Transcript
Page 1: The SIG Webinar will begin shortly. Once the webinar begins, the …sig.org/docs2/SIGMayerBrown11172016Webinar.pdf · Once the webinar begins, the sound will come from your computer

The SIG Webinar will begin shortly. Once the webinar begins, the sound will come from your computer speakers. In the meantime, please take a look at the upcoming SIG networking events listed on the right side of your screen and plan to join us if you are in one of these cities this fall. For more information and to register for all SIG events: www.sig.org

NETWORKING EVENTS

GLOBAL SUMMIT
Mar 13-16 - Amelia Island, FL

SYMPOSIUM
Jan 18 - San Francisco, CA
Feb 21 - San Francisco, CA
March 1-2 - Seattle, WA
April 11 - New York, NY

Page 2

Networking and sharing thought leadership are part of SIG membership

• Global Summits – attend two large events with 50+ breakouts, 5-8 keynotes and unlimited networking opportunities

• Global events in North America, EMEA, APAC – attend SIGnature events, GBS Roadmap series, Challenge awards

• Weekly Webinars and Monthly Town Hall Teleconferences – access virtual thought leadership

• Peer2Peer Resource – ask top-of-mind questions for instant responses

• SIG Resource Center – access 5,000+ presentations, research, whitepapers, tools, templates and more

• Career Network – post and find jobs or internships

• Student Talent Outreach – meet students interested in a career in supply chain, sourcing or services

Stay connected with other SIG members through various social media channels: bit.ly/SIGLinkedIn, @SIGinsights, bit.ly/SIGfacebook, bit.ly/SIGYouTube, bit.ly/SIGBlog

Page 3

SIG Global Summits are semi-annual events with 350-400 decision-makers in attendance

Global Summits

• 3 ½ days of networking in a non-commercial environment

• 5 keynote sessions

• Global brands

• Executive Roundtables

• Over 50 breakout sessions

• Hundreds of industry thought leaders with a buy-side ratio of 70:30

Amelia Island, FL, March 13-16, 2017

67% of delegates are director level or above, of which 43% are VP/C-level

Recent speakers include:

Page 4

We are bringing SIG to you…all over the globe

GLOBAL EVENTS

SYMPOSIUMS
Feb 1 – London, England

GBS ROADMAP SERIES
Mar 2 – Zurich, Switzerland

CHALLENGE THE FUTURE AWARDS PROGRAM
Feb 2-3 – London, England

Page 5

For more information go to: www.siguniversity.org

Online learning environment with multiple eLearning options: Cohort, Self-Paced and Custom Solutions

Modules with lessons, formative assessments, and NO final exam

Certification good for 5 years

Early enrollment options that can save you up to 25%

Certified Sourcing Executive program coming in 2017

Updated governance, risk and compliance program coming in 2017

Certified Sourcing Professional starting January 30th, 2017!

Page 6

Contracting for Cybersecurity and Privacy Protections

Sourcing Industry Group (SIG)

Rebecca S. Eisner, Partner, Mayer Brown LLP
Lei Shen, Senior Associate, Mayer Brown LLP

November 17, 2016

Page 7

Presenters

Rebecca Eisner is a partner in the Chicago office of Mayer Brown LLP where she also serves as Partner-In-Charge (350 attorneys). She focuses her practice on technology and business-process outsourcing and sourcing, information technology transactions, privacy, and security. Rebecca also regularly advises clients in data transfer and privacy issues affecting corporate initiatives and transactions, such as divestitures, global data programs, data collection, analytics and use, privacy assessments and emerging US security and privacy legal standards.

Rebecca S. Eisner, Partner, Mayer Brown, +1 312 701 [email protected]

Lei Shen, Senior Associate, Mayer Brown, +1 312 701 [email protected]

Lei Shen is a senior associate in the Cybersecurity & Data Privacy and Business & Technology Sourcing practices in Mayer Brown’s Chicago office. Lei focuses her practice on data privacy and security and on information technology transactions. Lei advises clients regarding a wide range of global data privacy and security issues. She assists companies with navigating and complying with state, federal, and international privacy regulations, including with regard to global data transfers and data breach notification.

Page 8

• More than 50 lawyers around the world focused on helping clients improve their business operations by sourcing services and technology

• Advised on more than 300 significant outsourcing transactions valued at an aggregate of more than $100 billion

Recognized Market Leader

“Band 1” ranking in IT/Outsourcing for 13 consecutive years (Chambers 2004-2016)

Named “MTT Outsourcing Team of the Year” in 2014 and ranked in the top tier from 2010 through 2016

Ranked as one of the top law firms in 2009 through 2016 on The World’s Best Outsourcing Advisors list for The Global Outsourcing 100™

About Mayer Brown’s Business & Technology Sourcing Practice

“They're very practical in terms of trying to identify solutions and giving very good advice on areas where it's reasonable for us to compromise or, alternatively, where to hold our ground.”

~ Chambers USA 2015

“An excellent team of people for outsourcing agreements globally -pragmatic in their approach, with a wealth of experts they can call on.”

~ Chambers Global 2014

“They are very good at being able to communicate and synthesize information in a useful and easily understandable way.”

~ Chambers USA 2016

“Their knowledge in this area is tremendous. They know us so well they blend into our deal teams and become a natural extension to our in-house team.”

~ Chambers USA 2014

Page 9

Cyber Attacks Are Increasing in Cost and Frequency

[Chart: number of breaches per year, 2005-2015 (y-axis 0 to 1,600), broken out by threat action category: Hacking, Malware, Social, Error, Misuse, Physical, Environmental.]

*Source: Verizon 2016 Data Breach Report

89% of breaches in 2015 had a financial or espionage motive.

~ Verizon 2016 Data Breach Report

Cybercrime already costs the global economy approximately $445 billion a year.

~ McAfee; CSIS (2014)

Page 10

Impact

1. Expense to respond

2. Damage to brand/reputation and resulting loss of sales

3. Disruption to management, public relations, marketing and operations

4. Regulatory sanctions or mandates

5. Shareholder derivative suits against directors and officers

6. Consumer class actions against the company

7. Collateral damage to other companies, who then sue

8. Recognition that a company cannot “outsource” cyber and privacy risk to a third party


Page 11

ITO, BPO and Cloud

• Your security is only as good as your weakest vendor’s security

• Trusted contractors may subcontract vital roles

• Liability caps may warp incentives


Page 12

Legal Structure for Security and Privacy

• US – Sectoral, state and FTC regulation on personal data

– Regulators weighing in: NAIC, FCC, SEC, DOJ, FDA, NYDFS, CA AG

• Europe – Consolidated, strict privacy regulations

• ROW – Varied and in some cases more strict

• The majority of privacy and security laws apply first and foremost to the data owner versus to a service provider who processes the data, but this is changing…

– HIPAA, Massachusetts, GDPR

• Most laws require “reasonable and appropriate” technical and organizational measures without clear standards


Page 13

ITO, BPO and Cloud: US Legal Standards

“Reasonable Measures” include care in selection and oversight of Third Parties:

• GLBA: OCC Third-Party Relationships – Risk Management Guidance (Oct. 30, 2013); US FRB “Guidance on Managing Outsourcing Risk” (Dec. 5, 2013); FFIEC Cybersecurity Assessment Tool (June 2015)

• HIPAA: Business Associate Agreement, Privacy and Security Rules

• SEC: Disclose material outsourcing relationships and risks that bear on cybersecurity

• States: For example, Massachusetts regulations require companies to take steps in selection and supervision of service providers; service providers have direct exposure to individuals regardless of contract terms

• FTC: Inadequate Oversight of Service Providers – Failing to oversee service providers and to require them by contract to implement safeguards to protect personal information


Page 14

ITO, BPO and Cloud: US Legal Standards

• FTC commonly includes in consent decrees:

– Designate dedicated data security personnel

– Identify “material internal and external risks”

– Implement “reasonable safeguards” to control risks

– Develop “reasonable steps” to select secure vendors

– Require suppliers to implement reasonable security measures through written agreements and ongoing verification

• See “Start with Security” publication from FTC (June 2015)


Page 15

ITO, BPO and Cloud: US Legal Standards

New York Department of Financial Services (Proposed)

• Recently proposed a new regulation that would require New York state-licensed banks and insurers to institute intensive cybersecurity procedures and controls, including:

– Establish an internal cybersecurity program and adopt a written cybersecurity policy

– Designate a Chief Information Security Officer

– Implement a third-party information security policy

– Annual certification of compliance

– Breach notification within 72 hours of “any material risk of imminent harm”

– Requirements for data encryption, multifactor authentication

– Entities with (1) fewer than 1,000 customers in each of the last three years, (2) less than $5 million in gross annual revenue in the last three years, and (3) less than $10 million in year-end total assets are exempt from many requirements.

• Scheduled to take effect on January 1, 2017

– 45-Day notice-and-comment period; industry will likely have significant comments during this period


Page 16

Building Data Security and Privacy Compliance Into ITO, BPO and Cloud

Selection Contracting Governance


Page 17

First Steps

• Review your written information security plan

– If you don’t have one, advocate for one

• Review your data breach response plan

– If you don’t have one, advocate for one

• Review cyber goals and objectives set by the Company Board

• Identify subject matter experts and stakeholders

• Identify relevant laws, policies and standards

• Create (or identify) data security questionnaires by category or data risk level


Page 18

Polling Question

• Does your company have a written information security plan or a data breach response plan in place?

a) We have both

b) Only a written information security plan

c) Only a data breach response plan

d) Neither

e) I don’t know


Page 19

Building Data Security Into ITO, BPO and Cloud

• Determine what data will be accessed or stored by supplier

• Categorize that data by risk level (sensitivity, volume, legal/contractual obligations)

• Review contracting party’s security measures under your policies

• If applicable, send questionnaires regarding security

• If applicable, commission security reviews and audits

• Review completed questionnaires and audit reports and remove suppliers with inadequate security capabilities

• Estimate cost of ongoing security review for business case


Page 20

Building Data Security and Privacy Compliance Into ITO, BPO and Cloud

Selection Contracting Governance


Page 21

Contracting Readiness

• Develop your own checklist of contractual requirements based on your company’s privacy and security requirements

• Develop standard contractual clauses that address these privacy and security requirements, and fallback positions

• Use the checklist to evaluate supplier agreements and to educate your business about gaps or shortfalls in a supplier’s ability to meet your privacy and security requirements


Page 22

Data Security and Privacy – Checklist — Terms

** Indicates challenges in obtaining these commitments in public cloud area


General security and confidentiality covenants for Customer Data

Compliance with security standards and annual certification (ISO/IEC 27001 (with Statement of Applicability) and ISO/IEC 27018 for cloud, NIST, FedRAMP, PCI DSS, etc.)

Audit reports – which ones, how often, performed by trusted third party, ability to (SOC 1, SOC 2 Type II, SOC 3)

Compliance with privacy and data security laws

Data locations (processing and storage) and data transfers (including remote access)**

Customer’s written information security policies**

Physical, technical and organizational security measures

Security incident reporting (definition of incident and of personal information (recently expanded), and time period) (GA – supplier-to-owner in 24 hours; FL – notify individuals in 30 days)

Page 23

Data Security and Privacy – Checklist — Terms

** Indicates challenges in obtaining these commitments in public cloud area


Restrictions on subcontracting**, including flow-down of obligations

Background checks and personnel screening **

Data minimization and compliance with records retention policies **

Limitations on access to systems

Adequate cyber-liability coverage on a primary basis **

Restrictions on secondary uses of data (including aggregated, derived or anonymized data) **

Page 24

Data Security and Privacy – Checklist – Options (not public cloud)


Rights to change policies and standards to respond to changes in laws or new threats

Rights to obtain commitments directly from personnel

Rights to require use of new technologies such as biometrics, when available

Right to do on-site security audits, including penetration testing

Note: Contracting parties, particularly suppliers, will ask that all changes go through Change Control with mutual agreement on cost, capability and timing

Page 25

Data Security and Privacy– Checklist — Remedies


Reimbursement for cost of audits that detect security failures

Reimbursement for costs of security breaches, such as data breach notification to consumers

Reimbursement for customary additional actions, such as investigation, call centers, credit monitoring services, credit card replacements, etc.

Reimbursement for forensic investigations and breach identification costs

Other damages, perhaps subject to a liability cap (includes consequentials and direct damages)

Termination rights triggered by breaches (e.g., deeming a data security incident involving loss of sensitive data a material breach)

Key issue: Is contracting party responsible if contracting party fails to prevent security incidents or only if contracting party causes the security incident

Page 26

ITO, BPO and Cloud: New Risk

“Big Data” increases risk:

• New “Big Data” tools allow suppliers to create new value with customer data, and data increasingly goes out for “analytics”

• “Big Data” uses may not breach traditional confidentiality provisions due to standard exceptions such as information being publicly available

• These uses may be authorized by clauses such as use “to improve our services” or “in aggregated form” or “in anonymized form”

• These uses potentially disclose valuable information that might otherwise be secret, such as the characteristics of high-margin customers or trade secrets or future plans


Page 27

ITO, BPO and Cloud: New Risk

Use of your “Big Data” by a supplier may result in:

• Violations of privacy laws or certifications (e.g., EU marketing restrictions, notice and choice principles under Privacy Shield, etc.)

• Violation of your privacy policies

• Violation of third-party data licenses

• Lack of compliance with self-regulatory principles (e.g., DMA, etc.)


Page 28

EU AND DATA TRANSFERS

Page 29

Current EU Challenges With Data Transfers

• EU Model Clauses (but with caution – Schrems challenge)

• Binding Corporate Rules (BCRs) (intercompany only)

• Derogations listed in Article 26 of EU Data Protection Directive

– Data Subject Consent

• Approval from Data Protection Authority (DPA)

• Privacy Shield – NOT Safe Harbor


Page 30

Prepare NOW for EU General Data Protection Regulation – Third-Party Contracts will be Affected

• Implementation

– Regulation adopted 27 April 2016 (published in the Official Journal 4 May 2016) and replaces the existing EU data privacy regime from 25 May 2018

• Should result in a largely harmonized position throughout all EU countries

• Applies to processing of personal data

– (a) in the context of the activities of a controller or processor established in the EU, irrespective of where the processing takes place

– (b) of data subjects who are in the EU by controllers or processors not established in the EU where the processing relates to offering goods or services to the data subjects or monitoring the behavior in the EU of data subjects


Page 31

GDPR Impacts on Third-Party Contracting

• More sophisticated requirements between controllers and processors

• Privacy by design

• Record-keeping

• Impact assessments

• Enhanced data subject rights –transparency, right to be forgotten, data portability, right to object to processing

• Breach notification in 72 hours

• Administrative fines of greater of 4% worldwide turnover or €20 million

• Direct remedies and proceedings for data subjects

• Approved transfer mechanisms largely continue but with possible challenge to model clauses and tightened use of consent and derogations


Page 32

Polling Question

• Is your company using Privacy Shield, the Standard Contractual Clauses (Model Clauses) or another method to transfer EU personal data to the U.S.?

a) Privacy Shield

b) Standard Contractual Clauses (Model Clauses)

c) Both

d) Another transfer mechanism

e) I don’t know


Page 33

Privacy Shield

• Replacement mechanism to Safe Harbor that permits transfers of EU personal information to the US

• Must be subject to jurisdiction of FTC or DOT to self-certify

• Privacy Shield Principles: Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability (plus 16 Supplemental Principles)

• Not easy – compliance often requires certain operational and policy changes

• Certify prior to September 30 – nine-month grace period for Onward Transfer principle

• The “Onward Transfer” principle addresses how Privacy Shield-certified companies must protect personal information that they transfer onto other data controllers or to third-party agents


Page 34

Privacy Shield Onward Transfers

• Contracts between a Privacy Shield-certified entity and a third-party controller must include the following:

– Data can only be processed for limited and specified purposes consistent with the consent provided by the individual

– The third-party controller must provide the same level of protection as the Privacy Shield principles

– If the third-party controller can no longer provide the same level of protection as the Privacy Shield principles, the contract must require that the controller cease processing and/or take other reasonable and appropriate steps to remediate


Page 35

Privacy Shield Onward Transfers

• With respect to transfers to a third-party agent:

– Transfers of data must be only for limited and specified purposes

– Companies must ascertain that the agent is obligated to provide at least the same level of privacy protection required by the Privacy Shield principles

– Companies must take reasonable and appropriate steps to ensure that the data is processed by the third-party agent in a manner consistent with companies’ obligations under the Privacy Shield principles

– Require that companies be notified by third-party agent if they determine they can no longer meet those obligations and, if so, take steps to stop and remediate

– Companies must provide a summary or a copy of the relevant privacy provisions of their contract with the third-party agent to the Department of Commerce upon request


Page 36

Privacy Shield Onward Transfers

• After Safe Harbor invalidation, many companies put EU Model Clauses in place to address data transfers

• EU Model Clauses alone will not satisfy Privacy Shield requirements

• Some companies are doing both Model Clauses and Privacy Shield

• Companies will likely need to amend their third-party agreements under which they transfer EU data to comply with Privacy Shield Onward Transfer requirements

• Amendments will need to address compliance with Privacy Shield requirements


Page 37

Privacy Shield Onward Transfers

• Amendments should address (among other items):

– restrictions or conditions on further onward transfers (subcontracting)

– the ability to delete personal information after a change in choice by an individual

– the requirement to submit to audits and other verifications so that the certified company may ascertain that the third-party agent is in compliance with Privacy Shield obligations

– assistance in providing access to individuals for review and corrections


Page 38

Privacy Shield Onward Transfers

• Amendments should address (among other items):

– agreement that certified company may provide relevant portions of the contract to the Department of Commerce

– assurance regarding reasonable and appropriate measures regarding security

– processing compatible with the purpose for collection

– requirement to notify company if third party can no longer comply

– allocation of liability – certifying company is liable unless it proves it is not responsible for the event giving rise to the action


Page 39

Building Data Security and Privacy Compliance Into ITO, BPO and Cloud

Selection Contracting Governance


Page 40

Following up in Governance

• Security team explicitly takes responsibility

• Follow-up questionnaires and certifications and ongoing monitoring

• “Data map” showing which contractors have access to which data

• Security audits

• Review of audit reports and follow-up on exceptions or identified vulnerabilities

• Rigorous policing of access rights (particularly where user IDs are normally shut off based on a feed from the HR systems, since contractor personnel are typically not in that feed)

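One concrete control behind the last two bullets above, as an added example that is not part of the webinar or of Mayer Brown's material: contractor user IDs usually never appear in the HR feed that drives deprovisioning, so they need a reconciliation of their own. The script below (Python; the data model, finding codes and every sample record are constructed for illustration and are hypothetical) checks each supplier account against the roster the supplier certifies and against the data map's contract entry, and flags accounts whose contract has lapsed, who have rolled off the supplier's roster, who hold access beyond the contracted data categories, or who have gone idle.

```python
# Added example (not from the webinar slides): reconcile supplier accounts
# against the supplier's certified roster and the "data map" of contracted
# access. All names, finding codes and sample records are hypothetical.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    """An active user ID exported from the customer's identity store."""
    user_id: str
    supplier: str
    data_categories: frozenset  # data categories the account can reach today
    last_login: date


@dataclass(frozen=True)
class RosterEntry:
    """One person on the roster the supplier certifies periodically."""
    user_id: str
    supplier: str
    active: bool  # supplier confirms the person is still on the engagement


@dataclass(frozen=True)
class Contract:
    """Data-map entry: what a supplier contract permits, and until when."""
    supplier: str
    permitted_categories: frozenset
    end_date: date


def reconcile(accounts, roster, contracts, today, stale_days=90):
    """Return (user_id, finding_code, detail) tuples for supplier accounts
    that an HR-driven deprovisioning feed would never catch."""
    roster_by_key = {(r.supplier, r.user_id): r for r in roster}
    contract_by_supplier = {c.supplier: c for c in contracts}
    findings = []
    for acct in accounts:
        contract = contract_by_supplier.get(acct.supplier)
        if contract is None:
            # No contract on file: nothing else can be evaluated, and the
            # account should not exist at all.
            findings.append((acct.user_id, "NO_CONTRACT", acct.supplier))
            continue
        if contract.end_date < today:
            findings.append((acct.user_id, "CONTRACT_EXPIRED",
                             contract.end_date.isoformat()))
        entry = roster_by_key.get((acct.supplier, acct.user_id))
        if entry is None or not entry.active:
            findings.append((acct.user_id, "NOT_ON_ACTIVE_ROSTER", acct.supplier))
        # Access beyond what the contract permits is a data-map violation
        # even when the person is legitimately on the engagement.
        excess = acct.data_categories - contract.permitted_categories
        if excess:
            findings.append((acct.user_id, "ACCESS_BEYOND_CONTRACT",
                             ",".join(sorted(excess))))
        if today - acct.last_login > timedelta(days=stale_days):
            findings.append((acct.user_id, "STALE_ACCOUNT",
                             acct.last_login.isoformat()))
    return findings


# Constructed sample input: two contracted suppliers (one contract already
# expired) and one account for a supplier with no contract at all.
SAMPLE_TODAY = date(2016, 11, 17)
SAMPLE_CONTRACTS = [
    Contract("AcmeBPO", frozenset({"PII", "FINANCIAL"}), date(2017, 12, 31)),
    Contract("CloudCo", frozenset({"PII"}), date(2016, 10, 31)),
]
SAMPLE_ROSTER = [
    RosterEntry("v-alice", "AcmeBPO", active=True),
    RosterEntry("v-bob", "AcmeBPO", active=False),  # rolled off the engagement
    RosterEntry("v-carol", "CloudCo", active=True),
]
SAMPLE_ACCOUNTS = [
    Account("v-alice", "AcmeBPO", frozenset({"PII"}), date(2016, 11, 10)),
    Account("v-bob", "AcmeBPO", frozenset({"PII", "FINANCIAL"}), date(2016, 6, 1)),
    Account("v-carol", "CloudCo", frozenset({"PII", "PHI"}), date(2016, 11, 15)),
    Account("v-dave", "LegacyInc", frozenset({"PII"}), date(2016, 11, 1)),
]


def run_sample():
    """Reconcile the constructed sample and return the findings."""
    return reconcile(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, SAMPLE_CONTRACTS, SAMPLE_TODAY)


if __name__ == "__main__":
    for user_id, code, detail in run_sample():
        print(f"{user_id:<10} {code:<24} {detail}")
```

On the sample, v-alice produces no finding; v-bob is flagged as off the roster and stale; v-carol is flagged because the CloudCo contract has expired and the account reaches a category (PHI) the contract never permitted; v-dave is flagged because no contract exists for the supplier at all. In practice the account export comes from the identity provider, the roster from the supplier's periodic certification required under the contract, and the contract entries from the data map, and each finding feeds the exception follow-up called for on the slide.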

Page 41

Summary

• Data security is a current critical issue

– Loss of competitive advantage and reputation

– Breach of laws and contracts

• You can mitigate data security risk in the selection, contracting and governance phases for new contracts

• You can also address current data security issues with current contracting parties through review, amendment and governance steps

• Taking these steps will reduce the risk of a high-profile calamity from a contracting party agreement

• Monitor and prepare for changes in data protection laws that affect third-party contracts


Page 42

Questions

Rebecca S. Eisner, Partner, Mayer Brown
+1 312 701 [email protected]

Lei Shen, Senior Associate, Mayer Brown
+1 312 701 [email protected]

Page 43

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe–Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown Mexico, S.C., a sociedad civil formed under the laws of the State of Durango, Mexico; Mayer Brown JSM, a Hong Kong partnership and its associated legal practices in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. Mayer Brown Consulting (Singapore) Pte. Ltd and its subsidiary, which are affiliated with Mayer Brown, provide customs and trade advisory and consultancy services, not legal services. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.