This Webcast Will Begin Shortly - Association of …webcasts.acc.com/handouts/Cybersecurity_Webcast_Slides.pdfThis Webcast Will Begin Shortly ... Payment Processing Vendor Background

May 24, 2018

Page 1: This Webcast Will Begin Shortly

If you have any technical problems with the Webcast or the streaming audio, please contact us via email at: [email protected]

Thank You!

Page 2: A General Counsel's Contract Primer on Third Party Cybersecurity Risks

Cameron Stoll, CIPP/US, Counsel, Blackbaud, Inc. [email protected]

Belton Zeigler, Partner, Womble Carlyle [email protected]

Page 3: Structure of Presentation

•  Scope of Cyber Risk
•  Framework for Assessing Cyber Risk
•  Key Contractual Provisions

Page 4: Scope of the Problem

•  http://enterprise-content.akamai.com/2016-it-survey-enterprise-application-access
•  http://en.softeck.co/tprisk2016
•  http://www.ponemon.org/library/data-risk-in-the-third-party-ecosystem
•  https://securityintelligence.com/media/2016-cost-data-breach-study/

Page 5: Examples

•  HVAC Vendor
•  Medical Transcription Vendor
•  Photo Hosting Service
•  Point of Sale Vendor
•  Vehicle Driver Compliance Vendor
•  Stolen Vendor Credentials

Page 6: Examples

•  Payment Processing Vendor
•  Background Checking Company
•  Payroll Services (Equifax, ADP)
•  …and others
•  Point of Sale Services Vendor
•  E-commerce Portal
•  Contract Call Center Employees

Page 7: Trouble in the Ecosystem

Ponemon Study, Data Risk in the Third-Party Ecosystem:
•  Not confident that they would receive notice of third-party breaches affecting their information.
•  Don’t know which third parties have access to their confidential information.
•  Vendor’s security practices are not monitored.
•  Internal accountability for third-party risk management unclear.

Ponemon, Data Risk in the Third-Party Ecosystem, 2016, http://www.ponemon.org/library/data-risk-in-the-third-party-ecosystem

Page 8: Third Party Cyber Risk Contractual Life Cycle

Page 9: Introduction

When Should We Care About Vendor Contracts the Most?

1.  If vendor is Processing company data; or
2.  If vendor has access to company networks.

Page 10: Contractual Provisions

Page 11: 1. State the Obligations

Page 12: 1. State the Obligations

1.  Assess what kind of data vendor will be processing
2.  Look at your data flows to determine contractual and legal obligations

The answers will help you determine which security requirements Company (and vendors) must comply with.

Page 13: What Data Will Vendor Be Processing?

Internal
•  Employee information
   •  Payroll
   •  Direct deposit
   •  PII
   •  Health information
•  Trade secrets
•  Pricing information
•  Internal policies
•  Audit results

Client
•  PII
•  PII of its clients
•  Financial data
•  History of use of your products/services
•  Payment information
•  Non-PII

Page 14: Obligations

1.  Compliance with security requirements
2.  Compliance with laws
3.  Confidentiality
4.  Data usage restrictions

Page 15: Obligations – Security Requirements

Security Requirements
•  What best practices do we want to employ?
•  What certifications or contractual obligations apply?
•  Which laws (if any) apply?
•  What data do we have?

Page 16: Obligations – Security Requirements

•  Reasonable / Industry-standard / Appropriate
•  PCI-DSS / ISO 27001 / NIST 800-53
•  Bespoke requirements

Page 17: Obligations – Security Requirements

Example clause (reasonable/appropriate standard):

“Vendor shall take appropriate technical, physical and organizational precautions to protect Company Data against destruction, loss, alteration, unauthorized access by or disclosure to third parties.”

Page 18: Obligations – Security Requirements

Example clause (named standard, PCI-DSS):

“Vendor shall comply with the rules and regulations of the Payment Card Industry and the card associations (e.g., Visa, MasterCard), including, but not limited to, the data security standards (“PCI-DSS”).”

Page 19: Obligations – Security Requirements

Example clause (bespoke requirements):

“In connection with its Processing of Company Data, Vendor shall comply with all requirements set forth on Exhibit A, attached hereto and incorporated herein.”

