Breach Notification Clause

Written by: Patrick Shaunessy

19 minute read

What is a breach notification clause?

When a business (a controller) enters into a contract with another (a vendor) to obtain products or services, it may need to share certain data pertaining to its customers, employees, contractors, etc. (each a data subject) with the vendor for the purposes of that contract.¹ Often, this data includes information of a personal or sensitive nature, and applicable data protection laws² may impose certain obligations on these businesses with respect thereto. To comply with these data protection laws, vendors and controllers generally need to add specific terms to their contracts regarding the protection of data subjects’ data. This includes terms like the breach notification clause, which addresses notification requirements in circumstances where a data subjects’ data is (or is at risk of being) compromised. This clause helps ensure that vendors notify controllers of such circumstances in a timely manner so that appropriate action can be taken.

As the examples below illustrate, breach notification clauses are found in a variety of contracts. They are perhaps most common, however, in contracts that by their nature involve the collection, processing, use, and/or storage of data, such as data processing agreements, SaaS agreements, and business associate agreements as well as any schedules, addendums or policies relating to data protection that may supplement these agreements.


¹ In this article, the terms “controller”, “vendor” and “data subject” are used to differentiate among the following: (i) businesses that have the authority to direct how and when data in their possession may be used by others, including third parties (controllers); (ii) third party businesses that provide products or services to businesses described in (i) (vendors); and (iii) individuals (natural persons) that provide data to (or whose data is collected by) businesses described in (i) (data subjects). Certain data protection laws also contain similar defined terms - for example, GDPR uses “data controller”, “data processor” and “data subject”, respectively. While these legal terms may overlap with the terms “controller”, “vendor” and “data subject” as used in this article, they are not necessarily an exact match. For example, a “vendor” for the purposes of this article could also be a “data controller” (or its equivalent) under applicable law.

² In this article, the term “data protection law” means any law, regulation, etc. pertaining to privacy and/or data security.

Why does the breach notification clause matter?

As technology has developed in recent years to allow more data to be available or accessible either online or in digital form, privacy and data security have become increasingly important, and governments all over the world - including those at the state, provincial and local level - have enacted comprehensive legislation to address these matters. Some well-known examples include the European Union’s General Data Protection Regulation (GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the United States’ Health Insurance Portability and Accountability Act (HIPAA), and the California Consumer Privacy Act (CCPA).

While these laws may have similar objectives and some may even apply to similar kinds of data, they all have different requirements for effecting compliance. Fulfilling these compliance obligations can, therefore, be both expensive and time-consuming for many businesses - especially given that privacy and data security are areas of law that are constantly evolving. Many of these laws require controllers to notify the relevant authorities and/or certain data subjects in the event of a data breach, including any breach that involves a vendor with whom they do business. As noted above, controllers and their vendors may be required by law to include breach notification clauses in their contracts. The challenge some of these businesses face is that they may have hundreds or even thousands of contracts with these clauses in them, which adds to the complexity of the compliance framework. When the unexpected happens and data subjects’ data is (or is at risk of being) compromised, businesses that are unprepared may find themselves scrambling to figure out what they need to do to prevent adverse legal, financial and even reputational consequences. To avoid being caught off guard, these businesses would be well advised to review their contracts proactively for data protection clauses, including breach notification clauses, to familiarize themselves with their terms and ensure ongoing compliance with applicable law.

How do you review the breach notification clause in contracts?

After locating all the breach notification language in each agreement, key things to focus on when reviewing these provisions include:

