USA Law and Practice Contributed by: Jeffrey Harvey, Randall Parks, Andrew Geyer and Cecilia Oh, Hunton Andrews Kurth LLP
Another example at the federal level is a Department of Justice (DOJ) rule finalised in 2025 that imposes certain prohibitions and restrictions on access to certain data by “countries of concern” or “covered persons”. The rule is aimed at restricting access to “U.S. sensitive personal data” and “government-related data” to protect against risk to US national security.

State Requirements

In addition to federal requirements, a number of states have enacted laws requiring organisations that maintain personal information about state residents to adhere to general information security requirements. California’s information security law requires businesses that own or license personal information about California residents to implement and maintain reasonable security procedures and practices to protect the information from unauthorised access, destruction, use, modification or disclosure. Additionally, information security laws in Massachusetts and Nevada impose more prescriptive requirements on organisations with regard to the processing of personal information.

All 50 states, plus DC, Guam, Puerto Rico and the Virgin Islands, have adopted legislation requiring notice to data subjects of certain security breaches involving personally identifiable information. Companies that have outsourced data-processing tasks to vendors remain responsible for security breaches by those vendors. As a result, outsourcing contracts usually address these issues in some detail, including extensive security requirements, reporting and audit obligations, incident notification and response obligations, and carefully constructed limitations of liability and indemnities. Customers seek to allocate these risks to providers, arguing that – as the providers manage and secure the IT and other infrastructure that is involved in the incident – risk and liability should sit with the provider.
Providers attempt to avoid liability for security breaches not caused by their breach of contract and to strictly limit their financial liability for those resulting from their fault. As providers have insisted on limiting their liability, many customers have sought their own insurance coverage for these risks.
The California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020, requires covered businesses to provide a number of rights to California consumers, including with regard to accessing, deleting, correcting and opting out of the sale of personal information or sharing personal information for purposes of cross-context behavioural advertising. As discussed in 4.5 Data Protection and Cybersecurity, the CCPA also includes requirements for different types of contracting parties, including “service providers” and “contractors”.

In addition, a number of other states have enacted comprehensive data privacy laws that provide rights to residents of their respective states, including as to access, deletion, correction, and opting out of the sale of personal information and targeted advertising. These laws require contracts between “controllers” and “processors”, which must include certain provisions. Under these laws, a controller is the party that determines the purpose and means of processing the personal information, whereas a processor is the party that processes the personal information on behalf of the controller. Notably, many of these laws also include requirements when sharing de-identified data.

Companies in the USA also self-impose limits on the collection, use and sharing of personal information through representations made in privacy policies. Companies are held accountable to these representations through state and federal consumer protection laws.
3. Model Outsourcing Contracts

3.1 Standard Contract Model
Typically, outsourcing agreements take the form of a master agreement and accompanying statements of work – all of which are heavily negotiated. The master agreement provides an overall structure that should include provisions that are sufficiently detailed to cover a range of services, from long-term IT outsourcing services to one-off consulting projects. It usually includes a basic service-level methodology, security
96 CHAMBERS.COM