This Webcast Will Begin Shortly If you have any technical problems with the Webcast or the streaming audio, please contact us via email at: [email protected] Thank You!
A General Counsel's Contract Primer on Third Party Cybersecurity Risks
Cameron Stoll, CIPP/US Counsel, Blackbaud, Inc. [email protected]
Belton Zeigler Partner, Womble Carlyle [email protected]
Structure of Presentation
• Scope of Cyber Risk
• Framework for Assessing Cyber Risk
• Key Contractual Provisions
Scope of the Problem
• http://enterprise-content.akamai.com/2016-it-survey-enterprise-application-access
• http://en.softeck.co/tprisk2016
• http://www.ponemon.org/library/data-risk-in-the-third-party-ecosystem
• https://securityintelligence.com/media/2016-cost-data-breach-study/
Examples
• HVAC Vendor
• Medical Transcription Vendor
• Photo Hosting Service
• Point of Sale Vendor
• Vehicle Driver Compliance Vendor
• Stolen Vendor Credentials
Examples
• Payment Processing Vendor
• Background Checking Company
• Payroll Services (Equifax, ADP)
• …and others
• Point of Sale Services Vendor
• E-commerce Portal
• Contract Call Center Employees
Trouble in the Ecosystem
Ponemon Study: Data Risk in the Third-Party Ecosystem:
• Not confident that they would receive notice of third-party breaches affecting their information.
• Don’t know which third parties have access to their confidential information.
• Vendor’s security practices are not monitored.
• Internal accountability for third-party risk management unclear.
Ponemon, Data Risk in the Third-Party Ecosystem, 2016 http://www.ponemon.org/library/data-risk-in-the-third-party-ecosystem
Introduction
When Should We Care About Vendor Contracts the Most?
1. If vendor is Processing company data; or
2. If vendor has access to company networks.
1. State the Obligations
1. Assess what kind of data vendor will be processing
2. Look at your data flows to determine contractual and legal obligations
Answers will help you determine with which security requirements Company (and vendors) must comply
What Data Will Vendor Be Processing?
Internal:
• Employee information
• Payroll
• Direct deposit
• PII
• Health information
• Trade secrets
• Pricing information
• Internal policies
• Audit results
Client:
• PII
• PII of its clients
• Financial data
• History of use of your products/services
• Payment information
• Non-PII
Obligations
1. Compliance with security requirements
2. Compliance with laws
3. Confidentiality
4. Data usage restrictions
Obligations – Security Requirements
Questions that determine the security requirements:
• What data do we have?
• Which laws (if any) apply?
• What certifications or contractual obligations apply?
• What best practices do we want to employ?
Obligations – Security Requirements
Options for stating the standard the vendor must meet, each with a sample clause:
• A general standard (“reasonable”, “industry-standard”, “appropriate”):
  “Vendor shall take appropriate technical, physical and organizational precautions to protect Company Data against destruction, loss, alteration, unauthorized access by or disclosure to third parties.”
• A named framework (PCI-DSS, ISO 27001, NIST 800-53):
  “Vendor shall comply with the rules and regulations of the Payment Card Industry’s and the card associations (e.g., Visa, MasterCard), including, but not limited to, the data security standards (“PCI-DSS”).”
• Bespoke requirements:
  “In connection with its Processing of Company Data, Vendor shall comply with all requirements set forth on Exhibit A, attached hereto and incorporated herein.”
Obligations – Laws
• Vague: “Vendor shall comply with all applicable state and federal laws when Processing Company Data”
• Specific: “[…] including the following:” HIPAA, FERPA, GLBA, etc.
Organization of U.S. Privacy Laws – Sectoral Approach
Industry:
• Finance: GLBA
• Healthcare: HIPAA
• Government: Privacy Act of 1974
Activities:
• Advertising: CAN-SPAM
• Data Breaches: State laws
• Commerce: FTC Act, State laws
• Credit Reporting: FCRA
• Employment: State laws, ADA
Data Subjects:
• Students: State student record laws, FERPA
• Children: COPPA
Obligations – Confidentiality
• The definition of Confidential Information should specifically include Company Data
• Obligation to maintain confidentiality of Confidential Information and not disclose to third parties
• Carve outs for affiliates, service providers, and if required by applicable law or legal process
Obligations – Data Usage Restrictions
• Purposes of Processing: “Vendor shall Process data only [in accordance with Company’s instructions/as necessary to perform the Services]”
• Usage Restrictions: Company grants Vendor a license to use Company Data in aggregate and de-identified forms
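The “aggregate and de-identified” license above is only as safe as the de-identification behind it: dropping names and e-mail addresses is not enough if a released count of one or two in a narrow group still points at a single client. The following Python script is an added example, not from the deck or the presenters, showing what a defensible reading of the clause looks like in practice. The records, field names, the 3-digit ZIP / 10-year age generalization and the minimum group size k=3 are all assumptions constructed for the example.

```python
from collections import Counter

# Constructed sample of Company Data as a vendor might hold it: direct identifiers
# (name, email), quasi-identifiers (zip, age) and the product the client uses.
# Every value below is made up for this example.
SAMPLE_RECORDS = [
    {"name": "Ann Lee",  "email": "ann@example.com", "zip": "29201", "age": 34, "product": "Payroll"},
    {"name": "Bo Chen",  "email": "bo@example.com",  "zip": "29203", "age": 31, "product": "Payroll"},
    {"name": "Cy Diaz",  "email": "cy@example.com",  "zip": "29205", "age": 38, "product": "Payroll"},
    {"name": "Di Evans", "email": "di@example.com",  "zip": "29201", "age": 35, "product": "Payroll"},
    {"name": "Ed Fox",   "email": "ed@example.com",  "zip": "29210", "age": 42, "product": "Fundraising"},
    {"name": "Fay Gold", "email": "fay@example.com", "zip": "29212", "age": 47, "product": "Fundraising"},
    {"name": "Gus Hill", "email": "gus@example.com", "zip": "29204", "age": 44, "product": "Fundraising"},
    {"name": "Hal Ito",  "email": "hal@example.com", "zip": "30301", "age": 27, "product": "Payroll"},
]

DIRECT_IDENTIFIERS = {"name", "email"}


def deidentify(record):
    """Drop direct identifiers and generalize the quasi-identifiers so a single
    row no longer points at one person: 3-digit ZIP prefix, 10-year age band."""
    return {
        "zip3": record["zip"][:3],
        "age_band": f"{(record['age'] // 10) * 10}s",
        "product": record["product"],
    }


def deidentified_rows(records):
    """De-identify every record and check that no direct identifier survives."""
    rows = [deidentify(r) for r in records]
    assert not any(DIRECT_IDENTIFIERS & row.keys() for row in rows)
    return rows


def aggregate(records, k=3):
    """Count rows per (zip3, age_band, product) group and withhold groups with
    fewer than k members: a count of 1 or 2 in a narrow group can still single
    out a client even after the direct identifiers are gone."""
    counts = Counter((r["zip3"], r["age_band"], r["product"])
                     for r in deidentified_rows(records))
    released = {g: n for g, n in counts.items() if n >= k}
    suppressed = {g: n for g, n in counts.items() if n < k}
    return released, suppressed


if __name__ == "__main__":
    released, suppressed = aggregate(SAMPLE_RECORDS)
    for group, n in sorted(released.items()):
        print(group, n)
    print("suppressed groups:", len(suppressed))
```

With the constructed data, two groups are released and the single 20s/303xx Payroll client is withheld; a contract reviewer can ask a vendor to show the equivalent threshold and generalization rules for whatever “aggregate” reporting it intends to produce.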
Ensuring Performance
• PCI-DSS compliance validation
• SOC 1, SOC 2
• Third party audit report
• On-premise audits
• Audit on periodic basis and upon occurrence of breach or other defined event
1. Require Visibility
   a) Know who the vendors are
   b) Information/Audit rights
   c) Veto over your data/access to your system
2. Obligations Flow Down
   a) Compliance with data security standards
   b) Immediate breach reporting
   c) Response cooperation
   d) Vendor’s vendors’ vendors
Indemnities
Company wants broad indemnity:
• Security Incident broadly defined
• Vendor’s vendors
• First and third party costs
• Not defeated by limitations of liability
• Fines, penalties, ransom payments, etc.
Vendor wants the opposite:
• Consequential damages
• Lost profits
Limitations of Liabilities
• Company wants none; Company may press for carve-out for breach of confidentiality.
• Vendor wants cap; Vendor may want super cap in the range of $10-$15 million.
• Beware limitations of liability by category that frustrate indemnities and other damages provisions.
• How big is the cap?
Insurance
• Highly recommended.
• Terms are not standardized.
• Be wary of exclusions that apply to Vendor’s negligence.
Surviving data usage/transfer rights
• Specify the cost, schedule and terms of data migration or hostage situation.
• Vendor may not use identifiable or non-aggregated data.
Certify destruction or de-identification
• Degaussing or overwriting with 1’s and 0’s.
• Commingled data causes problems.
• System access rights need to be terminated completely.
• Certificate of destruction, verification.
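“System access rights need to be terminated completely” is the one item on this slide that Company can verify from its own records rather than from a vendor’s certificate, and it also answers the “Stolen Vendor Credentials” example earlier in the deck: a terminated vendor’s account that is still enabled, or still being presented at a login prompt, is a finding either way. The following Python script is an added example, not part of the deck or the presenters’ material. It takes a constructed inventory of vendor service accounts with contract end dates and a constructed authentication log; the field names, log format and dates are all assumptions made for the example.

```python
from datetime import date, datetime

# Constructed inventory of vendor service accounts on Company systems.
# Field names and values are assumptions for this example, not from the deck.
VENDOR_ACCOUNTS = [
    {"user": "svc-hvacco",     "vendor": "HVAC vendor",          "enabled": False, "contract_end": "2016-03-31"},
    {"user": "svc-transcribe", "vendor": "Transcription vendor", "enabled": True,  "contract_end": "2016-05-15"},
    {"user": "svc-posvendor",  "vendor": "POS vendor",           "enabled": True,  "contract_end": "2017-12-31"},
]

# Constructed authentication log, one event per line: "<ISO timestamp> <user> <result>".
AUTH_LOG = """\
2016-04-02T09:15:00 svc-hvacco LOGIN_FAILED
2016-05-20T22:41:10 svc-transcribe LOGIN_OK
2016-06-01T08:00:00 svc-posvendor LOGIN_OK
"""


def parse_auth_log(text):
    """Parse the constructed log format into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events


def residual_access_findings(accounts, log_text, as_of):
    """List vendor accounts whose contract ended before `as_of` (ISO date string)
    but that are still enabled, or that were used (or tried) after the end date.
    A failed login after termination is reported too: the credential is still
    being presented somewhere, which belongs in the incident record."""
    as_of_date = date.fromisoformat(as_of)
    events = parse_auth_log(log_text)
    findings = []
    for acct in accounts:
        end = date.fromisoformat(acct["contract_end"])
        if as_of_date <= end:
            continue  # contract still running; nothing to terminate yet
        if acct["enabled"]:
            findings.append((acct["user"], "account still enabled after contract end"))
        for ts, user, result in events:
            if user == acct["user"] and ts.date() > end:
                findings.append((acct["user"], f"{result} at {ts.isoformat()} after contract end"))
    return findings


if __name__ == "__main__":
    for user, issue in residual_access_findings(VENDOR_ACCOUNTS, AUTH_LOG, "2016-06-30"):
        print(f"{user}: {issue}")
```

Run against the constructed data as of 2016-06-30, the transcription vendor’s account is flagged twice (still enabled, and a successful login after its contract ended), the HVAC account is flagged once for a failed login attempt after termination, and the point-of-sale vendor, whose contract is still running, produces nothing. The same check run on a schedule is the evidence Company would want before accepting a vendor’s certificate of destruction.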
Procurement Resources
• Vendor security rating services:
  https://www.bitsighttech.com/
  https://securityscorecard.com/company/
  http://www.riskrecon.com/
• Vendor security questionnaires:
  https://www.vendorsecurityalliance.org/
  https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/
• Security certification: ISO/IEC 27001:2013 http://www.iso27001security.com/html/27001.html
• Reports: SOC-2 https://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/AICPASOC2Report.aspx
Cloud
• Amazon Web Services Whitepapers: https://aws.amazon.com/whitepapers/overview-of-security-processes/
• Cloud Security Alliance https://cloudsecurityalliance.org/
Thank you for attending another presentation from ACC’s Webcasts
Please be sure to complete the evaluation form for this program as your comments and ideas are helpful in planning future programs.
If you have questions about this or future webcasts, please contact ACC at [email protected]
This and other ACC webcasts have been recorded and are available, for one year after the presentation date, as archived webcasts at http://www.acc.com/webcasts.