  1. What data the clause applies to. As the examples below illustrate, breach notification clauses often include a defined term such as “Personal Data”, “Customer Data”, or “Confidential Information”, in which case it will be necessary to review the definition of any such term(s) to ascertain the full scope of the data to which the provision applies. Sometimes, however, the clause may refer to “personal data”, “personal information”, etc. without defining the precise meaning of those terms (see, for instance, example 12 below). Some of these terms are defined under various data protection laws - e.g., “personal data” (GDPR) and “personal information” (CCPA and PIPEDA). And while these terms may seem similar, they are generally not interchangeable. Accordingly, when encountering one of these undefined terms in a breach notification clause - or even a defined term in the clause that contains a legislative reference (e.g., “Personal Data” may reference the definition of that term under GDPR) - be sure to check any applicable data protection laws to confirm how those statutes or regulations define them and, by extension, how they should be interpreted for the purposes of that clause. In addition, pay particular attention to any undefined terms in breach notification clauses that do not have corresponding definitions in applicable data protection laws (see, for instance, “data” in example 2 below), as the ambiguity this introduces could have problematic consequences - especially if it gives the vendor sufficient interpretive latitude to exclude certain types of data from the scope of this provision.
  2. What triggers the obligation to notify. The breach notification clause is, of course, designed to require notice when an actual breach occurs. But, in some cases, even an attempted or suspected breach may trigger it (see, for instance, examples 3, 7, 8 and 11 below). Moreover, the “breach” does not necessarily have to involve illegal access to and/or use of data by unauthorized persons. A given clause may also require notification when this data is (i) disclosed accidentally, (ii) damaged or destroyed, or (iii) even altered or used in a manner not specifically contemplated by the contract. In addition, as example 3 below illustrates, incidents like disciplinary action taken against employees or sanctions brought against agents, subcontractors and other third parties who had access to data subjects’ data may trigger a notification requirement. When evaluating these triggering events, be sure to confirm that they are consistent with the requirements of applicable law. Note, as well, any specific references to data protection laws that inform the interpretation of the clause. Example 5 below, for instance, requires Company to report to Reseller any Breach of Unsecured Protected Health Information in accordance with HIPAA regulation 164.410 and also defines “Breach” with reference to HIPAA regulation 164.402; and example 7 below cites infringements of European Data Protection Laws (i.e., GDPR, etc.) relating to Customer’s Personal Data as one of the triggering events.
  3. Timing of the notification. As the examples below illustrate, the obligation to notify almost always arises when the vendor becomes “aware” of the breach. The clause will also often employ words such as “promptly” or “immediately” to emphasize the timeliness with which notice should be provided. Even still, these are not precise terms and they leave room for interpretation, meaning controllers may not find out about incidents where data has been (or is at risk of being) compromised as quickly as they would want. More precise terms, such as those in examples 8 and 13 below, which provide a specific time period within which notice must be given, may be preferable to controllers.
  4. Any further details or information to be provided with the notice. Some breach notification clauses will specify additional information that the vendor must provide to the controller along with the breach notice. Example 5 below, for instance, states that Company, when reporting a breach, shall provide the Reseller with all information required by HIPAA regulation 164.410(c). Example 10 below similarly provides that Vendor shall summarize in reasonable detail the impact of the Personal Data Security Breach on Lessee’s Personal Data. The obligation to provide this information may be prescribed by law, and it is important to ensure that any such terms in the breach notification clause are consistent with these legal requirements.

As with the review of any contractual provision, it’s also important to be aware of other provisions that may affect the interpretation of breach notification clauses. Defined terms, for example, were mentioned in point 1 above. The notice section details how and to whom notice needs to be given for it to be effective for the purposes of the agreement, which a vendor would want to check before sending a breach notification. The breach response clause (of which the breach notification clause may be a part) sets out additional obligations that the vendor may have in the event of a data breach, including providing support to the controller, investigating the breach, and ensuring appropriate measures are taken to contain and resolve it. The indemnification and limitation of liability clauses may contain important details about the vendor’s liability exposure in the event of a data breach. Finally, although they are not contractual terms, the provisions of applicable data protection laws can help parties interpret these clauses and evaluate the rights, duties and restrictions they establish. Note that the governing law section, which establishes which jurisdiction’s laws apply to an agreement, will generally be insufficient for the purposes of determining what data protection laws apply to both the contract and each party. Vendors and controllers need to consider all the facts and circumstances of their contractual relationship as well as their respective business operations more generally to ascertain all applicable data protection laws.

Software that uses AI to identify and extract breach notification clauses (as well as other terms that may affect their interpretation) can accelerate the work of finding these provisions and enable a more comprehensive review than can otherwise be done manually.

Examples of the breach notification clause

Below are some examples of breach notification clauses from different kinds of agreements. While these examples do not necessarily cover the full range of breach notification clauses one may encounter, they are meant to illustrate the degree to which these provisions can vary from contract to contract. Where an example includes broader contextual language, the breach notification clause is highlighted in bold.

Example 1: From a Data Processing Agreement

5.2 The Processor shall notify the Company immediately if it becomes aware of: (a) any unauthorised or unlawful processing, loss of, damage to or destruction of the Personal Data;

Example 2: From a Data Processing Agreement

10 To be disclosed Breaches. PROCESSOR will inform the CUSTOMER of any serious disruption to the operational process (including when such are impending), insofar as they affect the order, as well as of a suspicion of a breach of data protection, of investigations by the supervisory authorities, of established breaches of this agreement, or in respect of any other serious irregularities, insofar as the data of the order are affected in each case.

