Cyberspace, Cybersecurity and Information Technology Contracting in Canada: Developing Effective IT Service Agreements

Oct. 14, 2015, 6:29 PM UTC

As organizations shift their business models to take advantage of technology advances such as mobile computing and cloud storage, they expose themselves to the growing specter of cyberattacks. The risks are high: business disruption, destruction and theft of data, including personal and confidential information, theft of money, and damage to reputation, trust and goodwill. The legal repercussions can include regulatory action and fines, and shareholder and class action lawsuits.1 To make matters worse, cyberattacks are proliferating, and it appears that no organization is invulnerable.2

The situation is exacerbated by the growing spotlight on the issue, with increases in press attention, regulatory scrutiny, shareholder activism, and litigation (including class actions).3 Because an increasing amount of personal information is being stored online, the Office of the Privacy Commissioner of Canada (OPCC) has stated that privacy protection increasingly relies on effective cybersecurity implementation.4 Failure to effectively secure cyberspace could result in an aggregate financial impact of approximately $3 trillion by 2020.5

Because much of the information generated and stored in cyberspace is kept under the control of third-party providers, the strength of the information technology (IT) service agreements between the client and third-party IT service providers or vendors (collectively, IT Service Providers) often hired by the client to manage the client’s electronic data is a key element of addressing cybersecurity, especially those provisions geared towards prevention, response, mitigation, and remediation.

However, all stakeholders must realize that legal departments cannot, and should not, draft IT service agreements in a vacuum. A fulsome contract that addresses the prospect of cyber-attack involves the participation of stakeholders across an organization, including legal, IT, risk management, human resources, audit, public relations and communications.

Although the legal department is one of many contributors to the contract, it is more than just another brick in the (fire)wall. It is the mortar that holds many bricks together. The role of the commercial IT lawyer is to pull the various bricks together and form them into a contiguous whole using the IT services agreement.

This Special Report explains the fundamentals of developing an effective IT services agreement, which legal departments can accomplish by understanding their client’s unique cyber-risk profile, helping their client perform due diligence on the IT Service Provider, and using contractual provisions in a thoughtful, effective manner.

Understanding the Client’s Cyber-Risk Profile

The first part of building an effective IT services agreement is understanding the client’s cyber-risks. This requires taking into account the client’s industry, what data the client will be collecting and for what purpose, and how that data will be collected, processed, and stored. The client’s cyber-risks can be fully understood only if the nature of the client’s company and the intended application of its IT solution are properly addressed.

Nature of the Client’s Company

The nature of the client’s company will drive much of the process involved in addressing its IT issues. If the client’s business is in an industry with a regulatory framework that dictates certain cyber-protection measures, the IT service agreement will have to comply with the existing and emerging regulations of the relevant oversight bodies. A client that is a publicly traded company is in the same boat. For example, if a client is in the financial services industry in Canada, the legal department must consider the directives of the Office of the Superintendent of Financial Institutions, the Investment Industry Regulatory Organization of Canada, and the Canadian Securities Administrators. If that same client is publicly traded, the legal department must also consider the application of the rules of the exchange (or exchanges) under which that client’s shares are traded, and the rules of the relevant provincial securities commission.

Further, if the client operates in multiple jurisdictions, each jurisdiction’s mandates must be met. Grasping the extent of those mandates may be made even more difficult, depending on the extent of the client’s operations in each jurisdiction. For example, if the client collects data in one jurisdiction, processes it in a second, and stores it in a third, the legal department will be obliged to examine the privacy and cybersecurity legislative schemes in each, and the interaction between the provisions of all three.

Nature of the Client’s IT Needs

Factors that should be addressed regarding the client’s IT needs include whether the IT solution being created is meant to operate between businesses, or between businesses and customers; whether the client will be handling personal information, such as personal health information, that might bring existing and evolving privacy protection laws into play; and whether the IT solution will involve third-party components such as hosting or payment providers.

Getting to Know the IT Service Provider

Doing proper due diligence on the IT Service Provider offering the solution under the IT services agreement is an essential part of getting a “best of breed” contract in place. The structure and components of the IT Service Provider’s solution, and the IT Service Provider’s capabilities and certifications, risk management practices, and financial wherewithal, are all elements that should be explored.

