2014 ACC-SoCal In-House Counsel Conference #IHCC14
Information Security & Regulatory Compliance: The Bottom Line
January 22, 2014, Los Angeles, California

Presentation transcript:


Slide 1: ACC-SoCal In-House Counsel Conference #IHCC14
Information Security & Regulatory Compliance: The Bottom Line
January 22, 2014, Los Angeles, California
Sponsored by LexisNexis. Presented by Foley & Lardner LLP.
Panelists:
– Michael R. Overly, Esq., CISA, CISSP, ISSMP, CIPP, CRISC, Foley & Lardner LLP
– Wendy Coticchia, Esq., Applied Computer Solutions
– David R. Alberton, Esq., CIPP/IT, Foley & Lardner LLP
© 2014 Foley & Lardner LLP

Slide 2: Agenda and Overview
Overview of the current landscape of privacy and security laws and regulations.
Privacy is only part of the problem.
Identifying three common threads in privacy and security laws and regulations.
Potential risks of non-compliance.
Application to the vendor contracting process.

Slide 3: Information Security Risks Are At An All-Time High
In the last year, there were almost a dozen major incidents in which personal information was severely compromised.
According to the FBI, the incidence of hacking and of insider misappropriation or compromise of confidential information is at an all-time high.
– Insiders include not only the company's own personnel, but also its contractors and business partners.

Slide 4: Information Security Risks Are At An All-Time High
FTC, OCC, HHS and other regulators are increasingly focusing on information security.
– States are becoming increasingly active in this area.
Possibility of FTC, AG, and other regulatory action is at an all-time high.
Sanctions can scale to the millions of dollars.

Slide 5: Biggest Misconceptions
"It's all about the data"
– Security of systems
– Security of data
"It's all about privacy"
– Privacy is only a subset of security
"It's all about confidentiality"
– CIA: Confidentiality, Integrity, Availability.
– This requirement is seen in many privacy/security laws and regulations.

Slide 6: Examples of Federal & State Laws and Regulations
Gramm-Leach-Bliley
HIPAA Security Rule / HITECH Act
California, Massachusetts, New Jersey, and many others
Federal Trade Commission

Slide 7: Standards
Australia, US, US State: "Reasonable" measures
Others: "Appropriate," "necessary" measures
Contract requirements
– EU Model Contracts
– Other Agreements

Slide 8: What Are We Protecting
General Confidential Information
Intellectual Property
Protected Health Information (HIPAA)
Personally Identifiable Non-Public Financial Information (GLB), and other information protected under state privacy and security laws

Slide 9: What Are We Protecting
Other PII, e.g., HR data, investors, business contact information
System operations
System integrity

Slide 10: Expanding Definitions of Personal Information
California Civil Code Section and: expanded the definitions of personal information and the notice requirements after an unauthorized disclosure of a user name or address, in combination with a password or security question and answer that would permit access to an online account.

Slide 11: Why Protections Are Important
Protect valuable assets of the business
Establish due diligence
Protect business reputation
Avoid public embarrassment
Minimize potential liability
Regulatory compliance

Slide 12: Three Common Threads
Attempt to gain a broader picture of compliance obligations.
Three common themes or threads.
These threads run through laws and regulations and also through common industry standards (PCI DSS, CERT at Carnegie Mellon, and the International Standards Organization).

Slide 13: First Common Thread
Confidentiality, Integrity, and Availability (CIA).
Foundational principle in information security.
– Data must be held in confidence
– Data must be protected against unauthorized modification
– Data must be available for use when needed

Slide 14: Second Common Thread
Acting "Reasonably" or taking "Appropriate" or "Necessary" measures to protect data.
EU, Australia, Canada, US, and many other countries.
Business must do what is reasonable or necessary. Perfection is not required.

Slide 15: Third Common Thread
Scaling security measures to reflect the nature of the data and the risk presented.
Closely related to acting reasonably or doing what is necessary.
Security measures must be adjusted to reflect the sensitivity of the data and the severity of the risk.
The greater the risk and sensitivity of the data, the greater the effort to secure the data.

Slide 16: Scaling of Security
Security isn't an all-or-nothing proposition.
Protections must scale to meet the risk.
– Fees should not be part of the analysis.
Data security regulations and laws are written in terms of scaling.

