Integrating Information Security Protections In Supplier Agreements: Guidance for Business and Technology Counsel


Presenting a live 90-minute webinar with interactive Q&A
Integrating Information Security Protections In Supplier Agreements: Guidance for Business and Technology Counsel
Evaluating Data Security Risks During Due Diligence, Negotiating Contractual Protections, Monitoring Supplier Performance
Tuesday, February 7, 2017, 1pm Eastern (12pm Central, 11am Mountain, 10am Pacific)
Today's faculty: Matthew A. Karlyn, Partner, Foley & Lardner, Boston


Integrating Information Security Into the Supplier Contracting Process
Matt Karlyn, Partner, Foley & Lardner
mkarlyn@foley.com, (617) 502-3239

Overview
Information security requires a unified approach:
- Security policies
- Employee education
- Use of technology (e.g., firewalls, encryption, intrusion prevention systems)
- Security audits
- Addressing security in contracts with business partners and other suppliers

Overview
Security measures can be divided into three main categories:
- Administrative: policies and procedures
- Technical: firewalls, intrusion detection systems, encryption
- Physical: secure doors and facilities, video and other monitoring, security guards
Many privacy and security laws use this language; the HIPAA Security Rule, for example, is organized around administrative, physical and technical safeguards.

Types of Contracts and Relationships
Any agreement where a third party will have access to the company's:
- Network
- Facilities
- Data
- Confidential information, including information about people as well as proprietary processes, etc.
Access can be remote or physical.

What are we Protecting?
- Confidential information
- Intellectual property
- Personally identifiable information

Why Protections are Important
- Protect valuable assets of the company
- Establish a due diligence process
- Protect business reputation
- Avoid public embarrassment
- Minimize potential liability
- Comply with laws

Three Step Approach to Incorporating Information Security in IT Contracting
Step 1: Internal and vendor due diligence
Step 2: Contractual protections
Step 3: Information handling and security procedures and requirements, generally in the form of contract exhibits
Common errors:
- Failure to involve all relevant stakeholders in the process
- Failure to assess the unique requirements of the particular transaction
- Failure to maintain flexibility

Scaling of Security in IT Contracting
Information security is not an all-or-nothing proposition.
Protections (and the company's approach) must scale to meet the risk.
Fees (i.e., how much the company is paying the vendor) should not be part of the analysis; the risk is driven by what the vendor can access, not by the size of the contract.
Most data security laws are written in terms of scaling, meaning they take into account things like:
- The size, scope and type of business
- The resources available
- The amount and type of data stored
- The need for confidentiality and security

Scaling of Security
Massachusetts Data Security Law (201 CMR 17.03(1)) requires safeguards that are "appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information."

Step 1: Internal and Supplier Due Diligence

Initial Internal Due Diligence
What is the mix of data sensitivity and criticality of the service / product provided?
HIGH RISK:
- Mission critical processes
- Highly sensitive data
MEDIUM RISK:
- Generally available data
- High service levels required
- Non-confidential enterprise data
LOW RISK:
- Non-mission critical service or process
- Generally available data
- Can accept outages and variable performance

Vendor Due Diligence
From the outset, vendors must be on notice that the information they provide as part of the company's information security due diligence will be (1) relied upon in making a vendor selection, and (2) part of the contract.
Make security part of the RFP process (if you have one).
To ensure proper documentation and uniformity in the due diligence process, companies should develop a vendor due diligence questionnaire.

Questionnaire Key Areas
- Financial condition
- Insurance coverage
- Actions against the vendor (e.g., criminal convictions, litigation, regulatory enforcement actions, breaches of security, etc.)
- Location of services
- Offshore transmission of data
- Intended use of subcontractors
- Personnel security standards
- Information security policies
- Business continuity/disaster recovery requirements
- Data destruction procedures
- Physical security procedures
- Access controls
- Development and maintenance procedures
- Privacy policies

Initial Vendor Due Diligence
A standard questionnaire:
- Provides a uniform framework for due diligence
- Ensures key areas are addressed
- Provides an easy way to incorporate the vendor's answers into the contract
- Educates vendors with respect to compliance expectations

Step 2: Contractual Protections

U.S. Regulatory Language Should be Treated as a Floor
Including HIPAA, GLB and other statutory / regulatory minimum security language, without more, may not adequately protect companies.
In many cases, the company cannot rely solely on the vendor's compliance with applicable legal requirements.
Even the more robust language provided in laws and regulations (e.g., HIPAA Security Rule, GLB Safeguards Rule) may not provide sufficient protection.

Some Contract Protections are Not Optional
Some security protections in vendor agreements are required by law:
- GLB (the Safeguards Rule requires contractual safeguards from service providers)
- HIPAA/HITECH (business associate agreements)
- Massachusetts (201 CMR 17.03(2)(f) requires third-party service providers to be bound by contract to appropriate security measures), California, etc.

One Size Does Not Fit All
Important to maintain flexibility in the contracting process.
Develop a library of alternative contractual protections to address common areas of disagreement between the parties.

