Upload
alex-brassington
View
214
Download
1
Embed Size (px)
Citation preview
12014 ACC-SoCal In-House Counsel Conference
#IHCC14
Information Security & Regulatory Compliance: The Bottom Line
January 22, 2014Los Angeles, California
Sponsored by LexisNexisPresented by Foley & Lardner LLP
Panelists:
#IHCC12
Michael R. Overly, Esq.CISA, CISSP, ISSMP, CIPP, CRISCFoley & Lardner LLP
Wendy Coticchia, Esq.Applied Computer Solutions
David R. Alberton, Esq., CIPP/ITFoley & Lardner LLP
© 2014 Foley & Lardner LLP
090701_2 2
#IHCC142014 ACC-SoCal In-House Counsel Conference
Overview of the current landscape of privacy and security laws and regulations.
Privacy is only part of the problem.
Identifying three common threads in privacy and security laws and regulations.
Potential risks of non-compliance.
Application to vendor contracting process.
Agenda and Overview
090701_3 3
#IHCC142014 ACC-SoCal In-House Counsel Conference
In the last year, there were almost a dozen major incidents in which personal information has been severely compromised.
According to the FBI, incidence of hacking and insider misappropriation or compromise of confidential information is at an all time high. – Insiders include not only the company’s own
personnel, but also its contractors and business partners.
Information Security Risks Are At An All Time High
090701_4 4
#IHCC142014 ACC-SoCal In-House Counsel Conference
FTC, OCC, HHS and other regulators increasingly focusing on information security.– States becoming increasingly active in this area.
Possibility of FTC, AG, and other regulatory action at an all-time high.
Sanctions can scale to the millions of dollars
Information Security Risks Are At An All Time High
090701_5 5
#IHCC142014 ACC-SoCal In-House Counsel Conference
It’s all about the data– Security of systems– Security of data
It’s all about privacy– Privacy is only a subset of security
It’s all about confidentiality– CIA: Confidentiality, Integrity, Availability.– This requirement is seen in many privacy/security laws
and regulations.
Biggest Misconceptions
090701_6 6
#IHCC142014 ACC-SoCal In-House Counsel Conference
Gramm-Leach-Bliley
HIPAA Security Rule / HITECH Act
California, Massachusetts, New Jersey, and many others
Federal Trade Commission
Examples of Federal & State Laws and Regulations
090701_7 7
#IHCC142014 ACC-SoCal In-House Counsel Conference
Australia, US, US State: “Reasonable” measures
Others: “Appropriate,” “necessary” measures
Contract requirements– EU Model Contracts– Other Agreements
Standards
090701_8 8
#IHCC142014 ACC-SoCal In-House Counsel Conference
General Confidential Information
Intellectual Property
Protected Health Information (HIPAA)
Personally Identifiable Non-Public Financial Information (GLB), and other information protected under state privacy and security laws
What Are We Protecting
090701_9 9
#IHCC142014 ACC-SoCal In-House Counsel Conference
Other PII, e.g., HR data, investors, business contact information
System operations
System integrity
What Are We Protecting
090701_10 10
#IHCC142014 ACC-SoCal In-House Counsel Conference
California Civil Code Section 1798.29 and 1798.82
Expanded the definitions of “personal information” and notice requirements after an unauthorized disclosure of a “user name or email address, in combination with a password or security question and answer that would permit access to an online account.”
Expanding definitions of “personal information”
090701_11 11
#IHCC142014 ACC-SoCal In-House Counsel Conference
Protect valuable assets of the business
Establish due diligence
Protect business reputation
Avoid public embarrassment
Minimize potential liability
Regulatory compliance
Why Protections Are Important
090701_12 12
#IHCC142014 ACC-SoCal In-House Counsel Conference
Attempt to gain a broader picture of compliance obligations.
Three common themes or “threads.”
Threads run through laws and regulations and, also, common industry standards (PCI DSS, CERT at Carnegie Mellon, and the International Standards Organization).
Three Common Threads
090701_13 13
#IHCC142014 ACC-SoCal In-House Counsel Conference
Confidentiality, Integrity, and Availability (CIA).
Foundational principle in information security.– Data must be held in confidence– Data must be protected against unauthorized
modification– Data must be available for use when needed
First Common Thread
090701_14 14
#IHCC142014 ACC-SoCal In-House Counsel Conference
Acting “Reasonably” or taking “Appropriate” or “Necessary” measures to protect data.
EU, Australia, Canada, US, and many other countries.
Business must do what is reasonable or necessary. Perfection is not required.
Second Common Thread
090701_15 15
#IHCC142014 ACC-SoCal In-House Counsel Conference
Scaling security measures to reflect nature of data and risk presented.
Closely related to acting reasonably or doing what is necessary.
Security measures must be adjusted to reflect the sensitivity of the data and severity of the risk.
The greater the risk and sensitivity of data, the greater the effort to secure the data.
Third Common Thread
090701_16 16
#IHCC142014 ACC-SoCal In-House Counsel Conference
Security isn’t an all or nothing proposition.
Protections must scale to meet the risk.– Fees should not be part of the analysis.
Data security regulations and laws written in terms of scaling.
Scaling of Security
090701_17 17
#IHCC142014 ACC-SoCal In-House Counsel Conference
Massachusetts Data Security Law:“. . . safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information.”
Scaling of Security
090701_18 18
#IHCC142014 ACC-SoCal In-House Counsel Conference
HIPAA Security Rule: Factors to consider:
(i) The size, complexity, and capabilities of the Covered Entity.
