Data Security: Public Contracts and the Cloud


July 27, 2012
ABA Public Contract Law Section, State and Local Division
Ieuan Mahony, Holland & Knight, ieuan.mahony@hklaw.com

Roadmap
- Why is security a concern?
- Why outsource security?
- Why the cloud? (and what in the Sam Hill is the cloud?)
- What are the alternatives?

Flavors of Exposure
- External unfriendly threats = hackers and competitors
- External friendly threats = service providers
- Internal threats = employees and consultants
- Business model threats = no risk assessment; unprepared

Statistic
April 2012 report from Massachusetts regulators: approximately 1,800 data breaches over the past four years.
High-scoring industries:
- Financial services: 955
- Health care: 214
- Education: 101

Brief Examples
Sony
- Credit card data of PlayStation Network users
- 77 million user accounts
- Name, address (city, state, zip), e-mail address, birthdate, PlayStation Network/Qriocity password and login
Health Net
- Data servers missing for a month
- 2 million customers nationwide
- Social Security numbers and health history

Exposure to Regulators
FTC enforcement powers under (e.g.):
- Fair Credit Reporting Act (FCRA)
- Gramm-Leach-Bliley Act (GLBA)
- Children's Online Privacy Protection Act (COPPA)
More important: general jurisdiction over unfair or deceptive acts.
FTC's March 2012 Privacy Report: "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers"

Other Exposure
- Plaintiff class actions: In re iPhone Application Litigation (N.D. Cal., Sept. 2011); In re Facebook Privacy Litigation (N.D. Cal., May 2011)
- Claims by business partners
- Exposure to credit card issuers under PCI-DSS
- Public perception and damage to goodwill
- Particular concerns when dealing with public entities

- What is the value I see here?
- What am I going to do with it?
- How am I protecting it, and how should I protect it?

Options
- Local hosting
- Engage a data center
- Obtain managed services, e.g. provisioning, remote backup, secure archiving, disaster recovery
- Move to the cloud fully
Costs, risks, and benefits

Traditional Assets vs. Cloud Services (all computing resources)
- Application software -> SaaS (Software as a Service)
- Operating system / platform -> PaaS (Platform as a Service)
- Infrastructure -> IaaS (Infrastructure as a Service)

What are key characteristics of cloud computing?
- Multi-tenanted: computing resources are pooled and (often) shared by multiple subscribers
- Virtual resources: logical (virtual) resources are dynamically assigned based on demand
- Location independent: subscriber assets may be dispersed over many physical locations
- On-demand self-service: subscriber needs are (at least theoretically) provisioned automatically and as required
- Broad network access: access available through browsers
- Elasticity: scale up and down

Cloud Deployments
- Private cloud: for a single organization
- Community cloud: for several organizations, with shared cloud infrastructure and shared concerns
- Public cloud: for the general public
- Hybrid cloud: a combination of two or more clouds

Legal Implications
Players:
- Cloud Service Provider (CSP)
- Independent Software Vendors (ISVs)
- Telcos
- Subscribers to the CSP's services
- Individual end users
- The CSP's competitors
Regulatory Compliance and Risk Areas:
- Privacy [COPPA, HIPAA, GLBA, DPA]
- Security
- Intellectual property issues
- Open source / interoperability / standards
- Tort exposure
- Responsibility for users' conduct
- Document retention and electronic discovery
- Terrorism, surveillance, preservation
- Taxation
- International, export & cross-border
- Personal jurisdiction
Tools to Manage Risk:
- Contracts
- Service Level Agreements (SLAs)
- Clear service boundaries
- DMCA, CDA, ECPA
- Pricing
- Insurance
- Lobbying
Assets:
- Products / IPR
- Ecosystem
- Data: yours / others'
- Uncoupling assets: portability

Security
Data is vulnerable during:
- Transmission
- Cloud storage
Security measures include:
- Firewall protection
- User authentication
- Access controls
- Data segregation
- Encryption

Independent Assessment
- Statement on Standards for Attestation Engagements No. 16 (SSAE 16)
- Statement on Auditing Standards No. 70: Service Organizations (SAS 70)
From the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). These define the professional standards used by a service auditor to assess the internal security and other controls of a service.

Security Standards
- The standards for compliance are generally relative
- Weighing the costs of added security against the risks and results of a security compromise
- To achieve this balance, legal and technical resources must communicate
- A common previous approach: "We will use reasonable efforts to secure your data"

Sample Standards
- Federal Trade Commission Act (15 USC 41-58, as amended)
- Electronic Fund Transfer Act (15 USC 1693 et seq.)
- Federal Reserve Regulation E (12 CFR Part 205)
- Identity Theft and Assumption Deterrence Act (18 USC 1028)
- Fair Credit Reporting Act (15 USC 1681 et seq.)
- Red Flag Rule (16 CFR Part 681 and analogous regulations, as applicable)
- Gramm-Leach-Bliley Act (15 USC 6801-6809 and 6821-6827)
- Financial Privacy Rule (16 CFR Part 313 and analogous regulations, as applicable)
- The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH Act") (including regulations and rules under HIPAA and the HITECH Act)
- Safeguards Rule (16 CFR Part 314 and analogous regulations, as applicable)
- USA PATRIOT Act (115 Stat. 272)
- Federal Regulation II (12 CFR Part 235)
- Notice of Security Breach Regulations
- Information Security Regulations

Central Role of Risk Assessment and Resulting Policies and Practices
- Risk assessment
  - Sets the internal relative standard tailored to your entity
  - Good process = business justification for the selected level of security
- Written information security policy
- Physical site security
- Network security
- Encryption
- PCI-DSS validation

Service Providers - The Stack
- You are responsible for safeguarding service providers' activities
- Keep in mind, as well, the chain of entities that might touch the data
- Complex stack, for example in mobile networks and the mobile app ecosystem: the handset maker, the carrier, the platform provider, the third-party analytics company, ...

Challenges

Conclusion
- New developments
- New challenges
- Proactive, not reactive