Key Contractual Protections: Confidentiality
- Draft broadly; be sure to include all potential confidential information
- Marking requirements are generally disfavored and unworkable
- Ensure ongoing protection of trade secrets (i.e., the confidentiality obligation for trade secrets should have no expiration term; it should survive for as long as the information remains a trade secret)

Standard of Care for Confidentiality
Alternative 1: "Vendor shall treat Customer Confidential Information as strictly confidential and shall use the same care to prevent disclosure of such information as it uses with respect to its own most confidential or proprietary information, but in no event less than reasonable care."
Alternative 2: "Vendor shall treat Customer Confidential Information as strictly confidential and shall use the same care to prevent disclosure of such information as it uses with respect to its own most confidential or proprietary information, which shall not be less than the standard of care imposed by state and federal laws and regulations relating to the protection of such information and, in the absence of any legally imposed standard of care, the standard shall be that of a reasonable person under the circumstances."

Key Contractual Protections: Warranties
- Compliance with best industry standard practices
- Compliance with state/federal law, privacy policy, etc.
Use of subcontractors:
- Limit; require approval; the primary vendor remains responsible
- If a subcontractor is providing critical functions (hosting, outsource provider): greater need for due diligence
- Control over changes to subcontractors: ample notice of change, assistance in conducting diligence, termination right
- Consider use of a subcontractor NDA
- Where appropriate, include specific security requirements in addition to baseline confidentiality protections

Key Contractual Protections: Personnel
- Due diligence: background checks and screening
- Control of personnel: removal, inspection, monitoring
- Compliance with access requirements/security
- No removal of data
- Termination for failure to comply
Indemnity: protection from third party claims for breach of confidentiality or failure to comply with security obligations

Key Contractual Protections: General Security Obligations
- Take all reasonable measures to secure and defend its systems and facilities from unauthorized access or intrusion
- Periodically test systems and facilities for vulnerabilities
- Immediate reporting of breaches
- Joint security audits
- Regulatory access and compliance
- Firewalls, antivirus, etc.
- Termination for compliance issues

Key Contractual Protections: Exceptions to Limitation of Liability
- Breach of confidentiality, indemnification obligations, use of name, misappropriation of IP
Security breach notification:
- Notice from vendor
- Customer controls notice
- Allocation of costs
Annual certification of compliance

Key Contractual Protections: Security Breach Notification for PII and Associated Costs
- Ensure prompt notice from the vendor of actual and potential breaches, to preserve your ability to comply with applicable laws
- Control of notice
- Allocate responsibility for costs

Step 3: Information Handling Requirements

Information Handling Requirements
Where appropriate, attach specific information handling requirements in an exhibit to the contract:
- Securing PII
- Encryption
- Secure destruction of data
- Securing removable media

Negotiation Tips
- Raise security requirements from the outset, including liability expectations
- Educate the vendor about the legal requirements that apply to your company
- Flexibility is required, but usually for only a narrow range of requirements
- Create alternatives to your required language
- Think about how to address common vendor arguments:
  "We cannot change the way we secure our systems for a single engagement"
  "Baseline security requirements prevent us from evolving security standards"

Flexibility in Contracting Process
Ongoing re-evaluation of the contracting approach to reflect:
- Changes in laws
- Feedback from vendors
Developing means to address vendor feedback can speed negotiations, lower costs and contribute to a more efficient contracting and procurement process.
Contracting is a dynamic process; hire people who know how to procure goods and services efficiently!

Case 1: Information is Generally Available and Service/Application is Low Risk
- Commonly working from vendor forms where negotiation is impossible or limited
- Difficult to impose the company's privacy and security requirements on the vendor
- Thoroughly review the vendor's privacy and security practices and determine gaps with the company's practices
- Vendors typically maintain the right to alter privacy and security practices from time to time; attach the policies to the contract as of the effective date and ensure future revisions do not diminish the vendor's obligations
- Be prepared to agree to the vendor's privacy and security practices

Case 2: Highly Sensitive Data is Used/Processed as Part of a Mission Critical Application
- Due diligence effort is critical
- Ensure that vendors understand that security requirements will be a critical part of the transaction and the company is unlikely to rely solely on the vendor's practices
- Frequently (always?) appropriate to impose the company's security practices on the vendor
- Frequent compliance audits mandatory
- Contractual protections extensive

Case 3: Data Somewhat Sensitive and Used/Processed as Part of an Important Service or Application
- The most difficult cases; often requires flexibility and creativity
- Perform a gap analysis between the vendor's security practices and the company's security requirements
- Consider creating an addendum to the vendor's practices to fill the gaps
- Consider contractual protections, but be flexible in approach; work with the vendor to create the correct solution

Post Execution
- Ensure the process includes ongoing policing of vendor performance and compliance
- Develop means to address vendor feedback, accommodate and adapt to changes
- Anticipate that contracting is a dynamic process

A Guide to IT Contracting: Checklists, Tools, and Techniques

Questions?
Matt Karlyn, Partner, Foley & Lardner LLP
(617) 502-3239, mkarlyn@foley.com