Cover Data-Breach Risk in Licensing Agreements

April 25, 2016 | By: Jennifer Ver Huel and Angelique Salib

It's difficult enough to protect your data inside your own systems and processes. What about when you want to license it to a third party? In the age of the cyberattack, be sure your licensing agreements address the risk of a data breach.

Many associations license their data to third parties as a revenue source. In the past, these agreements were primarily focused on terms of use and preventing inappropriate use or appropriation by the licensee. In today's environment, licensing risk has expanded to include the very real threat of a security breach.

An organization's data is one of its most valuable assets, and data licensing or sharing agreements require additional precautions to offset security threats and protect the association in the event of a breach. Here's a quick overview of provisions to consider including in any agreement to share data with an outside party.

Provisions

Security requirements. In an ideal world, avoiding a data breach altogether is the goal. To protect their assets, associations should consider adding language to their agreements that requires the licensee (and any third parties they may involve in the use of the data) to maintain sufficient technical, physical, and administrative safeguards to prevent unauthorized access, disclosure, and use of the association's data.

Notifications. Even with good cybersecurity precautions, data breaches happen. Therefore, a licensing agreement should address the licensee's obligations to promptly notify the association when a breach occurs, to investigate and remediate it, and to communicate results. This is true even if the licensed data will not include the sensitive information that is subject to data security and breach notification laws, such as payment card numbers, Social Security numbers, state identification information, and bank account information.

Even when a breach involves less-sensitive information—such as members' names, addresses, email addresses, and telephone and fax numbers—it poses a reputational risk. In such cases, it may be prudent for an association to notify its members when a licensee has experienced a breach to reassure them that more-sensitive information has not been stolen. A prompt response can mitigate the reputational harm of the breach. It can also avoid damage to member trust, which may be difficult to repair and may lead members to opt out of your mailing list, devaluing your data asset. Including a notification provision in a licensing agreement ensures that the association receives the information it will need to inform members of a breach.

Liability limitations. When a data breach occurs, there will be costs associated with minimizing the damage. In negotiating a licensing agreement, vendors may attempt to curtail or cap their liability for such costs. Variations in a limitation of liability may include a cap based on anticipated losses or the cost of notifying members of a breach, a cap based on the relative value of the contract, or a flat dollar value no matter the losses incurred. Do not agree to a cap until all potential costs of a data breach are calculated. These include costs of notifying the individuals whose records were affected, reduction of the data's value—which may reduce future revenue streams—membership losses, and others.

Practical Steps

Take these steps when considering whether and how to license your data to a third party:

  • Involve IT security experts when developing security requirements.
  • Review audit agreements already in place, as they may need to be updated.
  • Plan for updates to accommodate the evolution of security standards and to address any newly identified threats.
  • Consider your licensee's security standards as an option. Your IT security expert can assess if they are sufficient.

When presented with a new revenue opportunity from data licensing, associations need to ensure that any agreement with a third party includes provisions for the care and security of their data asset, including their members' and customers' confidential information. Associations need to weigh the revenue opportunity against potential risks associated with licensing the data, keeping in mind the manner in which the data will be used and how it will be stored by the licensee.

Note: This article does not constitute legal advice. Always consult with your counsel in drafting and negotiating data licensing agreements.

Jennifer Ver Huel, CAE, is director, membership organizations, involvement, and reporting, at the American Medical Association in Chicago.

Angelique Salib is a legal fellow at the American Medical Association in Chicago.