Presentation Slides

Terms of Service and Privacy Issues
July 27, 2016
Jeffrey Batt
Vice President
Marsh & McLennan Companies
202-263-7880
[email protected]
Alan Fishel
Partner
Arent Fox, LLP
202-857-6450
[email protected]
Nicholas Lawson
Associate
Arent Fox, LLP
202-350-3706
[email protected]
Disclaimer
No entities or persons, including the drafters of this
PowerPoint and the presenters of the webinar, may
be held responsible for the use which may be made
of the information contained in this PowerPoint and
presented during the webinar.
Nothing in this PowerPoint or presented during the
webinar is meant to constitute legal or insurance
advice.
Terms of Service – Separate Enterprise
Agreement
•  Liability under multiple agreements
•  Liability for multiple parties
•  Conflicting obligations
•  Additional obligations
•  Misleading statements (e.g., "this TOS represents all of the terms that govern the parties' relationship")
Terms of Service – Are Unilateral
Modifications Permitted?
If so, what are the
•  Notice requirements relating to such modifications
•  Limits on such modifications (both with respect to
types of modifications permitted and harm that
could otherwise occur to customers)
•  Rights of the customer where such modifications
occur
Terms of Service – TOS that Include Links
•  Not always clear what is even incorporated
•  Links add additional rights and obligations
•  Links can change
•  Links can include links
•  What are the rights of the customer where modifications occur within links
Terms of Service – Issues Related to Third
Parties
•  TOS often include customer obligations to third parties (both affiliates and non-affiliates of providers), which can greatly increase customer risk
•  TOS often limit provider obligations with respect to third-party content or technology, which can undermine protections customers thought they otherwise had (also, rights customers thought they had can disappear)
•  Definitions are critical here
•  Sometimes the TOS is not even from the same party with whom a customer is entering into its enterprise customer agreement
Terms of Service – Provider Use of
Contractor/Agents
•  Obligations of Contractor/Agents
•  Whether actions of Contractors/Agents are
attributable to Provider
Terms of Service – Limits on Customer’s
Permitted Use
•  Who (which users and entities are permitted to use the service)
•  How much (seat, volume or usage limits)
•  What (permitted purposes and workloads)
•  There is often a lack of clarity here
Terms of Service – Customer
Responsibility for Accounts
•  Payments
•  Liabilities
•  Exceptions rarely stated, but should be (e.g., use resulting from a compromise on the Provider's side rather than the Customer's)
•  What are the issues with the following typical language:
"You are responsible for any use that occurs under your Login Credentials, including any activities by you or your employees, contractors or agents"
Terms of Service – At Least Partially
Misplaced Customer Responsibilities
•  Some TOS inexplicably seek to require that
customers be responsible for what the
provider is supposed to provide
•  Many TOS have ambiguous sentences that
could lead to unduly broad interpretations of
customers’ responsibilities
Terms of Service – At Least Partially
Misplaced Customer Responsibilities,
cont’d
•  Examples of the issue raised in the second
bullet point on the prior page:
•  “You are solely responsible for Your
Content”
•  “You are responsible for ensuring full
compliance with any laws or regulations
that apply to Your Content”
Terms of Service – Requirements /
Restrictions
•  TOS may have Customer requirements that can
lead to termination where they should only give
rise to exclusions from provider responsibility
•  Many customers believe TOS restrictions on use
are often overbroad. For example, a TOS may
state that you shall not use the Services in a
manner that “a reasonable person may think is
unlawful or constitutes a tort”
Terms of Service – Requirements /
Restrictions, cont’d
•  TOS restrictions for which Customer is rightly
responsible should often make it clear that
Customer is only responsible as between
Customer and Provider
•  Example of such a clause that should be clarified:
“You are solely responsible for any software,
product or service that a third party licenses, sells
or makes available to you that you install or use
with the Service Offering”
Terms of Service – Requirements /
Restrictions, cont’d
•  TOS often include many provisions for which
customers have no right to cure (such as violations
of any “restrictions” in the TOS), but these clauses
are often more aggressive than they need to be
•  TOS frequently include IP and feedback issues
that place customers in a difficult position
