USA Law and Practice Contributed by: Jeffrey Harvey, Randall Parks, Andrew Geyer and Cecilia Oh, Hunton Andrews Kurth LLP
Exceptions to the consequential/indirect damages waiver and damages cap are also subject to intense negotiation. Typical exceptions include indemnification claims, gross negligence and wilful misconduct, breaches of confidentiality, and breaches of other material terms of the outsourcing agreement (eg, services not to be withheld, compliance with the law, and failure to obtain required consents). Although an exception for gross negligence and wilful misconduct is sometimes subject to negotiation, many states do not allow a party to disclaim liability for such conduct as a matter of public policy. Also, owing to the enormous potential liability exposure related to data breaches involving personal information, many providers will not agree to unlimited liability for such breaches. Instead, they will propose a “super-cap” for such damages, which is usually a multiple of the general damages cap.

4.4 Implied Terms

Implied terms – such as warranties for fitness for a particular purpose, merchantability, and non-infringement – are typically disclaimed by the provider and only the express terms in the agreement apply.

4.5 Data Protection and Cybersecurity

In addition to required content that must be included in contracts pursuant to the CCPA and similar state privacy laws, businesses also are generally required to provide reasonable oversight and management of their service providers that process personal information.

Federal Level

At the federal level, under the FTC’s Safeguards Rule, financial institutions must require relevant service providers to agree contractually to maintain appropriate safeguards to protect non-public personal information.

Pursuant to HIPAA’s Privacy Rule, which governs a covered entity’s interactions with third parties (“business associates”) that handle PHI in the course of performing services for the covered entity, the business associates’ obligations with regard to PHI are dictated by contracts with covered entities, known as “business associate agreements” (BAAs). BAAs must impose certain requirements on business associates – for example, using appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by the BAA.

State Level

At the state level, certain state laws require businesses that disclose personal information to third parties to require those entities to contractually maintain reasonable security procedures. Regulations in Massachusetts, for example, require that covered businesses contract with service providers in addition to taking reasonable steps to “select and retain third-party service providers that are capable of maintaining appropriate security measures to protect... personal information”.

Additionally, under the CCPA, businesses must enter into contracts with service providers that include a number of restrictions and obligations. By way of an example, the contract must prohibit the service provider from:

• selling or sharing the personal information;
• combining the personal information that the service provider receives from (or on behalf of) the business with personal information that it receives from (or on behalf of) another person or persons – or personal information that the service provider collects from its own interaction with the consumer – except for limited permitted purposes; and
• retaining, using or disclosing the personal information either: (a) outside the direct business relationship between the service provider and the business; or (b) for any purpose other than for the business purposes specified in the contract, including retaining, using or disclosing the personal information for a commercial purpose other than as specified in the contract or as otherwise permitted by the CCPA.

The CCPA also includes requirements for contracts with “contractors” and “third parties” (each as defined in the CCPA). Also, as noted in 2.3 Restrictions on Data Processing or Data Security, other state comprehensive privacy laws require contracts between “controllers” and “processors”. Such contracts must include, among other things, obligations relating to