Page 20: Obligations – Laws

•  Vague: “Vendor shall comply with all applicable state and federal laws when Processing Company Data”
•  Specific: “[…] including the following:”
   •  HIPAA
   •  FERPA
   •  GLBA
   •  Etc.

Page 21: Obligations – Laws: Organization of U.S. Privacy Laws – Sectoral Approach

Industry
•  Finance: GLBA
•  Healthcare: HIPAA
•  Government: Privacy Act of 1974

Activities
•  Advertising: CAN-SPAM
•  Data Breaches: State laws
•  Commerce: FTC Act, State laws
•  Credit Reporting: FCRA
•  Employment: State laws, ADA

Data Subjects
•  Students: State student record laws, FERPA
•  Children: COPPA

Page 22: Obligations – Confidentiality

•  The definition of Confidential Information should specifically include Company Data

•  Obligation to maintain confidentiality of Confidential Information and not disclose to third parties

•  Carve-outs for affiliates, service providers, and for disclosures required by applicable law or legal process

Page 23: Obligations – Data Usage Restrictions

•  Purposes of Processing
   •  “Vendor shall Process data only [in accordance with Company’s instructions/as necessary to perform the Services]”
•  Usage Restrictions
   •  Company grants Vendor a license to use Company Data in aggregate and de-identified forms

Page 24: Ensuring Performance

•  PCI-DSS compliance validation
•  SOC 1
•  SOC 2
•  Third party audit report
•  On-premise audits
•  Audit on periodic basis and upon occurrence of breach or other defined event

Page 25

1.  Require Visibility
   a)  Know who the vendors are
   b)  Information/Audit rights
   c)  Veto over your data/access to your system

2.  Obligations Flow Down
   a)  Compliance with data security standards
   b)  Immediate breach reporting
   c)  Response cooperation
   d)  Vendor’s vendors’ vendors

Page 26: Indemnities

Company wants broad indemnity:
•  Security Incident broadly defined
•  Vendor’s vendors
•  First and third party costs
•  Not defeated by limitations of liability
•  Fines, penalties, ransom payments, etc.

Vendor wants the opposite:
•  Consequential damages
•  Lost profits

Page 27: Limitations of Liabilities

Company wants none
•  Company may press for carve-out for breach of confidentiality

Vendor wants cap
•  Vendor may want super cap in the range of $10 to $15 million.

Beware limitations of liability by category that frustrate indemnities and other damages provisions.

How big is the cap?

Page 28: Insurance

•  Highly recommended.
•  Terms are not standardized.
•  Be wary of exclusions that apply to Vendor’s negligence.

Page 29: Surviving data usage/transfer rights

•  Specify the cost, schedule and terms of data migration or hostage situation.
•  Vendor may not use identifiable or non-aggregated data.

Page 30: Certify destruction or de-identification

•  Degaussing or overwriting with 1’s and 0’s.
•  Commingled data causes problems.
•  System access rights need to be terminated completely.
•  Certificate of destruction, verification.

Page 31: Procurement Resources

•  Vendor security rating services:
   •  https://www.bitsighttech.com/
   •  https://securityscorecard.com/company/
   •  http://www.riskrecon.com/
•  Vendor security questionnaires:
   •  https://www.vendorsecurityalliance.org/
   •  https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/
•  Security certification: ISO/IEC 27001:2013
   •  http://www.iso27001security.com/html/27001.html
•  Reports: SOC-2
   •  https://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/AICPASOC2Report.aspx

Page 32: Cloud

•  Amazon Web Services Whitepapers: https://aws.amazon.com/whitepapers/overview-of-security-processes/
•  Cloud Security Alliance: https://cloudsecurityalliance.org/

Page 33: Questions

Page 34: Thank you for attending another presentation from ACC’s Webcasts

Please be sure to complete the evaluation form for this program as your comments and ideas are helpful in planning future programs.

If you have questions about this or future webcasts, please contact ACC at [email protected]

This and other ACC webcasts have been recorded and are available, for one year after the presentation date, as archived webcasts at http://www.acc.com/webcasts.