Information Security Terms in Contracts


  • There are several information security issues to consider in any cloud computing contract
  • It is important for both contracting parties to understand the scope of the data they must protect under the contract:
    • How data is defined
    • How data is used
    • How data is protected
    • How the parties meet their legal and regulatory requirements

Data Definition and Use

  • Both parties must understand the types of data they might transfer back and forth
  • The contract must:
    • Have clear terms that define the data owned by each party
    • Clearly define the data that must be protected
    • Specify how each party may use any data that the other shares with it
      • Ensure the vendor does not use the entity’s data in a way that violates the entity’s privacy policies
      • Place limits on the vendor’s own use of the data
      • Specify what the parties cannot do with certain types of data
    • Specify what happens to the data when the contract ends (for example, return of the data to its owner or verified destruction)

General Data Protection Terms

  • An entity may want to specify particular data protection terms in a contract
    • These are more specific than data use terms
    • They include terms that state the specific administrative, technical, and physical safeguards that a vendor must use
    • The goal is to guarantee a minimum level of confidentiality, integrity, and availability
  • An entity could include the following contract terms to ensure a minimum level of information security protection:
    • Data transmission and encryption requirements
    • Authentication and authorization mechanisms
    • Intrusion detection and prevention mechanisms
    • Security scan and audit requirements
    • Security training and awareness requirements
  • Published control catalogs can be used to specify appropriate controls, for example:
    • National Institute of Standards and Technology (NIST), e.g., NIST SP 800-53
    • International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), e.g., ISO/IEC 27001 and 27002
  • Sometimes laws or regulations will also impose requirements on the relationship covered by a contract
  • Massachusetts and Nevada have laws that require the personal information of state residents to be encrypted in certain instances (for example, when transmitted over public networks or stored on portable devices)
  • Terms that a contract should have to address regulatory requirements include:
    • Gramm-Leach-Bliley Act (GLBA) language if financial data is used or transmitted between the parties
    • Health Insurance Portability and Accountability Act (HIPAA) language if health information is used or transmitted between the parties
    • Family Educational Rights and Privacy Act (FERPA) of 1974 language if student information is used or transmitted between the parties
    • Language addressing notification requirements, including how quickly the vendor must notify the entity, if the vendor experiences any type of information security incident or event involving the contracting entity’s data
    • Language protecting the intellectual property rights of each party
    • Terms that require the vendor to cooperate with security incident investigations
    • Terms that require each party to assist the other with third-party litigation that arises because of the contractual relationship