Example 3: From a Global Master Services Agreement

12.4 (b) Whether or not resulting from an audit and subject to any reasonable restriction placed on Service Provider by any law enforcement agency in the process of conducting an investigation, Service Provider will notify Customer promptly if Service Provider becomes aware of any security and/or privacy threat that specifically affects Customer Data, Customer’s clients, or the Customer environment at Service Provider. Security releases, updates and patches of Service Provider Software shall not be considered responses to security threats “specific to” Customer….

16.2 (b) Without limiting the generality of Section 16.2(a) :

(i) Service Provider Personnel shall not attempt to access, or allow access to, any Customer Data that they are not permitted to access under this Agreement. If such access is attained (or is reasonably suspected), Service Provider shall immediately report such incident to Customer, describe in detail the accessed Customer Data, and if applicable return to Customer any copied or removed Customer Data….

16.2 (I) Notify Customer within *** of the termination of any Service Provider Personnel or its Affiliates employee, agent, subcontractor or other authorized third party who had access to a Customer network account. Service Provider explicitly acknowledges that this notice is necessary to enable the Customer Service Desk to terminate all account- and system-level access (application, e-mail, network and remote) upon resource termination. Subject to the confidentiality provisions of Section 16.4 ( Confidentiality ), Service Provider also agrees to provide Customer advance notice (as soon as reasonably practicable) of (i) any material disciplinary action to be taken against any of its employees ( i.e. , an involuntary termination) who have Customer network accounts, or (ii) any material sanction to be taken against any of its agents, subcontractors or other authorized third parties who have Customer network accounts, each as and when relevant, including within the context of a breach of an applicable security policy that has, or is reasonably likely to have, a material, adverse impact on Customer.

Example 4: From a Supply Agreement

5.2. The Supplier shall notify the Customer immediately if it becomes aware of any unauthorised or unlawful processing, loss of, damage to or destruction of the Personal Data;

Example 5: From a Reseller Agreement

Exhibit E

Business Associate Addendum…

4. Breach Notification.

(i) Company shall report to Reseller any Use or Disclosure of PHI not provided for in this Addendum of which Company becomes aware, including any Breach of Unsecured Protected Health Information in accordance with 45 CFR § 164.410. In addition, Company shall provide to the Reseller all information required by 45 CFR § 164.410(c) to the extent known and provide any additional available information reasonably requested by a Qualified Customer for purposes of investigating the Breach. For purposes of this Addendum, “Breach” means the acquisition, access, Use or Disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI as defined, and subject to the exclusions set forth, in 45 CFR § 164.402.

(ii) Company shall be required to report to Reseller, without unreasonable delay, only successful Security Incidents pertaining to the PHI of which Company becomes aware. The Parties agree that throughout the term of the applicable Order Form, Company will make information regarding unsuccessful Security Incident attempts available to active Qualified Customers’ Users with appropriate administrative rights via the “Login History” feature.

Example 6: From a Development and Supply Agreement

Section 10.01. CONFIDENTIALITY. During the Term and for a period of [**] years thereafter, each Party shall maintain all Confidential Information of the other Party as confidential and shall not disclose any such Confidential Information to any Third Party or use any such Confidential Information for any purpose, except (a) as expressly authorized by this Agreement, (b) as required by law, rule, regulation or court order (provided that the disclosing Party shall first notify the other Party and shall use commercially reasonable efforts to obtain confidential treatment of any such information required to be disclosed), or (c) to its Affiliates and its employees, agents, consultants and other representatives (“Representatives”) to accomplish the purposes of this Agreement, so long as such persons are under an obligation of confidentiality no less stringent than as set forth herein. Each Party may use such Confidential Information only to the extent required to accomplish the purposes of this Agreement. Each Party shall use at least the same standard of care as it uses to protect its own Confidential Information to ensure that it and its Affiliates and Representatives do not disclose or make any unauthorized use of the other Party’s Confidential Information. Each Party shall be responsible for any breach of this Agreement by its Representatives. Each Party shall promptly notify the other Party upon discovery of any unauthorized use or disclosure of the other Party’s Confidential Information.