Thorough due diligence of an IT Service Provider will involve more than the legal department. Again, stakeholders such as IT, human resources, corporate risk management, and audit need to do their part by asking the right questions regarding the IT Service Provider.

The legal department can help drive this combined effort by ensuring that it understands several key elements of the IT Service Provider’s operation. Having the IT Service Provider complete a questionnaire describing its privacy and security measures may be helpful toward this end.

In particular, the legal department should know the state of the IT Service Provider’s security framework, and the policies and procedures it has in place to maintain the integrity of that framework, beginning with line items as straightforward as whether the IT Service Provider performs background checks on its employees, and including a determination of whether the IT Service Provider will permit penetration testing and other exploration of vulnerabilities.

The legal department should confirm the location of the IT Service Provider’s facilities, including those used to process and store data, and confirm that all facilities are audited for industry-recognized internal controls, such as Canadian Standards on Assurance Engagements (“CSAE”) and Statement on Standards for Attestation Engagement (SSAE). As a part of this confirmation, the legal department should check that the IT Service Provider performs internal audits and is willing to share the results with the client, and that the IT Service Provider has disclosed to the client any claims made against its cyber-risk insurance in the last five years.

The legal department should also be aware of the true allocation of risk under the IT services agreement in terms of representations and warranties, indemnities, and liability. For example, the type, terms and limits of the cyber-risk insurance held by the IT Service Provider can vary significantly. If they are inadequate, risk-allocation arrangements such as available damages may be less favourable than initially thought.

In selecting an IT Service Provider, here are some questions that might be asked related to data privacy and protection:

  • Under what circumstances can the IT Service Provider use the client’s data? Ensure that it is only for the purposes for which the client’s organization has obtained consent.

  • Is data to be held “in trust” for the client customer? A customer’s data should remain its data.

  • In what circumstances is the IT Service Provider permitted to disclose information without the client’s consent? It should be only in very limited, specified circumstances.

  • What happens if the IT Service Provider discloses information without client consent? Does the client have a remedy? Consider including a liquidated damages provision for any disclosure without consent — it is often difficult to quantify the harm resulting from the disclosure of information.

  • Is the IT Service Provider under a requirement to resist, to the extent lawful, an order to disclose information without client consent?

  • Is the IT Service Provider under an obligation to cooperate with the client in any regulators’ investigations (e.g., privacy commissioner, financial oversight body) and to not deal with any regulators in relation to client information without the client’s participation?

  • What security safeguards does the IT Service Provider have in place? Which standards does the provider meet? How often is it audited and by whom?

  • Are the confidentiality, security and privacy undertakings in the IT services agreement acceptable? Those should be excluded from the general limit of liability (for direct and indirect damages) or, if not completely excluded, breaches of those provisions should at least attract a higher liability limit from the IT Service Provider.

  • Does the IT Service Provider apply different restrictions, with corresponding safeguards, to different classifications of data?

  • Where is client data going to reside? This is particularly important to understand if the client’s business is in a regulated industry or the client is a public entity.

  • What happens to client data on termination? What are the IT Service Provider’s obligations when the IT service agreement terminates? When the data is deleted, is it really gone? What is the transition-out process? Is the migration path workable, should the client decide to change IT Service Providers?

  • If the client’s business receives a withdrawal of consent, how will the IT Service Provider deal with that?

  • Will the client be able to provide a customer with access to its data on request?

Cybersecurity and IT Service Providers

It is as important for a business to ensure that its third-party IT Service Providers create and abide by sufficient security controls as it is for a business to create and abide by its own security controls. Data breach reporting obligations are the responsibility of both the third party and the company that provided the information: A breach by either is the company’s breach.

