to be held enforceable.

On the other hand, customers seeking to defeat the application of a non-compete clause should do the opposite….

Browse-Wrap, Click-Wrap, and In-Between

For decades, online service providers and web and mobile site owners and operators have sought to bind their users to contractual terms and conditions by way of click-wrap, browse-wrap, and similar methods. For nearly as long, these parties have fought over the enforceability of such online contracting efforts. The path to an enforceable online contract should be clear by now, right?

You’d think so. Yet, even today, the formation of these agreements continues to be litigated.

Click-Wrap Enforceability: Winners and Losers

The keys to binding click-wrap and browse-wrap agreements include notice, clarity, and assent. Generally speaking, a “click-wrap” agreement is one where the user must expressly manifest assent, typically by affirmatively ticking an “I agree” tick-box. A “browse-wrap” agreement, on the other hand, is one purporting to bind the user merely by being posted to the site or online service the user is accessing or using.

In Dohrmann v. Intuit (9th Cir. 2020), Intuit successfully defended the enforceability of its TurboTax click-wrap terms. The terms were conspicuously hyperlinked from the TurboTax online sign-in page, which required the user to click a sign-in button to proceed to use the service. There were three hyperlinked sets of terms, each of which appeared immediately below the sign-in button and was in a different color than the surrounding text. 

In other cases decided in the past two years, some online vendors have been equally successful (see Skillz, GoSmith, and United Parcel Service), while others have not (see Huuuge and SquareTrade).

Clear Your Path to Enforceability

What can make an online agreement easier to enforce?

  • Choose click-wrap over browse-wrap, requiring the user to affirmatively tick a box to manifest assent to the terms. Require the user to scroll through the terms or visit the pages where any hyperlinked terms appear, before the user is able to manifest assent.
  • Conspicuously call out the existence and effect of the online terms. Do not require the user to scroll down the page to see the call-out. Use a font size that is no smaller than, and has a different color than, the surrounding text.
  • State the existence of any hyperlinked terms in close proximity to any “I agree” button or other tool for manifestation of user assent. Avoid hyperlinks within hyperlinked terms, and do not require the user to proceed through multiple web pages to ultimately get to the actual terms.
  • Require assent to the terms when the user is first engaged by the site or online service, rather than after the user sets up an online account or receives online services. Don’t just ask the user to read the terms – mandate that the user read them.
  • Maintain back-office technology that reliably and accurately records each user’s assent to the online terms, including the date of assent and the form of terms assented to.

Thank goodness no one said shrink-wrap terms….

Contracting Conundrum: “Reasonable Security Measures”

In technology contracts between customers and vendors, it is common to obligate one or both parties to implement “reasonable security measures” to protect applicable data and information. Typically, the obligation is a function of risk allocation or legal requirements. The recently enacted (and more recently amended) California Consumer Privacy Act’s authorization of a private right of action against businesses that fail to implement reasonable security procedures and practices highlights the issue. But, what are “reasonable security measures?” And, which contracting party decides?

The Market Speaks

Often, technology contracts merely reference, but do not explain, reasonable security measures. A contract may require a party simply to “implement reasonable security measures” to safeguard applicable information. Alternatively, a contract may obligate the party to “implement reasonable security measures as required by applicable law” or to “comply with applicable data privacy and security laws, including those regarding security measures.” Both customers and vendors can find these examples appealing.

Pushing the Envelope

Less often, but frequently when the technology transaction involves financial services companies, the contract may impose more stringent requirements based on statute or regulation. For example, the vendor may be obligated to “implement administrative, technical, and physical safeguards to insure the security and confidentiality of customer records and information, to protect against any anticipated threats or hazards to the security or integrity of such records, and to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.”

Similarly, technology contracts involving healthcare information can mirror applicable federal regulations and obligate a party to “implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the information.” For EU personal data, the Standard Contract Clauses (which will likely soon change) may be invoked.

Although usually advocated by technology customers, because these more specifically stated obligations track legal requirements, they are often acceptable to the customers’ vendors.

