Integrating Information Security Protections In Supplier Agreements: Guidance for Business and Technology Counsel

Transcription

1 Presenting a live 90-minute webinar with interactive Q&A Integrating Information Security Protections In Supplier Agreements: Guidance for Business and Technology Counsel Evaluating Data Security Risks During Due Diligence, Negotiating Contractual Protections, Monitoring Supplier Performance TUESDAY, FEBRUARY 7, pm Eastern 12pm Central 11am Mountain 10am Pacific Today s faculty features: Matthew A. Karlyn, Partner, Foley & Lardner, Boston The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions ed to registrants for additional information. If you have any questions, please contact Customer Service at ext. 10.

2 Tips for Optimal Quality FOR LIVE EVENT ONLY Sound Quality If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory, you may listen via the phone: dial and enter your PIN when prompted. Otherwise, please send us a chat or sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance. Viewing Quality To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

3 Continuing Education Credits FOR LIVE EVENT ONLY In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar. A link to the Attendance Affirmation/Evaluation will be in the thank you that you will receive immediately following the program. For additional information about continuing education, call us at ext. 35.

4 Program Materials FOR LIVE EVENT ONLY If you have not printed the conference materials for this program, please complete the following steps: Click on the ^ symbol next to Conference Materials in the middle of the lefthand column on your screen. Click on the tab labeled Handouts that appears, and there you will see a PDF of the slides for today's program. Double click on the PDF and a separate page will open. Print the slides by clicking on the printer icon.

5 Integrating Information Security Into the Supplier Contracting Process Matt Karlyn Partner Foley & Lardner (617) Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative of clients 321 N. Clark Street, Suite 2800, Chicago, IL

6 Overview Information security requires a unified approach Security policies Employee education Use of technology (e.g., firewalls, encryption, intrusion protection systems) Security audits Addressing security in contracts with business partners and other suppliers 6

7 Overview Security measures can be divided into three main categories Administrative: Policies and procedures Technical: Firewalls, intrusion detection systems, encryption Physical: Secure doors and facilities, video and other monitoring, security guards Many privacy and security laws are use this language 7

8 Types of Contracts and Relationships Any agreement where a third party will have access to the company s Network Facilities Data Confidential information including information about people as well as proprietary processes, etc. Access can be remote or physical 8

9 What are we Protecting? Confidential information Intellectual property Personally identifiable information 9

10 Why Protections are Important Protect valuable assets of the company Establish a due diligence process Protect business reputation Avoid public embarrassment Minimize potential liability Comply with laws 10

11 Three Step Approach to Incorporating Information Security in IT Contracting Step 1: Internal and vendor due diligence Step 2: Contractual protections Step 3: Information handling and security procedures and requirements, generally in the form of contract exhibits Common errors Failure to involve all relevant stakeholders in the process Failure to assess the unique requirements of the particular transaction Failure to maintain flexibility 11

12 Scaling of Security in IT Contracting Information security is a not an all or nothing proposition Protections (and the company s approach) must scale to meet the risk Fees (i.e., how much the company is paying) should not be part of the analysis Most data security laws are written in terms of scaling meaning they take into account things like The size, scope and type of business The resources available The amount and type of data stored The need for confidentiality and security 12

13 Scaling of Security Massachusetts Data Security Law: safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information. 13

14 Step 1: Internal and Supplier Due Diligence 14

15 Initial Internal Due Diligence What is the mix of data sensitivity and criticality of service / product provided? HIGH RISK Mission critical processes Highly sensitive data MEDIUM RISK Generally available data High service levels required Non-confidential enterprise data LOW RISK Non-mission critical service or process Generally available data Can accept outages and variable performance 15

16 Vendor Due Diligence From the outset, vendors must be on notice that the information they provide as part of the company s information security due diligence will be (1) relied upon in making a vendor selection, and (2) part of the contract Make security part of RFP process (if you have one) To ensure proper documentation and uniformity in the due diligence process, companies should develop a vendor due diligence questionnaire 16

17 Questionnaire Key Areas Financial condition Insurance coverage Actions against the vendor (e.g., criminal convictions, litigation, regulatory enforcement actions, breaches of security, etc.) Location of services Offshore transmission of data Intended use of subcontractors Personnel security standards Information security policies Business continuity/disaster recovery requirements Data destruction procedures Physical security procedures Access controls Development and maintenance procedures Privacy policies 17

18 Initial Vendor Due Diligence Provides uniform framework for due diligence Ensures key areas are addressed Provides easy way to incorporate information into contract Educates vendors with respect to compliance expectations 18

19 Step 2: Contractual Protections 19

20 U.S. Regulatory Language Should be Treated as a Floor Including the HIPAA, GLB and other statutory / regulatory minimally required security language, without more, may not adequately protect companies In many cases, cannot solely rely on compliance with applicable laws requirements Even the more robust language provided in laws and regulations (e.g., HIPAA Security Rule, GLB Safeguards Rule) may not provide sufficient protection 20

