Flexible Standards in Compliance and Confidentiality Provisions
We have all seen them: confidentiality provisions that require a party “to treat Confidential Information as strictly confidential and to use the same care to prevent disclosure of such information as the party uses with respect to its own most confidential or proprietary information, but in no event less than a reasonable degree of care.” Similarly, we have seen warranties that require a party to protect personally identifiable information in accordance with all applicable laws and regulations. In some cases, the warranty may also be tied to “best industry practices.”
The question is whether these approaches continue to be appropriate, or whether it is time to rethink them. I suggest that in light of the current regulatory environment, it is time to revisit these types of provisions.
With regard to confidentiality obligations like the one described above, perhaps a better approach would be to ensure the protection is, at minimum, compliant with all applicable laws and regulations. Consider the following potential rewrite of the language quoted above: “Receiving Party shall treat Confidential Information as strictly confidential and shall use the same care to prevent disclosure of such information as it uses with respect to its own most confidential or proprietary information, which shall not be less than the standard of care imposed by state and federal laws and regulations relating to the protection of such information and, in the absence of any legally imposed standard of care, the standard shall be that of a reasonable person under the circumstances.” Note how the inserted language provides a clearer, more protective baseline for protection of the information.
Similarly, warranty provisions regarding compliance with law should be rethought to reflect the general understanding that data protection laws, PCI DSS, and other similar requirements are written and intended to set only the baseline for protections, not the ceiling. In that vein, consider a warranty that provides a floor of compliance with applicable law, but requires the party to go beyond that floor if consistent with industry practice: “Vendor shall at all times handle, process, use, store, and destroy personally identifiable information in conformance with all applicable state and federal laws and regulations relating to such information and, to the extent it provides greater protection, best industry practices.”