In Canada, the OPCC sets out the concept of “a comparable level of protection” in Schedule 1 of the primary federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA):

An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.6

In the OPCC’s “Privacy Toolkit”, the following steps are recommended when transferring information to third parties:

  • name a person to handle all privacy aspects of the contract;

  • limit use of the personal information to the purposes specified to fulfil the contract;

  • limit disclosure of the information to what is authorized by your organization or required by law;

  • refer any people looking for access to their personal information to your organization;

  • return or dispose of the transferred information upon completion of the contract;

  • use appropriate security measures to protect the personal information; and

  • allow your organization to audit the third party’s compliance with the contract as necessary.7

Additional security provisions should include:

  • validation and auditing of employee access to information classified as sensitive or critical;

  • background checks on the IT Service Provider’s personnel who will, or are reasonably anticipated to, have access (including remote access) to any client property, the client IT environment or to any premises, hardware, software or systems; and

  • an obligation for the IT Service Provider to logically segregate the client’s electronic data from any information of the IT Service Provider and its other customers.

It is important to note that the matters set out in this section are best practices for all organizations. However, in the case of third-party IT Service Providers, these measures should form part of the contract in order to ensure the “comparable level of protection” required by the OPCC.

The IT service agreement’s governance framework must contain a very clear accountability framework for the management and escalation of data integrity and security concerns and incidents. Building in preventative and anticipatory response mechanisms is paramount.

Effective Use of Contractual Provisions

Having established the client’s cyber-risk profile and completed thorough due diligence on the IT Service Provider, the legal department should be in a position to tailor data breach prevention, response, mitigation, and remedy provisions to best prepare the IT services agreement. Most of the provisions discussed below will be familiar to legal counsel. However, they will need to be selected and woven together to achieve the greatest effect.

Provisions in contracts with third-party IT Service Providers should address the following issues:

Data Stewardship

Contractual provisions must ensure that the third party’s role as a data steward is clear. It is best practice to include a provision to the effect that the third party is taking on responsibility for the appropriate management and protection of the information at issue.8

Data Minimization

The IT service agreement should contain fulsome records management provisions in respect of retaining, storing, and disposing of particular records. An organization collecting unnecessary or extraneous information is equally responsible for safeguarding that data. Organizational policies and third-party contracts should both recognize that information that does not provide the organization with an advantage should be disposed of: If the information is not in the client’s or the IT Service Provider’s possession, the client cannot be held responsible for its loss in the event of a breach.9

Data Retention and Destruction

Data retention policies are an important aspect of the above-noted principle of data minimization. The legal department should ensure that there is a policy in place dictating the length of time information must be maintained, and that provides for its disposal. Many data breaches are caused by organizations’ failure to adequately erase data; even severe physical damage to hard drives can be insufficient to erase data.10 Organizations should employ proper data-wiping software to ensure information has in fact been erased. Contracts with third-party IT Service Providers should specify whether data will be disposed of at the end of the contractual term, whether data is to be transferred back to the organization, and the method by which data is to be transferred or destroyed.11

Data Classification

Data classification is a simple way to ensure adequate preparation for a data breach. If data is properly classified, the organization will quickly know the extent and the severity of a breach, which informs the required response, in terms of actions to be taken and the timeline in which these actions must be taken.

There can be substantial variance in data classification strategies due to the wide variety of data that organizations generate and retain.12 Generally, companies should classify certain types of data, including account data, personal data, or commercially valuable data. Ideally, an organization should have a classification system in place such that, in the event of a breach, the organization knows whether a swift and severe response is required (for example, where credit card or social insurance numbers have been accessed), or where the required response is much less drastic (for example, where names and phone numbers have been accessed). Organizations should also know the location of data, as this impacts its vulnerability. “Data in motion”, such as data communicated over networks, or on laptops, phones, or other devices, faces an extremely high risk of loss or theft.13

Outsourcing Provisions

The IT service agreement should be very strict on the IT Service Provider’s ability to outsource services — inclusion of a clause may be necessary to ensure that any parties in possession of data have a “comparable level of protection” as required by PIPEDA.14 Any such outsourcing agreement should be in writing and contain provisions that enable the IT Service Provider to comply with the obligations set out in the agreement, including those relating to confidentiality, privacy, security, background checks, ownership, use and license of intellectual property and data, and auditing.

The IT Service Provider should covenant to comply with applicable data security-related policies and standard operational procedures driven by client policies. In this context, these include policies that address information system security, facility security, including off-site facilities used via cloud storage devices or similar, business continuity planning and disaster recovery, and appropriate use and access controls, including a device management plan to deal with the higher risk “data in motion”, such as laptops, smartphones, and iPads.15

Ownership Provisions

Ownership provisions must reserve to the client all rights in, and to, the client’s confidential information, the client’s data (in particular, data provided by the client, or collected or generated by the IT Service Provider as part of the provision or receipt of the services, or in order to comply with any applicable law), the client’s technical information, records, and all components of the client’s environment and systems.