Breaking the Envelope

In a few cases, customers or vendors may choose to sidestep the vagueness of the above options. For example, agreements with ties to California may explicitly reference the 2016 California Data Breach Report, which specifically states that an organization’s failure to implement all twenty controls in the Center for Internet Security’s Critical Security Controls constitutes a lack of reasonable security. When payment card information is in scope, the contracting vendor may be directed to comply with the PCI Data Security Standards.

Increasingly more common, a technology customer – or vendor – may expressly set out detailed, bespoke security measures. The contractual statement of these measures can range from one, to three, to five or more pages.

Clearly, there are many ways for contracting parties to reach agreement on applicable security measures to be implemented under a technology contract. Be sure that what you sign up for works best for your company – all costs, risks, and consequences considered.

Post-COVID Help for Corporate Legal Departments

Updating in-house contract templates and negotiation playbooks is not sexy, nor is it directly related to a particular revenue-generating transaction. However, it may be an efficient way to address the increased pressure on in-house counsel to close more deals in less time – with fewer in-house resources and with smaller outside counsel budgets – brought on by COVID-19.

Your peers are already doing it.

Precarious State of In-House Transaction Support

Drafting and negotiating contracts is much more challenging since the outbreak of COVID-19. According to a recent Altman Weil survey, 44% of Legal departments plan to cut their 2021 budgets. HBR Consulting’s 2020 Law Department Survey reveals that 84% of Legal departments are experiencing increased workloads and 18% are planning layoffs.

The Legal departments surveyed did, however, identify responsive measures. HBR Consulting reported that 70% of Legal departments have adopted templates for standard contracts and that 32% of departments plan (or have begun) to implement negotiation playbooks.

Contract Templates and Negotiation Playbooks to the Rescue

Any investment in developing, or merely updating, contract templates or negotiation playbooks is likely to pay off. The following contract issues are appearing more often and in a new light. Expedite your negotiations by proactively formalizing your attack (and fallbacks).

  • Force Majeure. More frequently, force majeure clauses are no longer only two or three sentences, but are much longer. They now often additionally address notice timing, notice details, and minimum duration of non-performance for an event to qualify as force majeure.
  • Changes in Laws. Changes in laws provisions are becoming more common. Customers and vendors are reacting to the prospect of unforeseen legislative and regulatory activity and are looking to avoid having no contractual mechanism to deal with events like the passage of the future version of California’s consumer privacy law or the invalidation of the Privacy Shield.
  • Business Continuity and Disaster Recovery. Often secondary to force majeure, now more contracts are requiring ongoing and uninterrupted performance even in disaster situations. Many agreements now tie these (new) obligations to force majeure rights.
  • Remote workers. Working remotely is likely to last long beyond the pandemic. For both vendors and customers of technology, new contract terms and terminology addressing remote access and use are gaining traction as to software licensing, cloud access, and other technology user-based provisions, as well as cyber security commitments.
  • Data Security. More customer template contracts are including comprehensive data security terms. Although previously common among customers in financial services, healthcare, energy, and other regulated industries, more vendors are seeing template schedules and detailed provisions from non-regulated entities.

You don’t need to do a front 4½ pike into the deep end of the template and playbook pool to reap benefits. Wading into the shallow end will still generate meaningful returns.

Trade Secret Owners Beware (and Contract Carefully)

A recent Third Circuit court case rattled current thinking as to trade secret owners’ authority to enforce rights in their intellectual property. Fortunately, the case provided a path for trade secret owners to fully preserve their enforcement rights when making available their trade secret technology to their customers.

In short, the court held that those merely possessing a trade secret may be able to sue for misappropriation – that is, enforcement rights are not exclusive to the owner of the trade secret.

Non-Owner Possessors of Trade Secrets May Bring Suit

This case (Advanced Fluid Systems v. Huber (3rd Cir. 2020)) is an appeal of a federal district court case in which Advanced Fluid Systems (“AFS”) sued Kevin Huber and others for unauthorized use of trade secrets related to hydraulic technology. Huber took trade secret information from his employer, AFS, presented it to an AFS competitor, Livingston & Haven (“L&H”), then used the information, himself, in a new business he set up to compete against AFS and L&H. Although AFS brought the trade secret suit, AFS did not own the trade secrets in question. Instead, the trade secrets were owned by a third party that indirectly acquired them from AFS. Huber was an engineer on the AFS team that designed and developed the trade secret technology.

