We have all seen them: confidentiality provisions that require a party “to treat Confidential Information as strictly confidential and to use the same care to prevent disclosure of such information as the party uses with respect to its own most confidential or proprietary information, but in no event less than a reasonable degree of care.” Similarly, we have seen warranties that require a party to protect personally identifiable information in accordance with all applicable laws and regulations. In some cases, the warranty may also be tied to “best industry practices.” The question is whether these approaches continue to be appropriate, or whether it is time to rethink them.

I suggest that in light of the current regulatory environment, it is time to revisit these types of provisions. With regard to confidentiality obligations like the one described above, a better approach would be to ensure that the protection is, at a minimum, compliant with all applicable laws and regulations. Consider the following potential rewrite of the language quoted above: “Receiving Party shall treat Confidential Information as strictly confidential and shall use the same care to prevent disclosure of such information as it uses with respect to its own most confidential or proprietary information, which shall not be less than the standard of care imposed by state and federal laws and regulations relating to the protection of such information and, in the absence of any legally imposed standard of care, the standard shall be that of a reasonable person under the circumstances.” Note how the inserted language provides a clearer, more protective baseline for protection of the information.

Similarly, warranty provisions regarding compliance with law should be rethought to reflect the general understanding that data protection laws, PCI DSS, and other similar requirements are written and intended to set only the baseline for protections, not the ceiling.
In that vein, consider a warranty that provides a floor of compliance with applicable law, but requires the party to go beyond that floor if consistent with industry practice: “Vendor shall at all times handle, process, use, store, and destroy personally identifiable information in conformance with all applicable state and federal laws and regulations relating to such information and, to the extent it provides greater protection, best industry practices.”