Whether delivered as cloud services, back-office outsourcing, software (or data) “as a service” transactions, or simply as affiliated company shared-service arrangements, the IT service contracts that are used for those transactions will soon become the subject of onerous legal compliance and regulatory scrutiny.

When Bermuda’s privacy laws — the Personal Information Protection Act 2016 — are brought into full force, the provisions of PIPA concerning the domestic and overseas use of personal information will trigger an array of regulatory restrictions and requirements.

They will include security safeguard requirements, proportional standards of protection and numerous requirements concerning the provision of personal information for use by third-party service providers, domestic and overseas.

Therefore, as a matter of governance and risk management, Bermuda organisations will be forced to re-evaluate and assess all their existing and prospective IT and outsourcing service contracts from that new and onerous regulatory perspective.

PIPA is clear in its assertion that although Bermuda organisations can delegate the processing of data that contains personal information to third-party service providers, they cannot delegate to others their unmitigated and direct responsibility to fully comply with the Act’s personal information use, security and protection duties and obligations.

For example, even though the Act permits the privacy commissioner to formally recognise that the country of an overseas service provider (eg, cloud or other IT services) has privacy laws that are comparable to PIPA , such a declaration will not release a Bermuda organisation from continuing to own all the responsibility, liability and related obligations to fully comply with its Pipa obligations.

Obviously the situation that IT executives, in-house counsel and compliance managers want to avoid is having their organisation caught in the middle between its upstream PIPA regulatory requirements and any downstream IT service arrangements that will not satisfy those PIPA obligations.

In the event that an IT service provider does not perform such contractually required PIPA obligations, only the Bermuda organisation will be held financially liable to compensate injured individuals, will be answerable to the Privacy Commission, and will be exposed to reputational harm — which could be especially damaging if a breach concerns “sensitive personal information”, as defined in the Act.

Therefore, the most efficient risk-management, commercial and legal way for a Bermuda organisation to manage those regulatory obligations and potential liability is by ensuring that its PIPA obligations are stipulated as performance obligations in the relevant service contract.

By ensuring that all of its material PIPA compliance obligations are flowed down to its IT service providers in a well-drafted and robust IT service contract, IT service providers thereby become partners in assisting their Bermuda customer to comply with its legal and regulatory obligations.

Only well-drafted contractual privacy provisions that are part of the outsourced service specifications, including clear PIPA compliance covenants, representations, warranties and indemnities, can commercially and legally transfer any of the risk and liability that the Bermuda organisation may suffer for the mistakes and failures of its IT service providers — whether as an arm’s-length or an affiliated IT service provider.

A circumstance that causes a Bermuda organisation to suffer unmitigated liability, regulatory intervention and reputational loss because it failed to contractually protect itself from the failures of its IT service providers may also constitute a failure of regulatory compliance management, a failure to exercise normative risk management practices and a failure of prudent corporate governance.

Now is the time to review your IT outsourcing services arrangements in light of the pending PIPA.

Share
Twitter LinkedIn Email Save as PDF
More Publications
5 Dec 2022

Business Crime and Investigations in Bermuda: Overview

A Q&A guide to business crime and investigations in Bermuda.

24 Nov 2022

Information Technology, Outsourcing, Privacy & Data Protection

All aspects of Bermuda's economy rely on information technology and data processing - an essential i...

Contributors: Duncan Card
22 Nov 2022

A Look Back on 2022 and What to Expect for 2023

As we approach the end of 2022, we are able to look back and say with certainty that the arena of la...

14 Nov 2022

When will the court enforce a promise?

As we all know, promises are made and broken all the time. What, if anything, can the law do to assi...

4 Nov 2022

Legally speaking: what not to do when outsourcing operations

In the course of my career, I have drafted, negotiated or otherwise provided commercial and legal ad...

1 Nov 2022

The Insolvency Review – Edition 10

The Insolvency Review offers an in-depth review of the most consequential features of the insolvenc...

25 Oct 2022

Bermuda: Mergers & Acquisitions Comparative Guide 2022

This country-specific Q&A provides an overview to Mergers & Acquisitions laws and regulati...

Contributors: Katie Blundy
24 Oct 2022

Directors’ duties on the eve of insolvency

It is common knowledge that directors of companies owe a duty to the company to act in its best inte...

Contributors: James Batten
13 Oct 2022

Employee probation periods: an update

The Employment Act 2000 is the island’s key piece of employment legislation, applicable to employe...

Contributors: Kiara Wilkinson
6 Oct 2022

Centre Stage: Bermuda’s Role In An Insurtech Revolution

Bermuda is rapidly becoming a focus for insurtechs seeking the island’s expertise, the accessibili...