Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 2014 ACC-SoCal In-House Counsel Conference #IHCC14 Information Security & Regulatory Compliance: The Bottom Line January 22, 2014 Los Angeles, California.

Similar presentations

Presentation on theme: "1 2014 ACC-SoCal In-House Counsel Conference #IHCC14 Information Security & Regulatory Compliance: The Bottom Line January 22, 2014 Los Angeles, California."— Presentation transcript:

1 ACC-SoCal In-House Counsel Conference #IHCC14 Information Security & Regulatory Compliance: The Bottom Line January 22, 2014 Los Angeles, California Sponsored by LexisNexis Presented by Foley & Lardner LLP Panelists: #IHCC12 Michael R. Overly, Esq. CISA, CISSP, ISSMP, CIPP, CRISC Foley & Lardner LLP Wendy Coticchia, Esq. Applied Computer Solutions David R. Alberton, Esq., CIPP/IT Foley & Lardner LLP © 2014 Foley & Lardner LLP

2 090701_2 2 #IHCC ACC-SoCal In-House Counsel Conference  Overview of the current landscape of privacy and security laws and regulations.  Privacy is only part of the problem.  Identifying three common threads in privacy and security laws and regulations.  Potential risks of non-compliance.  Application to vendor contracting process. Agenda and Overview

3 090701_3 3 #IHCC ACC-SoCal In-House Counsel Conference  In the last year, there were almost a dozen major incidents in which personal information has been severely compromised.  According to the FBI, incidence of hacking and insider misappropriation or compromise of confidential information is at an all time high. – Insiders include not only the company’s own personnel, but also its contractors and business partners. Information Security Risks Are At An All Time High

4 090701_4 4 #IHCC ACC-SoCal In-House Counsel Conference  FTC, OCC, HHS and other regulators increasingly focusing on information security. – States becoming increasingly active in this area.  Possibility of FTC, AG, and other regulatory action at an all-time high.  Sanctions can scale to the millions of dollars Information Security Risks Are At An All Time High

5 090701_5 5 #IHCC ACC-SoCal In-House Counsel Conference  It’s all about the data – Security of systems – Security of data  It’s all about privacy – Privacy is only a subset of security  It’s all about confidentiality – CIA: Confidentiality, Integrity, Availability. – This requirement is seen in many privacy/security laws and regulations. Biggest Misconceptions

6 090701_6 6 #IHCC ACC-SoCal In-House Counsel Conference  Gramm-Leach-Bliley  HIPAA Security Rule / HITECH Act  California, Massachusetts, New Jersey, and many others  Federal Trade Commission Examples of Federal & State Laws and Regulations

7 090701_7 7 #IHCC ACC-SoCal In-House Counsel Conference  Australia, US, US State: “Reasonable” measures  Others: “Appropriate,” “necessary” measures  Contract requirements – EU Model Contracts – Other Agreements Standards

8 090701_8 8 #IHCC ACC-SoCal In-House Counsel Conference  General Confidential Information  Intellectual Property  Protected Health Information (HIPAA)  Personally Identifiable Non-Public Financial Information (GLB), and other information protected under state privacy and security laws What Are We Protecting

9 090701_9 9 #IHCC ACC-SoCal In-House Counsel Conference  Other PII, e.g., HR data, investors, business contact information  System operations  System integrity What Are We Protecting

10 090701_10 10 #IHCC ACC-SoCal In-House Counsel Conference  California Civil Code Section and Expanded the definitions of “personal information” and notice requirements after an unauthorized disclosure of a “user name or address, in combination with a password or security question and answer that would permit access to an online account.” Expanding definitions of “personal information”

11 090701_11 11 #IHCC ACC-SoCal In-House Counsel Conference  Protect valuable assets of the business  Establish due diligence  Protect business reputation  Avoid public embarrassment  Minimize potential liability  Regulatory compliance Why Protections Are Important

12 090701_12 12 #IHCC ACC-SoCal In-House Counsel Conference  Attempt to gain a broader picture of compliance obligations.  Three common themes or “threads.”  Threads run through laws and regulations and, also, common industry standards (PCI DSS, CERT at Carnegie Mellon, and the International Standards Organization). Three Common Threads

13 090701_13 13 #IHCC ACC-SoCal In-House Counsel Conference  Confidentiality, Integrity, and Availability (CIA).  Foundational principle in information security. – Data must be held in confidence – Data must be protected against unauthorized modification – Data must be available for use when needed First Common Thread

