Whether delivered as cloud services, back-office outsourcing, software (or data) “as a service” transactions, or simply as affiliated company shared-service arrangements, the IT service contracts that are used for those transactions will soon become the subject of onerous legal compliance and regulatory scrutiny.
When Bermuda’s privacy laws — the Personal Information Protection Act 2016 — are brought into full force, the provisions of PIPA concerning the domestic and overseas use of personal information will trigger an array of regulatory restrictions and requirements.
They will include security safeguard requirements, proportional standards of protection and numerous requirements concerning the provision of personal information for use by third-party service providers, domestic and overseas.
Therefore, as a matter of governance and risk management, Bermuda organisations will be forced to re-evaluate and assess all their existing and prospective IT and outsourcing service contracts from that new and onerous regulatory perspective.
PIPA is clear in its assertion that although Bermuda organisations can delegate the processing of data that contains personal information to third-party service providers, they cannot delegate to others their unmitigated and direct responsibility to fully comply with the Act’s personal information use, security and protection duties and obligations.
For example, even though the Act permits the privacy commissioner to formally recognise that the country of an overseas service provider (eg, cloud or other IT services) has privacy laws that are comparable to PIPA , such a declaration will not release a Bermuda organisation from continuing to own all the responsibility, liability and related obligations to fully comply with its Pipa obligations.
Obviously the situation that IT executives, in-house counsel and compliance managers want to avoid is having their organisation caught in the middle between its upstream PIPA regulatory requirements and any downstream IT service arrangements that will not satisfy those PIPA obligations.
In the event that an IT service provider does not perform such contractually required PIPA obligations, only the Bermuda organisation will be held financially liable to compensate injured individuals, will be answerable to the Privacy Commission, and will be exposed to reputational harm — which could be especially damaging if a breach concerns “sensitive personal information”, as defined in the Act.
Therefore, the most efficient risk-management, commercial and legal way for a Bermuda organisation to manage those regulatory obligations and potential liability is by ensuring that its PIPA obligations are stipulated as performance obligations in the relevant service contract.
By ensuring that all of its material PIPA compliance obligations are flowed down to its IT service providers in a well-drafted and robust IT service contract, IT service providers thereby become partners in assisting their Bermuda customer to comply with its legal and regulatory obligations.
Only well-drafted contractual privacy provisions that are part of the outsourced service specifications, including clear PIPA compliance covenants, representations, warranties and indemnities, can commercially and legally transfer any of the risk and liability that the Bermuda organisation may suffer for the mistakes and failures of its IT service providers — whether as an arm’s-length or an affiliated IT service provider.
A circumstance that causes a Bermuda organisation to suffer unmitigated liability, regulatory intervention and reputational loss because it failed to contractually protect itself from the failures of its IT service providers may also constitute a failure of regulatory compliance management, a failure to exercise normative risk management practices and a failure of prudent corporate governance.
Now is the time to review your IT outsourcing services arrangements in light of the pending PIPA.
For further information, please contact:
Duncan Card, Partner, Appleby