Assistance With Litigation
Why is this Important: These are litigious times, and a data breach or impermissible disclosure of confidential data can damage the reputation of an institution of higher education and its ability to attract donors. In the event of a breach or disclosure, a contracting third party may be hesitant to assist the institution in investigating the incident out of concern for its own potential liability. Provisions of this type help alleviate that concern and help the institution protect itself in litigation.
Appendix 1 ISO/IEC 27002:2005, Reference 6.2.3(r); (s)
Many sample contracts require the third party to assist the originating institution with litigation pertaining to the subject matter of the contract and the services provided under it.
Criticality: Category 4.
Sample RFP Language:
- Describe the procedures and methodology in place to retain, preserve, backup, delete, and search data in a manner that meets the requirements of electronic discovery rules.
Sample Contract Clauses:
- [Vendor] shall make itself and any employees, subcontractors, or agents assisting [Vendor] in the performance of its obligations under the Agreement available to Institution at no cost to Institution to testify as witnesses, or otherwise, in the event of litigation or administrative proceedings against Institution, its directors, officers, agents or employees based upon a claimed violation of laws relating to security and privacy and arising out of this Agreement.
- E-Discovery: "The obligations of this Section ___ shall not act to restrict [Vendor]'s lawful disclosure of the Institution Data pursuant to any applicable state or federal laws or by request or order of any court or government agency. Provided, however, before making such a disclosure, [Vendor] must give Institution and all affected employees prior written notice of that disclosure, which must identify: the data [Vendor] intends to disclose, the law(s), request, or order under which [Vendor] believes it is required to make such a disclosure, the persons or entities to whom [Vendor] intends to disclose such data, and the date on which [Vendor] is required to make such a disclosure."
- Note: See the E-Discovery Toolkit for additional information.
- E-Discovery: "In order to provide Institution with the ability to be compliant with e-discovery rules, [Vendor] must provide the following, where 'relevant data' might include any data stored regarding any person affiliated with Institution, access logs, activity logs, transaction logs, changes to access rights, etc., as detailed by the system architecture and practices provided by [Vendor]:
  - Up-to-date documentation of its system architecture and operating practices, especially as regards data retention, backups, and data deletion, and of other potentially relevant data, sufficient to enable Institution to accurately represent what [Vendor] can and cannot produce for discovery purposes. Institution will provide a template upon request.
  - Suspension of any routine destruction of potentially relevant data upon receiving written notice and as instructed by Institution, until such time as the suspension is released in writing by Institution. A snapshot of all available potentially relevant data (including data on prior backup media) may be acceptable provided that newly created or updated data is suitably preserved on an ongoing basis and little risk of modifying or losing data or metadata exists.
  - Preservation of potentially relevant data in its native form, including any metadata, upon receiving written notice and as instructed by Institution, until such time as the suspension is released in writing by Institution. A snapshot of all available potentially relevant data (including data on prior backup media) may be acceptable provided that newly created or updated data is suitably preserved on an ongoing basis and little risk of modifying or losing data or metadata exists.
  - Search capability to assist in identifying potentially relevant data. Searchable data will be determined by analysis of the system architecture provided by [Vendor]. Search results must be deliverable within a reasonable time period specified by written notice and instruction from Institution.
  - Production of potentially relevant data in both native and human-readable forms, including any metadata (understanding that [Vendor] stores all data in a proprietary, encrypted format), upon written notice, in accordance with the timeframe specified in the notice and as instructed by Institution. Production may be accomplished via electronic file transfer or on physical media so long as metadata is preserved.
  - Compliance with requests to testify as to the application architecture, operating practices, and procedures followed in preservation or production activities, and other questions that may arise in the course of litigation."
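The suspension, preservation, search and production obligations above are ultimately implemented by whoever runs the vendor's retention automation. The following is an added illustration, not part of the toolkit or of any vendor's code, of what an engineer has to get right: the routine purge job must consult active holds before deleting anything, held data is snapshotted with content hashes and metadata so later change or loss is detectable, and a basic search runs over both content and metadata. The `Record` and `LegalHold` layouts, the field names, and the sample records and hold notice are all constructed for the example.

```python
"""Legal-hold-aware retention purge and preservation manifest.

Added example, not part of the toolkit text. Record/hold layouts and the
sample data below are constructed for illustration only.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Record:
    record_id: str
    custodian: str            # person affiliated with the institution
    created: datetime
    content: bytes            # native-form payload, hashed exactly as stored
    metadata: dict            # e.g. source system, mtime, owner


@dataclass
class LegalHold:
    hold_id: str
    custodians: frozenset
    issued: datetime
    released: Optional[datetime] = None

    def covers(self, rec: Record) -> bool:
        # A hold stays in force until released in writing; only then may purging resume.
        return self.released is None and rec.custodian in self.custodians


def purge_expired(records, holds, retention_days, now):
    """Split records into (kept, purged). Held data is never purged, however old."""
    cutoff = now - timedelta(days=retention_days)
    kept, purged = [], []
    for rec in records:
        if rec.created > cutoff or any(h.covers(rec) for h in holds):
            kept.append(rec)
        else:
            purged.append(rec)
    return kept, purged


def preservation_manifest(records, hold):
    """Snapshot held records: SHA-256 of native content plus metadata, so that
    later modification or loss is detectable and the preservation is documented."""
    entries = [
        {
            "record_id": rec.record_id,
            "custodian": rec.custodian,
            "created": rec.created.isoformat(),
            "size": len(rec.content),
            "sha256": hashlib.sha256(rec.content).hexdigest(),
            "metadata": rec.metadata,
        }
        for rec in records
        if hold.covers(rec)
    ]
    body = json.dumps(entries, sort_keys=True).encode()
    return {
        "hold_id": hold.hold_id,
        "issued": hold.issued.isoformat(),
        "entries": entries,
        "manifest_sha256": hashlib.sha256(body).hexdigest(),  # integrity of the manifest itself
    }


def verify_manifest(records, manifest):
    """Return ids whose content no longer matches the manifest (changed or missing)."""
    by_id = {r.record_id: r for r in records}
    bad = []
    for entry in manifest["entries"]:
        rec = by_id.get(entry["record_id"])
        if rec is None or hashlib.sha256(rec.content).hexdigest() != entry["sha256"]:
            bad.append(entry["record_id"])
    return bad


def search_records(records, term):
    """Case-insensitive substring search over content and metadata values; returns ids."""
    needle = term.lower()
    hits = []
    for rec in records:
        haystack = rec.content.decode("utf-8", "replace").lower()
        haystack += " " + " ".join(str(v).lower() for v in rec.metadata.values())
        if needle in haystack:
            hits.append(rec.record_id)
    return hits


# Constructed sample data (hypothetical custodians, not from any real system).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
RECORDS = [
    Record("r1", "alice@example.edu", NOW - timedelta(days=400),
           b"grant ledger FY2023", {"source": "finance", "mtime": "2023-04-27T10:00:00Z"}),
    Record("r2", "bob@example.edu", NOW - timedelta(days=400),
           b"login from 203.0.113.5", {"source": "access_log", "mtime": "2023-04-27T11:00:00Z"}),
    Record("r3", "alice@example.edu", NOW - timedelta(days=10),
           b"role change: alice granted admin", {"source": "iam_audit", "mtime": "2024-05-22T09:00:00Z"}),
]
HOLD = LegalHold("HOLD-2024-01", frozenset({"alice@example.edu"}), NOW - timedelta(days=30))


if __name__ == "__main__":
    kept, purged = purge_expired(RECORDS, [HOLD], retention_days=365, now=NOW)
    print("purged:", [r.record_id for r in purged])  # r2 only; r1 is just as old but held
    manifest = preservation_manifest(RECORDS, HOLD)
    print(json.dumps(manifest, indent=2))
    print("search 'admin':", search_records(RECORDS, "admin"))
```

Two points the example makes that the clause leaves implicit: the hold check sits inside the purge path rather than being a separate reminder to operators, so the 365-day rule cannot delete held data by accident; and the manifest hashes content in its native form before any conversion to a human-readable export, which is what lets the institution later show that what was produced is what was preserved.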
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).