Terms of Service – Suspension /
Termination
•  Providers need to make sure they have enough flexibility, particularly with respect to suspensions, to keep their services running smoothly
•  Customers, on the other hand, want to restrict suspensions, particularly those without advance notice and opportunity to cure, to a very limited group of circumstances
•  Customers also want to make sure that providers do not have a right to terminate where all they truly need is a right to suspend
Terms of Service – Limitation of Liability (LOL) and
Indemnification
•  Limitation of liability and indemnification issues have been covered in great detail in many of our other presentations, but one interesting issue in TOS in particular with respect to LOL is that many of these provisions are so one-sided that they will not be enforceable in some courts
GDPR
•  Background on the General Data Protection
Regulation (GDPR)
•  EU views on privacy – fundamental human right
GDPR cont’d
KEY TAKEAWAYS: increases individual privacy, greater regulatory powers
1.  IMPLEMENTATION – a regulation, directly applicable in all Member States (from 25 May 2018) without national implementing legislation
2.  SCOPE – applies to companies established in the EU AND non-EU companies that offer goods/services to EU data subjects or monitor their behavior
3.  CONSENT REQUIREMENTS – must be freely given, specific, informed and unambiguous, and can be withdrawn at any time
4.  ROBUST COMPLIANCE OBLIGATIONS – self-assess for high-risk processing; if so, conduct data protection impact assessments, mitigate risk, and (where required) appoint a data protection officer
5.  MANDATORY BREACH NOTIFICATION – notify the competent supervisory authority within 72 hours of becoming aware of a breach (and affected data subjects without undue delay where the breach poses a high risk to them)
6.  SANCTIONS – up to €20 million or 4% of worldwide annual turnover, whichever is greater
GDPR cont’d
RISK IMPACT:
•  Who will be affected
•  How should businesses prepare
   –  "Privacy by design", more oversight, strong emphasis on managing external relationships
INSURANCE CONSIDERATIONS:
•  Do existing cyber policies provide coverage?
•  Increased risk for carriers, but also some potential benefits
GDPR cont’d
IS BREXIT A GAME-CHANGER FOR UK ADHERENCE?
PROBABLY NOT . . .
•  Once the UK officially leaves the EU,
they will (in all likelihood) continue to
abide by GDPR
•  Geopolitical, legal, and economic
reasons why the UK will remain
aligned:
–  Continued customer access
–  Emphasis on stability and
minimizing uncertainty
–  Policymakers will be driving this
process, who were overwhelmingly
in favor of “Remain”
GDPR cont’d
Takeaways
•  Companies need to start preparing for GDPR now
•  Incorporate GDPR into your cyber/privacy risk
conversations and planning, as appropriate
Privacy Shield – Background
•  Companies that transfer EU individuals’ personal
information from the EU to the US must have a
legal mechanism in place for doing so
•  The Privacy Shield is one of these legal
mechanisms
•  It is the replacement for the US-EU Safe Harbor framework, which was invalidated by the EU's highest court, the Court of Justice of the European Union, in October 2015 (the Schrems decision)
Privacy Shield – 7 Requirements
•  The Privacy Shield has seven primary requirements,
which are similar to those of the now-defunct Safe
Harbor
1. Notice
2. Choice
3. Accountability for Onward Transfer
4. Security
5. Data Integrity/Purpose Limitation
6. Access
7. Recourse, Enforcement And Liability
Privacy Shield – Should You Use It?
•  Whether a company should choose to join the Privacy Shield or comply with the GDPR using Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) would depend heavily on the facts and circumstances relevant to its specific situation, including its operational competencies, the maturity of its privacy/security program, and its level of risk tolerance
•  The adequacy of the Standard Contractual Clauses has been challenged in the Irish High Court. This case will shortly be transferred to the ECJ. Though the ECJ is unlikely to rule on the case in the near term, the proceedings raise doubts about the legitimacy of data transfers using the SCCs.
•  BCRs may likewise become subject to a similar challenge
Privacy Shield – Should You Use It? cont’d
•  If a company decides to join the Shield within two months from its effective date of July 12, 2016, it will have 9 months from the day it joins to renegotiate contracts with existing third parties who handle EU personal data on its behalf, and add the necessary language required by the Shield. All other requirements will apply from the date the company joins the Shield.
