GCWest reviews and drafts thousands of contracts every year. A growing area of focus is on protecting one of our clients’ most valuable assets and sources of potential liability – their data. What starts as a simple contract review often evolves into an intense negotiation over data use.
We have repeatedly observed our clients’ dismay upon realizing their vendors intend to gain access to and utilize their data for purposes far beyond the scope of the services provided. The data, in fact, can often be more valuable than the fees being paid for the underlying service.
While a coveted asset, data is also a potential liability. With cybersecurity breaches on the rise, patients rely on health care providers to protect and secure their data. “Healthcare data breach costs increased from an average total cost of $7.13 million in 2020 to $9.23 million in 2021, a 29.5% increase,” according to the annual Cost of a Data Breach Report produced by Ponemon Institute and IBM Security. “For 11 consecutive years, healthcare had the highest industry cost of a breach.” Steadfast data protection is therefore paramount.
Data mongers attempt to gain access to and exploit data through two key tactics: (1) using hidden provisions and broad language, vendors attempt to gain access to use and sell valuable data; and (2) vendors assume the right to de-identify and use aggregated data without restriction, which is permitted by HIPAA but is not a right you must grant your vendors.
Be Intentional: Data use should be a privilege, not a right. We advise our clients to develop a firm position on limiting permitted data uses by their vendors. For example, we strongly encourage our clients to permit vendors to de-identify data only if required to perform the services purchased. Limit vendors’ rights to avoid broader use with no benefit to you.
Require Cyber Insurance: Costs of data breaches are on the rise. Vendors must carry cyber insurance commensurate with the amount of data accessed and assume unlimited liability to cover the cost of a breach. According to the Ponemon Institute and IBM Security Data Breach Report, the cost of a mega data breach (between 1 million and 10 million records) can swell into the tens of millions of dollars (with the average cost of a mega breach at $50 million).
Vet Vendors with Robust Security Assessment: We also strongly recommend our clients require each vendor to undergo a robust security assessment to validate that it has a mature data security program in place.
Narrowly Craft Language to Protect Your Rights: Language must be narrow and precise – leaving no doubt that data is off limits or restricted to specific uses. Without strong protocols in place, vendors proceed as if they have an unfettered right to de-identify and use aggregated data.
GCW has expertise in fighting for our clients to best protect them and their data without losing sight of their business needs, but negotiating solid contracts upfront is only half the battle. It takes a vigilant and concerted effort by everyone within your organization to protect one of your most valuable assets. Awareness and effective advocacy are key to handling this emerging and complex issue.