Monitoring

It may be worth specifying the process by which, and the extent to which, the third-party IT Service Provider will be monitored. Best practice for the contracting organization is to confirm that the third party’s security protocols are actually being followed and thus that the information is not at risk.

Validation and Auditing of Employee Data Access

It is important to validate and audit employee access to information classified as sensitive or critical, and to ensure that the technology used, such as cloud storage services, conforms to the organization’s data governance policy. The organization’s data governance policy should include appropriate use and access controls, including a device management plan to deal with the higher-risk “data in motion”.

Personal and Confidential Information

In the process of establishing optimal cybersecurity, it is vital to keep in mind the underlying purpose and principles at play. As the OPCC has stated, the methods used to ensure cybersecurity should never be so extreme, regardless of their efficacy, that they violate the privacy rights and interests of the people whose data is being protected.16

Although privacy obligations are, to an extent, mandated by legislation, the IT service agreement can and should impose comparatively greater obligations, and should be quite prescriptive. Personal information should be included in the definition of (and the obligations surrounding) confidential information, but the agreement should go further to address access and disclosure requests, jurisdictional restrictions on the movement and storage of personal data, and security and protection against anticipated threats, loss, theft, unauthorized access, disclosure, copying, use, modification, disposal, and destruction.

Confidentiality obligations under the IT service agreement need to be fulsome, and should, among other things, include the ability to disclose such information to regulators, an obligation that IT Service Provider personnel with access to such information be trained in handling and protection processes, and a requirement that destruction methods for such information be secure and reliable, including shredding, burning or electronic erasure.

Breach Notification

Loss of data suffered by the third party is loss of data suffered by the contracting organization. This means the contracting organization is responsible for complying with legislative mandatory breach notification provisions even if it is the IT Service Provider that suffers the breach.

Organizations should ensure that their IT Service Providers use reasonable safeguards to protect personal information from security breaches. Safeguards should be appropriate to the sensitivity of the information. In the unfortunate event that a breach does occur, it is important to ensure the IT Service Provider will cooperate with your organization to satisfy any regulatory requirements, such as any breach notification requirements. Thus, it is prudent to include provisions addressing notification in the event of a breach when negotiating an IT service agreement with a cloud provider.

In Canada, at present only Alberta’s and Manitoba’s privacy laws require mandatory breach notification in the private (non-health) sector. With the passing of the Digital Privacy Act17 into law on June 18, 2015, the federal private sector privacy legislation, PIPEDA, was amended to require mandatory breach reporting to both the Privacy Commissioner and the affected individuals. However, the mandatory breach notification provisions set out under the Digital Privacy Act are not yet in force.

Under Alberta’s Personal Information Protection Act18 (“PIPA”), organizations are required to notify the Alberta Privacy Commissioner whenever there exists a real risk of significant harm to an individual as a result of a breach. By contrast, under Manitoba’s Personal Information Protection and Identity Theft Prevention Act19 (“PIPITPA”), organizations are obligated to notify the individual directly if personal information is lost, accessed or disclosed without authorization. This differs from the mandatory privacy-breach notification required under PIPA, where organizations are required to first notify the province’s Privacy Commissioner, and not the individual.

In addition, the Digital Privacy Act amended PIPEDA to require organizations to report security breaches involving personal information under their control which “creates a real risk of significant harm to an individual”.

Contracts with third-party IT Service Providers should clearly set out their responsibility to notify the contracting organization in the event of a breach, to ensure that all parties are in compliance with applicable privacy legislation.

The IT services agreement should also have a prescriptive provision detailing what is to happen in the event of any actual or suspected security breach or any critical industry threat that has strong potential to result in a security breach. The IT service agreement should include express, positive obligations on the IT Service Provider to promptly provide the client with incident notifications — including for data security breaches and privacy breaches.