•  If a company joins more than two months after the effective date, it will not receive the 9-month grace period with respect to third-party contracts referenced above
Privacy Shield – Joining
•  Joining the Privacy Shield is similar to the process
for joining the now-defunct safe harbor
1.  Eligibility
2.  Privacy Statement
3.  Independent Recourse Mechanism
4.  Verification Mechanism
5.  Designated Contact
Privacy Policies – General Concerns
•  Definition of Data and Personal Data
•  Definition of Data Breach
•  Customers need to be careful about inadvertent
transfers of ownership with respect to their data
Privacy Policies – General Concerns cont’d
•  Customers should be on the lookout for obligations or restrictions that they are not anticipating in privacy policies, or that may be overly broad, such as the following:
   •  "You will ensure compliance with all applicable privacy and data protection laws with respect to Your Content"
   •  "You will ensure that you have obtained (or will obtain) all consents and rights necessary for us to process Content in accordance with this Privacy Policy"
   •  "You will not upload any data which is regulated by the US Health Insurance Portability and Accountability Act into the Service Offering"
Privacy Policies – General Concerns cont’d
•  Customers need to be concerned about what data
is collected
•  Use and disclosure rights and obligations for
customer data should ordinarily be treated
separately in privacy policies; otherwise use rights
arguably can be used to give providers the right to
disclose customer data to third parties in ways
customers are not intending to permit
Privacy Policies – The Three W's
•  What rights and obligations does a provider have in connection with customer data
•  Who has access to customer data
•  Where will the facilities receiving, storing, and transmitting customer data be located
Privacy Policies – The Three W’s – What
•  Where appropriate, Customers will want a requirement that the Provider encrypt Customer data, and for the Provider to have limited rights to decrypt
•  In addition to generally requiring a Provider to follow applicable law, Customers may want to reference specific applicable laws (e.g., HIPAA)
•  Providers, however, need to be cautious about agreeing to comply with specific laws that govern the use of certain data
Privacy Policies – The Three W’s – What
cont’d
•  Customers generally want to greatly restrict a
Provider’s use of customer data
•  Customers often want to restrict such uses to
something like the following: “Provider may use
customer data for the sole purpose of providing
the services to Customer”
Privacy Policies – The Three W’s – What
cont’d
•  Providers generally want their use rights to be far broader, such that they may also include, among other things,
   –  Preventing fraud
   –  Protecting Provider's rights and the rights of others
   –  Protecting the network
   –  Marketing
   –  Improving Provider's products
   –  For Provider's own legitimate business purposes
   –  As permitted by law
Privacy Policies – The Three W’s – What
cont’d
•  Providers often try to obtain maximum flexibility by using words like "generally," "ordinarily," "usually," "primarily," and "typically" to describe their use rights with respect to customer data
•  Also, Providers often seek the right to use de-identified data for any purpose, which raises issues about, among other things, whether the data is truly de-identified, and how easily the data could be re-identified (e.g., by combining remaining indirect identifiers with other data sets)
Privacy Policies – The Three W’s – What
cont’d
•  With respect to purportedly de-identified data,
Customers will want assurances that all direct and
indirect personal identifiers are removed such as
name, ID numbers, date of birth, and so on
•  Customers may require that Providers agree not to
attempt to re-identify the data, and not let their
contractor/agents do it either
•  Providers, however, should be careful with respect
to what they agree to in connection with their
contractor/agents given their existing agreements
Privacy Policies – The Three W’s – What
cont’d
•  Let's discuss concerns with this provision, which seeks to address what happens to customer content at the end of the term of the Agreement:
"If you do not delete Your Content before your Agreement expires, we will retain Your Content for a period of 90 days following the effective date of that expiration. During this 90-day period, you will not have access to our Service Offering but, on written request, we can either provide you with reasonable assistance to retrieve a copy of Your Content or delete Your Content for you. We may delete Your Content at any time after this 90-day period."