The Third Circuit Court upheld the lower court’s reasoning that a party asserting a misappropriation claim under Pennsylvania’s version of the Uniform Trade Secrets Act (the “UTPA”) must only show lawful possession of the trade secret, not ownership. The proprietary aspect of a trade secret arises from its secrecy, not from the underlying trade secret information, itself. Trade secret ownership is not irrelevant, but it is not the only interest subject to trade secret protection.

What Law Applies?

Texas and Delaware trade secret laws (like Pennsylvania’s, here, but unlike New York’s) are similar to the UTPA. For owners of trade secrets, if you want to limit or bar your trade secret licensee from taking legal action against third parties to enforce rights related to your owned trade secret, you should add appropriate language to your license agreement.

Blockchain: Mind Your Contract Terms

As noted in a recent BBC article, the distributed ledger technology known as blockchain has been hyped for many years as the solution to countless transaction ills. However, to date, its principal purpose has been to support cryptocurrencies. That said, there are valuable, non-cryptocurrency uses for the technology, including to manage supply chains, to track inventory, and to establish and maintain verifiable transaction records. Businesses are increasingly considering and adopting blockchain – thus requiring their legal counsel to prepare to contract for this burgeoning technology.

As more fully discussed in a previous blog post, there are several key issues to consider when contracting for blockchain technology.

  • Because many blockchain technologies are based on open source software, and users of technologies built using open source software can be subject to various restrictions and requirements, take care to identify and review all applicable open source license terms.
  • Blockchain products are still new, which means that they may not be as well-tested or debugged as mature technologies. For blockchain vendors and customers, consider appropriate contract terms addressing support, maintenance, and performance warranties for early-stage products.
  • Blockchain’s purported unparalleled ability to protect the integrity and confidentiality of data and records does not abrogate the needs to carefully examine how the technology treats data and records and to review applicable privacy and security obligations.
  • Blockchain is technology – with a unique spin. Technology contracting expertise is wholly relevant when drafting, reviewing, and negotiating blockchain technology agreements, particularly terms regarding technology rights and obligations, intellectual property, representations and warranties, indemnities, and limitations of liability.

One Technology Agreement + One Separate Non-Disclosure Agreement = One Mess

The current COVID-19/coronavirus crisis has forced many companies to buy or sell new technology under a previously unseen sense of urgency. While this speed is critical – and absolutely understandable – take care to ensure that today’s deal structure does not undo tomorrow’s benefit. This is especially true as to non-disclosure and confidentiality issues.

If your corporate contracting practice involves establishing a non-disclosure agreement (or confidentiality agreement or NDA) with a potential technology customer or supplier, and then later contracting under a different agreement for the actual business you wish to transact with the other party, now is the time to examine whether that practice is achieving its objectives. As recently learned by one technology supplier, in these cases the terms of the NDA may be rendered ineffective by the subsequent technology contract. iSentium v. Bloomberg Finance (S.D.N.Y. 2020).

iSentium, a technology vendor, entered into a pre-transaction NDA with Bloomberg, pursuant to which Bloomberg considered whether it was interested in iSentium’s artificial intelligence technology. The parties later entered into a technology contract covering Bloomberg’s purchase and use of iSentium’s technology. Both the NDA and the commercial contract included confidentiality terms. iSentium later sued Bloomberg for misappropriation of iSentium’s confidential information. The district court dismissed iSentium’s action based on a one-year limitations period stated in the commercial contract, despite that the NDA included no such limitation. In reaching its decision, the court highlighted the merger provision and precedence language in the commercial contract.

Read the Technology Agreement and Non-Disclosure Agreement

It is not uncommon for a company to have a pre-transaction non-disclosure agreement and a separate commercial agreement with a business partner. However, in many cases, the two agreements are not carefully read together and end up including inconsistencies that are not clearly addressed in the later commercial agreement. Sometimes the commercial agreement is wholly silent as to the existence of the NDA. Other times, the commercial agreement incorporates by reference the inconsistent NDA. In still other cases, like in iSentium, the commercial agreement expressly merges the inconsistent separate NDA.

