Managing Risk in Cloud Computing Contracts Henry Ward and Todd Taylor April 30, 2015.

Presentation transcript:


Discussion Topics
- Data Security
- Compliance
- Indemnification
- Limitation on Liability and Insurance

Data Security: Ownership and Access
- Acknowledgment that all data you input into the software or provide to the vendor is owned by you.
- Requirement that, at the termination of the contract, the vendor will provide you a copy of your data in an agreed-upon format.
- Requirement that the vendor permanently deletes all copies of your data at the termination of the contract (including back-up media).
- Litigation-cooperation clause requiring the vendor to preserve your data and cooperate with any discovery requests if you become involved in any litigation.

Data Security: Back-Up Capability
- Redundant systems in place so that if the vendor's main data center goes down (e.g., because of a natural disaster or cyber attack), you will continue to be able to access and use the services.
- Required procedure for backing up your data.

Data Security: Confidentiality
- Restrict who can have access to your information.
- Restrict how your information can be used.
- Require the vendor to use at least reasonable measures to protect your information.
- Require the vendor to be responsible for any data that is lost, stolen or compromised while in the possession or control of the vendor.

Data Security: Encryption
- Requirements when transmitting data.
- Requirements when storing data.

Data Security: Audit Rights and Reporting Obligations
- You should have the right to audit the security procedures and data centers of the vendor.
- Requirement that the vendor have Type II SSAE 16 examinations conducted on its controls and procedures for storing, processing and transmitting data, and provide you copies of the examination reports.

Data Security: Security Breach Procedures
- Requirement for prompt notification of an actual or suspected breach.
- Requirement to cooperate and provide assistance in remedying the breach.
- Remedial obligations, including payment of notification and credit monitoring costs, if applicable.

Compliance: Federal Data Security Law and Regulations
- The Federal Information Security Management Act ("FISMA")
- The Veterans Benefits, Health Care, and Information Technology Act (the "VA Information Security Act")
- The Privacy Act
- Gramm-Leach-Bliley Act ("GLBA")
- The Health Insurance Portability and Accountability Act ("HIPAA") & the HITECH Act
- The Federal Trade Commission Act (the "FTC Act")
- The Telecommunications Act
- The Fair and Accurate Credit Transactions Act ("FACTA")

Compliance: Industry Data Security Standards
- Payment Card Industry Data Security Standard (PCI DSS) – PCI DSS was originally adopted by Visa, MasterCard, Discover, American Express and Japan Credit Bureau. PCI DSS sets forth minimum technical and operational requirements for the protection of cardholder data. PCI DSS applies to all entities involved in payment card processing, including merchants.
- ISO/IEC – Series of information security standards promulgated by the International Organization for Standardization and the International Electrotechnical Commission.
- NIST – A set of security controls promulgated for U.S. federal information systems and their third-party service providers by the National Institute of Standards and Technology.

Compliance: State Data Security Law and Regulations
- California Civil Code § – Businesses that own, license or maintain personal information shall implement and maintain reasonable security procedures and practices.
- Connecticut General Statute § – Any person in possession of another's personal information shall safeguard the data, computer files and documents containing such personal information.
- Maryland Personal Information Protection Act – Businesses owning or licensing personal information shall implement and maintain reasonable security procedures.

Compliance: State Data Security Law and Regulations (cont.)
- Massachusetts Safeguards Rule – Persons owning or licensing personal information shall develop, implement and maintain a comprehensive written information security program setting forth administrative, technical and physical safeguards. If personal information is electronically stored, the information security program must cover computers and wireless systems.
- Minnesota Plastic Card Security Act – Prevents merchants from retaining various card-related data for more than 48 hours after authorization of a transaction.
- Nev. Rev. Stat. Ann. §§ 603A.210 & 603A – Require, among other things: (a) data collectors maintaining records of personal information to implement and maintain reasonable security measures, and (b) business entities accepting payment cards for the sale of goods or services to comply with PCI DSS.

Compliance: State Breach Notification Laws and Regulations
- Widespread Adoption – Currently 47 states have adopted some form of data breach notification law.
- Protect "personally identifiable information" – State data breach laws, generally speaking, protect a name in combination with other data (driver's license number, Social Security number, financial account numbers, sometimes in combination with a passcode), if not publicly available.
- Notice Requirements – There is some variation in notice requirements across the states, but notice to affected persons (and/or governmental agencies) is typically triggered when the data holder reasonably believes that an unauthorized person has accessed or acquired personally identifiable information that was not rendered unusable, and that illegal use of the information has occurred or is reasonably likely to occur.

Indemnification: Types of Claims
- Tortious acts and omissions.
- Intellectual property infringement (beware of the combination carve-out). Note publicity restrictions.
- Personal injury/property damage.
- Breach of confidentiality/security breach.

Limitation on Liability: Exclusions
- Exclusion for indemnity obligations.
- Exclusion for willful misconduct.
- Exclusion for breach of confidentiality obligations (and data breach, if possible).
- Exclusion for property damage/bodily injury.
- Exclusion for remedial obligations for data breach.
- If not obtainable, consider a negotiated cap on liability.

Insurance
- General commercial liability.
- Cybersecurity (data breaches, business interruption, and network damage).

QUESTIONS?