Whether delivered as cloud services, back-office outsourcing, software (or data) “as a service” transactions, or simply as affiliated company shared-service arrangements, the IT service contracts that are used for those transactions will soon become the subject of onerous legal compliance and regulatory scrutiny.

When Bermuda’s privacy laws — the Personal Information Protection Act 2016 — are brought into full force, the provisions of PIPA concerning the domestic and overseas use of personal information will trigger an array of regulatory restrictions and requirements.

They will include security safeguard requirements, proportional standards of protection and numerous requirements concerning the provision of personal information for use by third-party service providers, domestic and overseas.

Therefore, as a matter of governance and risk management, Bermuda organisations will be forced to re-evaluate and assess all their existing and prospective IT and outsourcing service contracts from that new and onerous regulatory perspective.

PIPA is clear in its assertion that although Bermuda organisations can delegate the processing of data that contains personal information to third-party service providers, they cannot delegate to others their unmitigated and direct responsibility to fully comply with the Act’s personal information use, security and protection duties and obligations.

For example, even though the Act permits the privacy commissioner to formally recognise that the country of an overseas service provider (eg, cloud or other IT services) has privacy laws that are comparable to PIPA , such a declaration will not release a Bermuda organisation from continuing to own all the responsibility, liability and related obligations to fully comply with its Pipa obligations.

Obviously the situation that IT executives, in-house counsel and compliance managers want to avoid is having their organisation caught in the middle between its upstream PIPA regulatory requirements and any downstream IT service arrangements that will not satisfy those PIPA obligations.

In the event that an IT service provider does not perform such contractually required PIPA obligations, only the Bermuda organisation will be held financially liable to compensate injured individuals, will be answerable to the Privacy Commission, and will be exposed to reputational harm — which could be especially damaging if a breach concerns “sensitive personal information”, as defined in the Act.

Therefore, the most efficient risk-management, commercial and legal way for a Bermuda organisation to manage those regulatory obligations and potential liability is by ensuring that its PIPA obligations are stipulated as performance obligations in the relevant service contract.

By ensuring that all of its material PIPA compliance obligations are flowed down to its IT service providers in a well-drafted and robust IT service contract, IT service providers thereby become partners in assisting their Bermuda customer to comply with its legal and regulatory obligations.

Only well-drafted contractual privacy provisions that are part of the outsourced service specifications, including clear PIPA compliance covenants, representations, warranties and indemnities, can commercially and legally transfer any of the risk and liability that the Bermuda organisation may suffer for the mistakes and failures of its IT service providers — whether as an arm’s-length or an affiliated IT service provider.

A circumstance that causes a Bermuda organisation to suffer unmitigated liability, regulatory intervention and reputational loss because it failed to contractually protect itself from the failures of its IT service providers may also constitute a failure of regulatory compliance management, a failure to exercise normative risk management practices and a failure of prudent corporate governance.

Now is the time to review your IT outsourcing services arrangements in light of the pending PIPA.

Share
Twitter LinkedIn Email Save as PDF
More Publications
21 Jul 2022

Recent Case Clarifies Employer’s Responsibility For Severance Allowance

This article discusses the recent case of C12 Aviation Bermuda Limited v Dr. M. Bradshaw et al [2022...

13 Jul 2022

Novel Cat Bonds on the Horizon

On the back of a robust opening quarter, catastrophe bond issuance remained strong in the second-qua...

8 Jul 2022

Riding the wave

Members of Bermuda’s captive industry talk to Rebecca Delaney about the island’s promising capti...

7 Jul 2022

An LLC may be the right entity for you

Every day, we see clients choosing to incorporate a company limited by shares, often just referred t...

29 Jun 2022

Bermuda’s legal system

Through an elected Bar Council, the Bar Association — in conjunction with the Supreme Court Judici...

29 Jun 2022

Avoid These 3 Common NDA Drafting Mistakes

It is difficult to think of a transaction that doesn’t begin with a confidentiality or non-disclos...

28 Jun 2022

Bermuda: a restructuring destination

Bermuda has an outsized, first-class insurance and financial sector, attracting complex, multination...

Contributors: James Batten
27 Jun 2022

Insurtech ILS and the New Normal

As Bermuda and the global markets with which the Island transacts move towards the so-called  ‘ne...

Contributors: Josephine Noddings
23 Jun 2022

Digital Assets in a Crypto Winter

In 2013, IT engineer James Howells was cleaning out his house. He had two identical hard drives: one...

Contributors: James Batten
22 Jun 2022

Bloomberg Tax Country Guide: Bermuda

Bloomberg Tax Country Guides provide overviews of the tax regimes of more than 200 jurisdictions. Th...

Contributors: Ashley Bento