Inconsistencies between the NDA and commercial agreement can reach matters such as, for example, specific confidentiality requirements, governing law, indemnification, limitations of liability, representations and warranties, disclaimers, and dispute resolution. Often, the inconsistencies may arise after having had to negotiate a suboptimal NDA, as discussed in an earlier blog post.

The inconsistencies frequently create ambiguities or vagueness that can impair or deny a party’s ability to enforce the deal or the rights it thought it had. They also can require significant expense and executive and management time to address, and they can unnecessarily occupy the energy and efforts of internal Legal resources to resolve.

Make Sure the Technology Agreement and Non-Disclosure Agreement are Consistent

There are several ways to address the problems created by inconsistencies between a separate technology agreement and non-disclosure agreement. A few include:

  • Don’t be silent. Include in the technology agreement language explicitly stating that all inconsistencies, ambiguities, and conflicts between it and the NDA will be resolved in favor of the technology agreement – whether or not the NDA is integrated into or merged with the technology agreement. Identify silence on a matter in the NDA as a conflict.
  • Set a clear path. Specifically provide in the technology agreement which confidential information is controlled by the terms and conditions of the technology agreement and call out which confidential information is governed by the NDA.
  • Terminate the NDA. Ensure that the technology agreement addresses, in all respects, the relevant confidentiality and other terms, and then include language in the technology agreement that terminates the NDA’s prospective effect.
  • Apply all terms. State in the technology agreement that its applicable terms (including, for example, limitations of liability, governing law, and dispute resolution) apply to the NDA and the exchange of confidential information under the NDA, despite anything different in the NDA.

This is not an exhaustive list of options. Which (and whether any) alternative works for you may depend on any number of factors or considerations.

Most importantly, to avoid a situation where (1) you have an NDA and a separate, later technology agreement covering the same subject matter, but (2) you might not be able to enforce the agreement you want to enforce due to conflicting or inconsistent terms, carefully read the two agreements and clearly and unequivocally state the resolution of the conflict or inconsistency in the later technology agreement.

License Restrictions: Covenants or Conditions?

The focus of the First Circuit Court’s opinion in Photographic Illustrators v. Orgill (1st Cir. 2020) was whether a sublicense may be granted by implication and whether, under the facts of the case, the sublicensor (Osram Sylvania, Inc.) actually granted an implied license to the sublicensee (Orgill, Inc.). However, the foundation of the case hinged on whether the sublicensable license granted to Sylvania by the principal licensor (Photographic Illustrators (“PIC”)) was subject to a covenant or a condition.

In the applicable license agreement, PIC expressly granted Sylvania a sublicensable license to use certain PIC photographs to market Sylvania’s lightbulbs. A separate agreement provision required Sylvania to include an attribution notice when publishing the licensed photos. Sylvania granted Orgill, one of its distributors, the right to use certain PIC photos, but Orgill did not include the requisite notice when publishing the photographs. Critically, if the notice requirement was a condition, Sylvania’s grant of the license to Orgill exceeded the scope of PIC’s license to Sylvania, and Sylvania would be exposed to copyright infringement claims for its grant to Orgill. On the other hand, if the notice requirement was a covenant, Sylvania’s grant to Orgill would be a breach of contract, instead of copyright infringement. This covenant-versus-condition issue applies beyond copyright licenses and includes software licenses, technology agreements, and countless other contracts under which use rights are granted.

Whether a contractual use limitation or requirement is a covenant or a condition is important for several reasons:

  • If the limitation or requirement is a condition applicable to rights granted in respect of copyrights, trade secrets, or other intellectual property, failing to satisfy the condition potentially gives rise to an infringement or misappropriation claim, the damages for which often exceed the damages available for breach of a contract covenant.
  • If the limitation or requirement is a condition, the contract’s termination provisions may not provide an express right to cure the failure, thus likely giving the licensor greater termination rights than if the limitation or requirement is a contract covenant.
  • Contractual limitations of licensee liability frequently exclude licensee violations of the license grant, more so than licensee breaches of contract covenants.
  • Especially when the licensed material includes third-party intellectual property, licensors often require licensees to contractually indemnify the licensors for violations of the license grant. Less frequently do licensors extend these indemnification obligations to breaches of contract covenants.

Whether you are a licensor or licensee under a particular contract, be sure to consider if license conditions, or covenants, are in your best interest.