Slide 17: Scaling of Security
Massachusetts Data Security Law: "... safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information."

Slide 18: Scaling of Security
HIPAA Security Rule: Factors to consider:
(i) The size, complexity, and capabilities of the Covered Entity.
(ii) The Covered Entity's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to ePHI.

Slide 19: Applying Common Threads to Vendor Contracting Relationships

Slide 20: Three Step Approach
Vendor due diligence
Contractual protections
Information handling procedures and requirements, generally in the form of contract exhibits

Slide 21: Common Errors
Failure to involve all relevant stakeholders in the process
Failing to assess the unique requirements of the transaction at hand
– Example: Mobile applications
Inflexibility

Slide 22: Step One: Due Diligence
From the outset, Vendors must be on notice that the information they provide as part of the company's information security due diligence will be (i) relied upon in making a vendor selection; and (ii) part of the ultimate contract.
To ensure proper documentation and uniformity in the due diligence process, companies should develop a Vendor Due Diligence Questionnaire.

Slide 23: Step One: Questionnaire Advantages
Provides a uniform framework for due diligence
Ensures apples-to-apples comparison of vendor responses
Ensures all key areas of diligence are addressed
Provides an easy means for incorporating due diligence information into the final contract

Slide 24: Step One: Questionnaire Use
The Questionnaire will address security standards with which Vendors will be required to comply under the laws (e.g., HIPAA, FCRA/FACTA, GLB, etc.).
Many Vendors will lack a true understanding of these requirements.
The Questionnaire will be a tool to educate your Vendors about your compliance expectations.

Slide 25: Step One: Questionnaire Use
The Questionnaire should be presented to potential vendors at the earliest possible stage in the relationship.
Include as part of all relevant RFPs.
If no RFP is used, submit to the vendor as a stand-alone document.

Slide 26: Step Two: Contractual Protections – Threat Scaling
NDA or Confidentiality Clause
General security obligations
Security and data warranties
Use of subcontractors/offshore entities
Personnel controls, diligence

Slide 27: Step Two: Contractual Protections
Breach notification, cost reimbursement
Indemnity
– Protection from third party claims
Limitation of Liability
Insurance
Incorporation of Due Diligence Questionnaire

Slide 28: Step Three: Information Handling Requirements
Where appropriate, attach specific information handling requirements in an exhibit
– Securing PII
– Encryption
– Secure destruction of data
– Securing of removable media
– Communication and coordination

Slide 29: Negotiation Tips
Raise security requirements from the outset, including liability expectations.
The way in which the requirements are presented to the vendor is key.
In many cases, it is necessary to educate the vendor about legal/regulatory requirements.
Major push-back to baseline technical requirements is common and almost never difficult to overcome.
Flexibility is frequently required, but generally only for a narrow range of requirements.

Slide 30: Negotiation Tips
Create a ready library of plug-and-play alternatives to standard required terms.
Addressing the common argument that "we cannot change the way we secure our systems for a single engagement."
Addressing the argument that baseline security requirements somehow prevent the vendor from evolving its security standards.

Slide 31: Negotiation Tips
"Moving target" language
"Industry best practices" provisions
Compliance with laws/regulations that may not directly apply to the vendor's business

Slide 32: Post-Execution Follow-up
Ongoing policing of vendor performance and compliance is crucial
– Audit rights
– Access to third party audit reports (e.g., SAS 70 Type II, SSAE 16)
– Updating of the due diligence questionnaire is key
Annual compliance statement

Slide 33: Questions?

Slide 34: Contact Information
Michael R. Overly, Esq., Partner, CISA, CISSP, ISSMP, CIPP, CRISC
Technology Transactions & Outsourcing Group, Foley & Lardner LLP
555 South Flower Street, Suite 3500, Los Angeles, California
(213)

Wendy Coticchia, Esq., Senior Corporate Counsel
Applied Computer Solutions
Springdale Street, Huntington Beach, CA
(714)

David R. Albertson, Esq., CIPP/IT
Technology Transactions & Outsourcing Group, Foley & Lardner LLP
555 South Flower Street, Suite 3500, Los Angeles, California
(213)

Slide 35: 11th Annual In-House Counsel Conference, January 22, 2014 (Los Angeles, CA) #IHCC14