(ii) The Covered Entity's technical infrastructure, hardware, and software security capabilities.
(ii) The costs of security measures.
(iv) The probability and criticality of potential risks to ePHI.
Scaling of Security
090701_19 19
#IHCC142014 ACC-SoCal In-House Counsel Conference
Applying Common Threads to Vendor Contracting Relationships
090701_20 20
#IHCC142014 ACC-SoCal In-House Counsel Conference
Vendor due diligence
Contractual protections
Information handling procedures and requirements, generally in the form of contract exhibits
Three Step Approach
090701_21 21
#IHCC142014 ACC-SoCal In-House Counsel Conference
Failure to involve all relevant stakeholders in the process
Failing to assess the unique requirements of the transaction at-hand– Example: Mobile applications
Inflexibility
Common Errors
090701_22 22
#IHCC142014 ACC-SoCal In-House Counsel Conference
From the outset, Vendors must be on notice that the information they provide as part of the company’s information security due diligence will be (i) relied upon in making a vendor selection; and (ii) part of the ultimate contract.
To ensure proper documentation and uniformity in the due diligence process, companies should develop a “Vendor Due Diligence Questionnaire.”
Step One: Due Diligence
090701_23 23
#IHCC142014 ACC-SoCal In-House Counsel Conference
Provides a uniform framework for due diligence
Ensures “apples-to-apples” comparison of vendor responses
Ensures all key areas of diligence are addressed
Provides an easy means for incorporating due diligence information into the final contract
Step One: Questionnaire Advantages
090701_24 24
#IHCC142014 ACC-SoCal In-House Counsel Conference
The Questionnaire will address security standards with which Vendors will be required to comply under the laws (e.g, HIPAA, FCRA/FACTA, GLB, etc.). Many Vendors will lack true understanding of these requirements.
The Questionnaire will be a tool to educate your Vendors about your compliance expectations.
Step One: Questionnaire Use
090701_25 25
#IHCC142014 ACC-SoCal In-House Counsel Conference
The Questionnaire should be presented to potential vendors at the earliest possible stage in the relationship.
Include as part of all relevant RFPs. If no RFP is used, submit to the vendor as a stand-alone document.
Step One: Questionnaire Use
090701_26 26
#IHCC142014 ACC-SoCal In-House Counsel Conference
NDA or Confidentiality Clause
General security obligations
Security and data warranties
Use of subcontractors/offshore entities
Personnel controls, diligence
Step Two: Contractual Protections – Threat Scaling
090701_27 27
#IHCC142014 ACC-SoCal In-House Counsel Conference
Breach notification, cost reimbursement
Indemnity – Protection from third party claims
Limitation of Liability
Insurance
Incorporation of Due Diligence Questionnaire
Step Two: Contractual Protections
090701_28 28
#IHCC142014 ACC-SoCal In-House Counsel Conference
Where appropriate, attach specific information handling requirements in an exhibit– Securing PII– Encryption– Secure destruction of data– Securing of removable media– Communication and coordination
Step Three: Information Handling Requirements
090701_29 29
#IHCC142014 ACC-SoCal In-House Counsel Conference
Raise security requirements from the outset, including liability expectations.
The way in which the requirements are presented to the vendor is key.
In many cases, it is necessary to educate the vendor about legal/regulatory requirements.
Major push-back to baseline technical requirements is common and almost never difficult to overcome.
Flexibility is frequently required, but generally only for a narrow range of requirements.
Negotiation Tips
090701_30 30
#IHCC142014 ACC-SoCal In-House Counsel Conference
Create a ready library of “plug-and-play” alternatives to standard required terms.
Addressing the common argument that “we cannot change the way we secure our systems for a single engagement.”
Addressing the argument that baseline security requirements somehow prevent the vendor from evolving its security standards.
Negotiation Tips
090701_31 31
#IHCC142014 ACC-SoCal In-House Counsel Conference
Moving target language
“Industry best practices” provisions
Compliance with laws/regulations that may not directly apply to the vendor’s business
Negotiation Tips
090701_32 32
#IHCC142014 ACC-SoCal In-House Counsel Conference
Ongoing policing of vendor performance and compliance is crucial– Audit rights– Access to third party audit reports (e.g., SAS 70 Type II,
SSAE 16)– Updating of due diligence questionnaire is key
Annual compliance statement
Post-Execution Follow-up
090701_33 33
#IHCC142014 ACC-SoCal In-House Counsel Conference
Questions?
090701_34 34
#IHCC142014 ACC-SoCal In-House Counsel Conference
Contact Information
Michael R. Overly, Esq., PartnerCISA, CISSP, ISSMP, CIPP, CRISCTechnology Transactions & Outsourcing GroupFoley & Lardner LLP555 South Flower StreetSuite 3500Los Angeles, California 90071(213) [email protected]
Wendy Coticchia, Esq.Senior Corporate CounselApplied Computer Solutions15461 Springdale StreetHuntington Beach, CA 92649(714) [email protected]
David R. Albertson, Esq., CIPP/IT Technology Transactions & Outsourcing GroupFoley & Lardner LLP555 South Flower StreetSuite 3500Los Angeles, California 90071(213) [email protected]
000000_35
11th Annual In-House Counsel ConferenceJanuary 22, 2014 (Los Angeles, CA)
#IHCC1435
www.acc.com/chapters/socal/