14 090701_14 14 #IHCC ACC-SoCal In-House Counsel Conference  Acting “Reasonably” or taking “Appropriate” or “Necessary” measures to protect data.  EU, Australia, Canada, US, and many other countries.  Business must do what is reasonable or necessary. Perfection is not required. Second Common Thread

15 090701_15 15 #IHCC ACC-SoCal In-House Counsel Conference  Scaling security measures to reflect nature of data and risk presented.  Closely related to acting reasonably or doing what is necessary.  Security measures must be adjusted to reflect the sensitivity of the data and severity of the risk.  The greater the risk and sensitivity of data, the greater the effort to secure the data. Third Common Thread

16 090701_16 16 #IHCC ACC-SoCal In-House Counsel Conference  Security isn’t an all or nothing proposition.  Protections must scale to meet the risk. – Fees should not be part of the analysis.  Data security regulations and laws written in terms of scaling. Scaling of Security

17 090701_17 17 #IHCC ACC-SoCal In-House Counsel Conference  Massachusetts Data Security Law: “... safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information.” Scaling of Security

18 090701_18 18 #IHCC ACC-SoCal In-House Counsel Conference  HIPAA Security Rule: Factors to consider: (i)The size, complexity, and capabilities of the Covered Entity. (ii)The Covered Entity's technical infrastructure, hardware, and software security capabilities. (ii)The costs of security measures. (iv)The probability and criticality of potential risks to ePHI. Scaling of Security

19 090701_19 19 #IHCC ACC-SoCal In-House Counsel Conference Applying Common Threads to Vendor Contracting Relationships

20 090701_20 20 #IHCC ACC-SoCal In-House Counsel Conference  Vendor due diligence  Contractual protections  Information handling procedures and requirements, generally in the form of contract exhibits Three Step Approach

21 090701_21 21 #IHCC ACC-SoCal In-House Counsel Conference  Failure to involve all relevant stakeholders in the process  Failing to assess the unique requirements of the transaction at-hand – Example: Mobile applications  Inflexibility Common Errors

22 090701_22 22 #IHCC ACC-SoCal In-House Counsel Conference  From the outset, Vendors must be on notice that the information they provide as part of the company’s information security due diligence will be (i) relied upon in making a vendor selection; and (ii) part of the ultimate contract.  To ensure proper documentation and uniformity in the due diligence process, companies should develop a “Vendor Due Diligence Questionnaire.” Step One: Due Diligence

23 090701_23 23 #IHCC ACC-SoCal In-House Counsel Conference  Provides a uniform framework for due diligence  Ensures “apples-to-apples” comparison of vendor responses  Ensures all key areas of diligence are addressed  Provides an easy means for incorporating due diligence information into the final contract Step One: Questionnaire Advantages

24 090701_24 24 #IHCC ACC-SoCal In-House Counsel Conference  The Questionnaire will address security standards with which Vendors will be required to comply under the laws (e.g, HIPAA, FCRA/FACTA, GLB, etc.). Many Vendors will lack true understanding of these requirements.  The Questionnaire will be a tool to educate your Vendors about your compliance expectations. Step One: Questionnaire Use

25 090701_25 25 #IHCC ACC-SoCal In-House Counsel Conference  The Questionnaire should be presented to potential vendors at the earliest possible stage in the relationship.  Include as part of all relevant RFPs. If no RFP is used, submit to the vendor as a stand-alone document. Step One: Questionnaire Use

26 090701_26 26 #IHCC ACC-SoCal In-House Counsel Conference  NDA or Confidentiality Clause  General security obligations  Security and data warranties  Use of subcontractors/offshore entities  Personnel controls, diligence Step Two: Contractual Protections – Threat Scaling

27 090701_27 27 #IHCC ACC-SoCal In-House Counsel Conference  Breach notification, cost reimbursement  Indemnity – Protection from third party claims  Limitation of Liability  Insurance  Incorporation of Due Diligence Questionnaire Step Two: Contractual Protections

28 090701_28 28 #IHCC ACC-SoCal In-House Counsel Conference  Where appropriate, attach specific information handling requirements in an exhibit – Securing PII – Encryption – Secure destruction of data – Securing of removable media – Communication and coordination Step Three: Information Handling Requirements

29 090701_29 29 #IHCC ACC-SoCal In-House Counsel Conference  Raise security requirements from the outset, including liability expectations.  The way in which the requirements are presented to the vendor is key.  In many cases, it is necessary to educate the vendor about legal/regulatory requirements.  Major push-back to baseline technical requirements is common and almost never difficult to overcome.  Flexibility is frequently required, but generally only for a narrow range of requirements. Negotiation Tips

