Data Privacy & Security Issues in Cloud Contracts
Presented by: Robert J. Scott, Managing Partner, www.ScottandScottllp.com
Copyright © 2016 – Scott & Scott, LLP
Cloud Computing Trends
• Forrester Research estimates the cloud market will reach $191 billion by 2020.¹
• Estimated $940 billion in IT services spending in 2016.²
• 94 percent of companies expect more than a quarter of their workloads to be in the cloud within two years.³
¹ The Public Cloud Market Is Now In Hypergrowth: Sizing The Public Cloud Market, 2014 To 2020 (Forrester Research, April 24, 2014)
² Gartner Worldwide IT Spending Forecast
³ State of the Market: Enterprise Cloud 2016 (Verizon)
Regulatory Compliance Risks
Industry-specific Regulation
§ Gramm-Leach-Bliley Act – Financial
§ HIPAA & HITECH – Healthcare
§ PCI Compliance – Payment Systems
Broad Regulation
§ State Data Privacy
GLBA Compliance Considerations
Service Provider: Any party that is permitted access to a financial institution's customer information through the provision of services directly to the institution.
Vendor Selection: Exercise appropriate due diligence in selecting service providers.
GLBA Compliance Considerations
Required Provisions:
• Require service providers by contract to implement appropriate measures designed to meet the objectives of the Security Guidelines.
• Where indicated by risk assessment, monitor service providers to confirm that they have satisfied their obligations under the contract.
HIPAA Compliance
• Due Diligence
• Who requires a BAA
• What are adequate administrative and procedural safeguards
• What if a vendor will not agree to a BAA
HIPAA Security Rule
• Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit.
• Identify and protect against reasonably anticipated threats to the security or integrity of the information.
• Protect against reasonably anticipated, impermissible uses or disclosures.
• Ensure compliance by their workforce.
Security Measure Considerations
• Size, complexity, and capabilities
• Technical, hardware and software infrastructure
• Costs of security measures
• Likelihood and possible impact of potential risks to e-PHI
• Covered entities must review and modify their security measures to continue protecting e-PHI in a changing environment
Risk Assessment
Risk analysis process includes, but is not limited to, the following activities:
• Evaluate the likelihood and impact of potential risks to e-PHI
• Implement appropriate security measures to address risks identified in risk analysis
• Document chosen security measures and, where required, the rationale for adopting those measures
• Maintain continuous, reasonable, and appropriate security protections
Risk analysis should be an ongoing process of periodic and regular reviews.
Key Provisions in Cloud Contracts
• Insurance and indemnity requirements – especially for intellectual property infringement
• Regulatory compliance
• Subcontractor liability for third party services or software
• Effect of termination – return of customer data
• Service failure corrective action plan
• Security Commitments / BAA
• Compliance with Laws
Indemnification Provisions
• What indemnification is the vendor offering?
• How do proposed terms compare to vendor contracting policies and procedures?
• Customers often use insurance to cover risks that would normally be addressed in indemnification provisions.
Limitation of Liability
• Calculating maximum liability
• Usually tied to payments made under the agreement
• Carve-outs – certain claims are not subject to the cap
• Liability risks related to security incidents
Risk Mitigation Strategies
• Require vendors to legally assume all liabilities associated with the service.
• Specify insurance coverage requirements including forensics, breach response, regulatory response and consumer claims.
• Use indemnity provisions to protect against liability.
• Edit limitation of liability provisions that would limit access to coverage.
Contact Information
Robert J. Scott, Esq., Managing Partner
[email protected]
(214) 999-2902
Scott & Scott, LLP
1256 Main Street, Suite 200
Southlake, TX 76092
www.scottandscottllp.com