Data Privacy and Security Agreements:
Defining, Allocating, and Mitigating
Risks From Data Security Breaches
WEDNESDAY, NOVEMBER 20, 2019
Presenting a live 90-minute webinar with interactive Q&A
Today’s faculty features:
Amy Lawrence, Attorney, Frankfurt Kurnit Klein & Selz, Los Angeles
Alex C. Nisenbaum, Attorney, Pepper Hamilton, Los Angeles
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
The audio portion of the conference may be accessed via the telephone or by using your computer's
speakers. Please refer to the instructions emailed to registrants for additional information. If you
have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.
Tips for Optimal Quality
Sound Quality
If you are listening via your computer speakers, please note that the quality
of your sound will vary depending on the speed and quality of your internet
connection.
If the sound quality is not satisfactory, you may listen via the phone: dial
1-877-447-0294 and enter your Conference ID and PIN when prompted.
Otherwise, please send us a chat or e-mail [email protected] immediately
so we can address the problem.
If you dialed in and have any difficulties during the call, press *0 for assistance.
Viewing Quality
To maximize your screen, press the ‘Full Screen’ symbol located on the bottom
right of the slides. To exit full screen, press the Esc button.
FOR LIVE EVENT ONLY
Continuing Education Credits
In order for us to process your continuing education credit, you must confirm your
participation in this webinar by completing and submitting the Attendance
Affirmation/Evaluation after the webinar.
A link to the Attendance Affirmation/Evaluation will be in the thank you email
that you will receive immediately following the program.
For additional information about continuing education, call us at 1-800-926-7926
ext. 2.
Program Materials
If you have not printed the conference materials for this program, please
complete the following steps:
• Click on the link to the PDF of the slides for today’s program, which is located
to the right of the slides, just above the Q&A box.
• The PDF will open a separate tab/window. Print the slides by clicking on the
printer icon.
Alex C. Nisenbaum | Pepper Hamilton LLP
Amy Lawrence | Frankfurt Kurnit Klein & Selz PC
Data Privacy and Security Agreements: Defining, Allocating and Mitigating Risks From Data Security Breaches
November 20, 2019 | 1:00 pm EST
Service Providers and the Lifecycle of Data in the Business
Background
Can’t outsource liability for legal compliance
Federal, state, international regulatory framework
Not just for “IT” vendors
- Target breach
Legal Obligations
Federal Laws
- Section 5 of FTC Act
- HIPAA
- GLBA
State Laws
- California Consumer Privacy Act
- Massachusetts Data Security Regulations
- NYDFS Cybersecurity Regulation
- Cal. Civ. Code Section 1798.80 et seq. and similar state laws
International Laws
- EU (GDPR), Canada, APAC may be more stringent
Self-Regulatory Regimes
Vendor Contracting Process
Pre-Contract Due Diligence
Contract – Conversation to Commitment
Verify Compliance
Pre-Contract Due Diligence
Review relevant privacy and security policies
Review security controls
- Vendor security questionnaires
- Independent third-party audit reports (SOC 1/SOC 2)
- Certifications/Attestations
• ISO/IEC 27001
• HITRUST
• PCI DSS
Vendor Contracts
Every situation is unique
- Sensitivity of data
- Type of service
- Criticality of service
- Operational delivery realities
- Negotiating leverage
Vendor Contracts
Ownership and control of data
Compliance with law; compliance with policies/procedures
Administrative, technical and physical safeguards
Audit rights
Breach notification, response and cooperation
Indemnification
Limits of Liability
Insurance
Service Levels
End of relationship/transition
Legally mandated agreements
Ownership and Control of Data
- Cloud vendors
- Secondary uses
- Access/suspension
Compliance with law; compliance with policies/procedures
Can’t outsource compliance
Fines, penalties and other regulator-imposed costs can be substantial
On-site/Access to systems
Administrative, technical and physical security safeguards
Mandated by state, federal and international law
Basic to complex
Access controls, authorization protocols, audit log monitoring, network security, malware defense, physical safeguards, training, incident response, penetration tests…
Audit rights
Customer/vendor/independent third-party audits
Regulator audits
Remediation of deficiencies
Breach Notification, Response and Cooperation
Timeframe for notice of breach from vendor
Information sharing and cooperation
Preservation of documents and information
Control over notices to individuals and regulators
Indemnification
First-party costs
- Legal costs
- Forensic investigation
- Notice costs, credit monitoring, call center
- Regulatory fines and penalties
Third-party costs
- Class actions and other lawsuits
- Third-party contractual claims
Limits of Liability
Caps / supercaps
Carve-outs
Consequential Damages
What is appropriate will be unique to risk and relationship
- Sensitivity of data
- Criticality of business function
- Negotiation leverage
Insurance
Cyber liability coverage
Coverage for whose costs
Coverage limits
Service Levels
Data needs to be available to be useful to business
Availability service levels
Recovery point objectives / Recovery time objectives
Severity level response times
Review of Disaster Recovery / Business Continuity
End of Relationship/Transition
Data retrieval/format
Return or destruction of data
How long will it take to transition to a new solution?
Mandated continuation during transition period
Legally Mandated Agreements
Compliance chain
- Business Associate Agreements (HIPAA)
- Agreements with Service Providers (GLBA)
- Data Processing Agreements (GDPR)
- Recipients of Personal Information (CCPA)
- Other state laws
Questions? Contact Us
Alex C. Nisenbaum | [email protected]
Amy Lawrence | [email protected]