30 090701_30 30 #IHCC ACC-SoCal In-House Counsel Conference  Create a ready library of “plug-and-play” alternatives to standard required terms.  Addressing the common argument that “we cannot change the way we secure our systems for a single engagement.”  Addressing the argument that baseline security requirements somehow prevent the vendor from evolving its security standards. Negotiation Tips

31 090701_31 31 #IHCC ACC-SoCal In-House Counsel Conference  Moving target language  “Industry best practices” provisions  Compliance with laws/regulations that may not directly apply to the vendor’s business Negotiation Tips

32 090701_32 32 #IHCC ACC-SoCal In-House Counsel Conference  Ongoing policing of vendor performance and compliance is crucial – Audit rights – Access to third party audit reports (e.g., SAS 70 Type II, SSAE 16) – Updating of due diligence questionnaire is key  Annual compliance statement Post-Execution Follow-up

33 090701_33 33 #IHCC ACC-SoCal In-House Counsel Conference Questions?

34 090701_34 34 #IHCC ACC-SoCal In-House Counsel Conference Contact Information Michael R. Overly, Esq., Partner CISA, CISSP, ISSMP, CIPP, CRISC Technology Transactions & Outsourcing Group Foley & Lardner LLP 555 South Flower Street Suite 3500 Los Angeles, California (213) Wendy Coticchia, Esq. Senior Corporate Counsel Applied Computer Solutions Springdale Street Huntington Beach, CA (714) David R. Albertson, Esq., CIPP/IT Technology Transactions & Outsourcing Group Foley & Lardner LLP 555 South Flower Street Suite 3500 Los Angeles, California (213)

35 090701_35 35 #IHCC ACC-SoCal In-House Counsel Conference Introducing Lexis® Practice Advisor, a topical, transaction guide designed to address the needs of in-house counsel specializing in transactional matters. Our practice area-specific modules are chock-full of model documents, forms, checklists and commentary that are expertly annotated by seasoned attorneys in leading firms across the country. Practice Advisor content is organized to be easier to use than your traditional research platforms and is combined with pinpoint sections of Matthew Bender® treatises and relevant case law and statutes. This “stand-alone” offering will save the transactional attorney time as well as offering peace of mind that you haven’t missed something by relying on outdated and questionable resources.

36 090701_36 36 #IHCC ACC-SoCal In-House Counsel Conference

37 090701_37 37 #IHCC ACC-SoCal In-House Counsel Conference A Sampling of the Lexis Practice Advisor® Modules Currently Available: Corporate Counsel –A practical guidance resource for in-house attorneys who handle transactional matters. Written and enhanced by seasoned practicing attorneys with extensive in-house and law firm experience, the Corporate Counsel module covers issues that are relevant to a broad range of industries. It is an excellent starting point for simplifying the drafting process and enables users to handle matters quickly and efficiently. Mergers & Acquisitions featuring Market Tracker ® – An extensive database of M&A agreements and unique data capabilities to provide legal professionals the ability to quickly and easily search SEC filings. Market Tracker identifies “what’s market” by finding and comparing similar deals, giving you the ability to confidently draft documents based on the latest deal information. Securities & Capital Markets featuring Knowledge Mosaic – A comprehensive resource providing unique insight on the topics, transactions and perspectives that are critical to securities practitioners. Knowledge Mosaic brings together multifaceted securities, federal regulatory, disclosure and transaction information into one brilliant resource. You will get fast access to a unique blend of information and resources, such as SEC EDGAR filings that are updated in real time that you won’t find from any other single source. Intellectual Property & Technology – A comprehensive resource that provides unique insight for the Intellectual Property attorney. - including access to topical portions of Nimmer® on Copyright, Milgrim on Trade Secrets and Gilson on Trademarks; some of the leading IP treatises on the market. California Jurisdictional – A comprehensive resource that provides unique insight for California attorneys or lawyers practicing in California. Unique insight for a California attorney’s specific needs.

38 090701_38 38 #IHCC ACC-SoCal In-House Counsel Conference Visit us at our booth or for more information contact: Jeanne Briggs – Transactional Practice Specialist /

39 000000_39 11 th Annual In-House Counsel Conference January 22, 2014 (Los Angeles, CA) #IHCC14 39

Download ppt "1 2014 ACC-SoCal In-House Counsel Conference #IHCC14 Information Security & Regulatory Compliance: The Bottom Line January 22, 2014 Los Angeles, California."

Similar presentations

Ads by Google