21 Some Contract Protections are Not Optional Some security protections in vendor agreements are required by law GLB HIPAA/HITECH Massachusetts, California, etc. 21

22 One Size Does Not Fit All Important to maintain flexibility in the contracting process Develop library of alternative contractual protections to address common areas of disagreement between parties 22

23 Key Contractual Protections Confidentiality Draft broadly be sure to include all potential confidential information Marking requirements are generally disfavored and unworkable Ensure ongoing protection of trade secrets (i.e., no term with respect to the confidentiality of trade secrets) 23

24 Standard of Care for Confidentiality Vendor shall treat Customer Confidential Information as strictly confidential and shall use the same care to prevent disclosure of such information as it uses with respect to its own most confidential or proprietary information, but in no event less than reasonable care. Vendor shall treat Customer Confidential Information as strictly confidential and shall use the same care to prevent disclosure of such information as it uses with respect to its own most confidential or proprietary information, which shall not be less than the standard of care imposed by state and federal laws and regulations relating to the protection of such information and, in the absence of any legally imposed standard of care, the standard shall be that of a reasonable person under the circumstances. 24

25 Key Contractual Protections Warranties Compliance with best industry standard practices Compliance with state/federal law; privacy policy, etc. Use of subcontractors Limit; require approval; primary vendor remains responsible If subcontractor is providing critical functions (hosting, outsource provider) Greater need for due diligence Control over changes to subcontractors Ample notice of change Assistance in conducting diligence Termination right Consider use of subcontractor NDA Where appropriate include specific security requirements in additional to baseline confidentiality protections 25

26 Key Contractual Protections Personnel due diligence background checks and screening Control of personnel Removal, inspection, monitor Compliance with access requirements/security No removal of data Termination for failure to comply Indemnity protection from third party claims for breach of confidentiality or failure to comply with security obligations 26

27 Key Contractual Protections General Security Obligations Take all reasonable measures to secure and defend its systems and facilities from unauthorized access or intrusion Periodically test systems and facilities for vulnerabilities Immediate reporting of breaches Joint security audits Regulatory access and compliance Firewalls, antivirus, etc. Termination for compliance issues 27

28 Key Contractual Protections Exceptions to Limitation of Liability Breach of confidentiality, indemnification obligations, use of name, misappropriation of IP Security breach notification Notice from vendor Customer controls notice Allocation of costs Annual certification of compliance 28

29 Key Contractual Protections Security breach notification for PII Associated costs Ensure prompt notice from vendor of actual and potential breaches to ensure your ability to comply with applicable laws Control of notice Allocate responsibility for costs 29

30 Step 3:Information Handling Requirements 30

31 Information Handling Requirements Where appropriate, attach specific information handling requirements in an exhibit to the contract Securing PII Encryption Secure destruction of data Securing removable media 31

32 Negotiation Tips Raise security requirements from the outset, including liability expectations Educate the vendor about legal requirements that apply to your company Flexibility is required, but usually for only a narrow range of requirements Create alternatives to your required language Think about how to address common vendor arguments We cannot change the way we secure our systems for a single engagement Baseline security requirements prevent us from evolving security standards 32

33 Flexibility in Contracting Process Ongoing re-evaluation of contracting approach to reflect: Changes in laws Feedback from vendors Developing means to address vendor feedback can speed negotiations, lower costs and contribute to a more efficient contracting and procurement process Contracting is a dynamic process hire people who know how to procure goods and services efficiently! 33

34 Case 1: Information is Generally Available and Service/Application is Low Risk Commonly working from vendor forms where negotiation is impossible or limited Difficult to impose company s privacy and security requirements on the vendor Thoroughly review vendor s privacy and security practices and determine gaps with company s practices Vendors typically maintain right to alter privacy and security practices from time-to-time attach policies to contract as of the effective date and ensure future revisions to not diminish obligations Be prepared to agree to vendor s privacy and security practices 34

35 Case 2: Highly Sensitive Data is Used/Processed as Part of Mission Critical Application Due diligence effort is critical Ensure that vendors understand that security requirements will be a critical part of the transaction and the company is unlikely to rely solely on the vendor s practices Frequently (always?) appropriate to impose the company s security practices on the vendor Frequent compliance audits mandatory Contractual protections extensive 35

36 Case 3: Data Somewhat Sensitive and Used/Processed as Part of an Important Service or Application The most difficult cases often requires flexibility and creativity Perform gap analysis between vendor security practices and company s security requirements Consider creating an addendum to the vendor practices to fill gaps Consider contractual protections, but be flexible in approach work with vendor to create correct solution 36

37 Post Execution Ensure process includes an ongoing policing of vendor performance and compliance Develop means to address vendor feedback, accommodate and adapt to changes Anticipate that contracting is a dynamic process 37

38 A Guide to IT Contracting: Checklists, Tools, and Techniques 38

39 Questions? Matt Karlyn Partner Foley & Lardner LLP (617)