Privacy Policies – The Three W’s – Who
•  Customers often want, among other things,
   •  The right to access their own data in Provider's system
   •  Limits on the Provider employees who may access the data
   •  Obligations regarding training and background checks for Provider personnel with access to the data
   •  Prohibition on the Provider's disclosure of data to any third parties other than its contractors/agents for whom it is responsible, or in response to a legal request upon 30 days' advance notice to Customer
   •  Advance notice of who will receive access to the data
Privacy Policies – The Three W’s – Who
•  In addition to their contractors/agents, Providers often want to be able to disclose customer data to
   •  Affiliates
   •  Business partners
   •  Any entity to which Customer requests or otherwise approves Provider's release of customer data
   •  In connection with transfers of control
   •  If otherwise permitted under the Privacy Policy
   •  To the extent permitted by law
•  Customers should be concerned not only with respect to who receives their data, but also with respect to who is responsible for a failure to secure that data
Privacy Policies – The Three W’s – Where
•  Customers often include geographical requirements for where data must be stored (e.g., in data centers only in the United States unless Customer otherwise consents)
•  Providers, on the other hand, often want to be able to store customer data in "any lawful location"
•  Some providers also include language such as the following: "To the extent you provide Your Content in connection with customer support, you acknowledge and agree that we may handle Your Content in any country in which we or our subcontractors maintain facilities"
Privacy Policies – Additional Concerns
•  From the Provider's perspective there are a number of important considerations when drafting a Privacy Policy. Some of these include the following:
   •  Ensuring you adequately explain how you use and share the data you collect, and ensuring such description is accurate
   •  Making sure your Privacy Policy is easily accessible (if it's not, it may not be enforceable)
   •  Ensuring that you are complying with the numerous laws which may be applicable (e.g., COPPA if your website is directed to children under 13 or knowingly collects their personal information; CalOPPA if you operate a commercial website used or visited by a consumer residing in California; the CAN-SPAM Act for commercial email)
Data Security
•  Some general requirements Customers require from Providers to secure customer data may include
   •  Requiring that Provider use at least commercially reasonable practices (or, where negotiated, industry best practices) when storing and processing Customer data
   •  Requiring that Provider secure Customer data against unauthorized access
   •  Requiring that Provider undertake data security audits and share the results (e.g., a SOC 2 report, an ISO 27001 audit/certification)
Data Security
•  Requiring that the measures that Provider takes
are at least as protective as Provider uses to
secure its own data of a similar type
Data Breaches
•  When a data breach occurs, most Customers want Providers to, among other things,
   –  Timely notify Customer
   –  Promptly investigate and provide Customer with detailed information regarding the breach
   –  Promptly take all actions necessary to mitigate the effects and, if possible, remedy the breach
Managing Cyber Risk
WHY CORPORATE COUNSEL NEEDS TO BE
INVOLVED
•  Just like senior financial management,
it is essential for corporate counsel to
partake in cyber risk discussions and
related decision-making
•  Counsel is ideally situated to
understand risk scope and related
preparedness/mitigation measures
•  Overview of counsel’s key function at
each stage of the cyber resiliency
process
Managing Cyber Risk cont’d
Roadmap to Cyber Resilience
1.  Risk identification and assessment (strategic): identify, understand, assess, and manage cyber risks at board level
2.  Cyber resilience: prepare for attacks and plan for breaches (operational/tactical): protect operations and assets and plan for potential breaches
3.  Design risk transfer and financing (insurance + $$$ outlay): address financial loss / earnings disruption in a cost-effective manner
Managing Cyber Risk cont’d
OTHER CONSIDERATIONS
•  Contracts and Third-Party Vendors
•  Preliminary Cyber Insurance Discussions
–  Tech E&O
–  Security Liability
–  Privacy Liability
   –  Regulatory Action
•  Real-life examples of corporate counsel leading the cyber risk conversation
If you have any questions, please contact the presenters (contact information is listed at the top of this presentation).
Thank you for attending another presentation from
ACC’s Webcasts
Please be sure to complete the evaluation form for this program as
your comments and ideas are helpful in planning future programs.
If you have questions about this or future webcasts, please contact
ACC at [email protected]
This and other ACC webcasts have been recorded and are available,
for one year after the presentation date, as archived webcasts at
http://www.acc.com/webcasts