
© Copyright 2011, Vorys, Sater, Seymour and Pease LLP. All Rights Reserved. Higher standards make better lawyers. ® CISO Executive Network Executive Breakfast.


1 CISO Executive Network Executive Breakfast Roundtable
June 29, 2011
The Cloud and The Law

2 If something goes wrong:
› What performance standard was met or not met?
  o Was that clearly referenced in the contract?
  o How clearly can we demonstrate the miss?
› How do we know that something went wrong?
  o Do the contract specifications conform to real-world expectations?
  o Will the provider notify us in the event of a breach? When?
  o How much control do we have in crafting the response?

3 Where is my Data?
› For a lawyer, one of the most important facts, but also one that can be difficult to fully grasp.
› Essential to understanding which party has control of the data and can be held responsible for:
  Securing physical access to the data
  Securing electronic access to the data
  Encrypting the data (if required)
  Monitoring for unauthorized access

4 What Data? What Jurisdiction?
Federal: Multiple sector-specific privacy laws:
› Education records – FERPA
› Medical records – HIPAA, the HITECH Act
› Financial data – Gramm-Leach-Bliley (“GLBA”)
› Disclosure to law enforcement – USA Patriot Act
› Electronic communications – ECPA
› E-Discovery/Litigation Holds – Federal and State Rules of Civil Procedure
State:
› Data-breach statutes, SSN laws, health privacy, financial privacy and the like.
International:
› Personal data within the EU – The European Union Data Protection Directive;
› Data laws of non-EU states (e.g., Australia, Canada and now, Mexico)
Contract:
› Payment Card Industry standards and any other contractual privacy provisions.

5 Is My Data Secure?
› What security measures does the provider have in place? Is the data segregated from other parties’? If so, how?
› Are the security measures documented?
› Do we have the right (and ability) to conduct security assessments?
› What monitoring do we do of the provider’s security practices?
› What are our rights in the event of a data breach? Can we bring in our forensic company?

6 Is a Password Required? Is a Password Enough?

7 Is My Data Available?
› Service Level Agreements
  Uptime/Downtime definitions
  24x7 or 8x5?
  Measurement/metrics – who provides?
  Measurement periods – short enough?
  Remedies: meaningful and incentivizing
› Practical Redundancies
  Data sources
  Power supplies
  Communication links

8 Do you know who your neighbors are?

9 And, It Wasn’t the First Time...

10 Any Subcontractors?
› Is the provider hiring a third party which will have access to our data?
› What subcontractors will have access to which data?
› What written confidentiality and privacy obligations do they have?
› What security assessments have been done on the subcontractors’ practices?

11 Data Ownership and Use
› Does the contract provide that the data is “owned” by the customer? Typically, state laws require that the provider is only obligated to notify the “owner” – so you will have to take care of the rest.
› Does the contract provide that the data cannot be used except in the performance of the services?

12 Data Retention and Access
› What are the provider’s data search, retention and destruction practices?
› Can the provider implement a “legal hold” on request (because of actual or potential litigation)?
› Are sufficient processes and controls in place for necessary authentication of data?

13 Notice Required?
› Does the agreement mandate that the provider give notice within a specific (and short) time in the event of:
  Any subpoena or other legal process seeking access to the data?
  Any security event or unauthorized access?
› Is the provider obligated to provide assistance and support if such an event occurs?

14 Insurance vs. Contracts
› Insurance: If a covered “something” happens and you suffer a covered loss, we will pay according to policy limits.
› Contract: If I have failed to do what I said I would do and you suffer a loss as a result, I will pay you for the types of losses that I have agreed to pay, up to the limits in my contract.

15 Insurance vs. Contracts
› Insurance Promise: If a covered event happens and you suffer a covered loss, we will pay according to policy limits.
› Contract Promise: If I have failed to do what I said I would do and you suffer a loss as a result, I will pay you for the types of losses that I have agreed to pay, up to the limits in my contract.

16 Indemnification; Limits of Liability
› Typically, these are the most contentious contract provisions.
› The provider wants to exclude liability for certain kinds of damages and to put a cap on the rest.
› Consider the types of damages that are most likely to be incurred and do not allow them to be excluded.
› Do not allow a cap that is lower than the likely loss. Even better is a cap at a multiple of the likely loss. The best is no cap.
› Consider excluding from caps or limitations damages from:
  › willful misconduct,
  › breach of confidentiality or privacy,
  › bodily injury (if any work is to be done on site),
  › property damage and
  › infringement claims.

17 A Key Question:
› What happens to our data when the contract terminates? Is it destroyed? Returned? Do we get machine-readable copies? If so, in what formats? Will they provide transition assistance at a reasonable cost?