In addition to breach notification provisions, it would be prudent for organizations to consider indemnity and limited liability clauses to reduce the risks associated with security breaches, as discussed in more detail below.

Risk Allocation

Risk allocation provisions are an important aspect of an IT services agreement. The interplay of representations, warranties, indemnities and liability is hotly contested in the area of cybersecurity because the jurisprudence is emerging, and because the consequences can impact all aspects of the business, and lead to regulatory fines and penalties, class actions and shareholder actions.

The IT service agreement should contain a provision limiting the liability of the client in the event of a breach suffered by the third-party IT Service Provider and identifying the extent of any indemnity the client intends to offer the IT Service Provider. The IT service agreement should also require that the IT Service Provider carry appropriate cyber-insurance, including privacy liability coverage and cyber-liability coverage, which will include coverage for losses due to failure of network security, failure to safeguard against a breach caused by hacking or viruses, unauthorized release of or failure to protect personal information, theft of hardware on which data is stored (including first-party losses related to the costs of crisis management, data restoration or recovery, credit monitoring, loss of revenue and extra expense business interruption stemming from an event, and for regulatory fines and penalties and third-party losses related to claims made by affected third parties).

The damage caused when a breach occurs, while evident, can in some cases be amorphous and hard to quantify (such as damage to reputation and goodwill), leading to potential difficulties regarding direct versus indirect damages and what is reasonable in a commercial agreement.

There is no “market standard” that has been established to help the parties to an IT services agreement guide their negotiation of risk allocation. However, one possible approach might be to create a defined set of damages that would be available in the event of a breach of privacy, rather than using the general categories of direct/indirect. These may be uncapped, or subject to a “super-cap” — that is, a multiple of the general liability cap under the IT service agreement.

Examples of such defined available damages are:

  • the reasonable cost of providing required notice of the security breach to individuals affected by the unauthorized acquisition and/or misuse of personal information;

  • the reasonable cost (including legal fees) of providing required notice to government agencies, credit bureaus, and/or other required entities;

  • the cost of providing individuals affected by the unauthorized acquisition and/or misuse of personal information with credit protection services designed to prevent fraud associated with identity theft crimes for a specific period not to exceed 12 months, to the extent the misuse or disclosure of the affected individual’s personal data could lead to a compromise of the data subject’s credit or credit standing;

  • reasonable call center support for affected individuals for a specific period not to exceed 30 days;

  • reasonable fees associated with computer forensics work required for security incident investigations; and

  • non-appealable fines or penalties assessed by governments or regulators for the IT Service Provider’s failure to comply with its defined privacy and/or security obligations and directly attributable to the service provider’s unauthorized disclosure or misuse.

Audit

The audit provisions in the IT services agreement should address the retention, access to, return and destruction of a defined scope of audit information. Audits should be permitted to be undertaken by the client, its representatives, and by governmental/regulatory overseers of the client’s industry. The IT Service Provider itself ought to be obliged to carry out (and share the results of) internal, annual audits of information security and controls. In many cases, the IT Service Provider’s service delivery centers will also be subject to internal control audits by a third-party accounting firm — such as SSAE 16 Type II audits — including Service Organization Control (SOC) 2 reports, which focus on a business’s non-financial reporting controls, as they relate to security, availability, processing integrity, confidentiality, and privacy of a system.

Conclusion

As the contents of cyberspace fill with more, and more valuable, information, and the malicious parties who may profit from its theft grow more sophisticated, companies can expect that the risk and cost involved with protecting the personal information that they use, process, and store will grow significantly. The cost of a breach may be exorbitant, and potentially fatal.

In such an environment, it is all the more vital for companies to identify and work with competent IT Service Providers of data solutions, and use best practices when negotiating the terms of the IT services agreement.

This Special Report should aid that process through its explanation of the fundamentals of developing an effective IT services agreement via understanding of a client’s unique cyber-risk profile, due diligence of the IT Service Providers selected by the client, and using contractual provisions in a thoughtful, effective manner.

Roland Hung is an associate at McCarthy Tétrault LLP, Calgary. He may be contacted at rhung@mccarthy.ca. The author wishes to acknowledge the contributions to this Special Report of Clarke Ries, a former Articling Student at McCarthy Tétrault LLP, Calgary.