Example 7: From a Data Processing Agreement

1.9 Company shall promptly inform Customer about any of the following: (i) infringements of European Data Protection Laws that relate to Personal Data submitted into the Services by Customer that may come to its attention; (ii) actual or reasonably suspected unauthorized access to or disclosure of Personal Data submitted into the Services by Customer of which Company becomes aware; or (iii) material violations of the provisions of this Agreement by Company or Sub-Processors, as defined below.

Example 8: From a Master Services Agreement

7.12 Unauthorized Use. Each Party will notify the other Party promptly of any actual or attempted use or possession of any Confidential Information or developed intellectual property by any unauthorized person or entity which may become known to it and will cooperate with the other Party in any investigation or action against any such persons or entities…

SCHEDULE J – INFORMATION SECURITY REQUIREMENTS…

4.8 Notice of Unauthorized Access and/or Processing of Customer Personal Data

In the event Service Provider has actual knowledge of or reason to believe that there has been a security breach of the systems and/or media containing Customer Personal Data or systems used to provide the Services and/or any unauthorized Processing of, access to and/or loss of Customer Personal Data, or the media containing such Customer Personal Data, (“Security Breach”), Service Provider shall promptly, but within no more than 72 hours, notify Customer of such and shall use commercially reasonable efforts necessary including those as may be required by law, to contain such Security Breach and to prevent any further Security Breaches. Service Provider shall require its Third Party Vendors and Subcontractors to comply with this clause.

Example 9: From a Service Agreement

  1. Data Breach. We shall notify you if we become aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data arising from any act or omission by Us or Our sub-processors.

Example 10: From a Software License Agreement

1.7 Personal Data Security Breach shall mean (i) the loss or misuse (by any means) of any Licensee Personal Data; (ii) the inadvertent, unauthorized and/or unlawful processing, destruction, disclosure, corruption, modification, sale or rental of any Licensee Personal Data; or (iii) any other act or omission that compromises the security, confidentiality, or integrity of Licensee Personal Data…

2.8 Security : Vendor agrees and warrants that it shall:…

(b) promptly provide Licensee with written notice any Personal Data Security Breach affecting Licensee Personal Data processed by Vendor. Such notice shall summarize in reasonable detail the impact of such Personal Data Security Breach;

Example 11: From a Payment Services Agreement

3.10 Company shall promptly inform Merchant as soon as it becomes aware of serious disruptions of the processing operations, reasonable suspected or actual data protection violations or any security breach in connection with the processing of Customer Personal Data which, in each case, may significantly harm the interest of the Data Subjects concerned.

Example 12: From a SaaS Agreement

10.15. The Licensor will notify the Licensee without delay by email after it has become aware of a personal data breach. The Licensor will cooperate reasonably with the Licensee regarding such personal data breach. The Licensee will keep any such received information confidential, unless disclosure of such is obligatory under any applicable legislation.

Example 13: From a Data Processing Agreement

9.5 The Data Processor shall notify the Data Controller immediately (in any event within 24 hours) of any untoward incidents or activities that suggest non-compliance with any of the terms of this Agreement. This includes “near miss” events even if no actual damage to or loss or inappropriate disclosure of Data results.

Example 14: From a Manufacturing Agreement

29.0 Equitable Relief. Each party acknowledges and agrees that due to the unique nature of the Confidential Information, there can be no adequate remedy at law for any breach of the obligations hereunder and that such breach may allow Manufacturer or third Parties to unfairly compete with Customer resulting in irreparable harm to Customer. Therefore, upon any such breach or threat of breach, Customer shall be entitled to appropriate equitable relief in addition to whatever remedies it has at law. Manufacturer agrees to notify Customer in writing immediately upon learning of any unauthorized release or breach of its obligation of nondisclosure hereunder.

Example 15: From a Distribution Agreement

(d) The Receiving Party shall advise its employees, agents, contractors, subcontractors and licensees, and shall require its agents and affiliates to advise their employees, agents, contractors, subcontractors and licensees, of the Receiving Party’s obligations of confidentiality and non-use under this Article 18, and shall be responsible for ensuring compliance by its and its affiliates’ employees, agents, consultants, contractors, subcontractors and licensees with such obligations. In addition, the Receiving Party shall require all persons that are provided access to the Disclosing Party’s Confidential Information, other than the Receiving Party’s accountants and legal counsel, to execute confidentiality or non-disclosure agreements containing provisions substantially similar to those set forth in this Article 18. The Receiving Party shall promptly notify the Disclosing Party in writing upon learning of any unauthorized disclosure or use of the Disclosing Party’s Confidential Information by such persons.