Building a Program to Manage the Vendor Management Lifecycle
1 Building a Program to Manage the Vendor Management Lifecycle
Libbie Canter, Amelia Hukoveh, Daniel Nazar
October 5, 2017

2 Overview
1. Introduction and Background
2. Three Pillars of Third-Party Risk Management
   - Due Diligence
   - Contractual Negotiations
   - Oversight and Monitoring
3. Key Contractual Terms and Risk Management
3 Introduction and Background
4 Introduction
There is a complex web of suppliers that support most business enterprises, for example:
- Cloud providers (SaaS, IaaS, PaaS)
- HR vendors, like benefits providers, payroll firms, recruitment
- Marketing, advertising and media companies
- Professional services companies, like law firms, consultants, outsourced IT, accountants, third-party auditors
- Security firms that monitor network traffic
- Call centers
- Software developers
- Payment processing and fraud detection services

5 Introduction
- These suppliers can provide expertise, scale and efficiency
- However, use of third parties also can create business and legal risks that need to be managed prudently

6 Legal Risks
- U.S. regulatory expectations
  - FTC interpretations of section 5 of the FTC Act
  - Sector-specific federal laws, such as:
    - Interagency Guidelines Establishing Information Security Standards (Section 501 of the Gramm-Leach-Bliley Act)
    - HIPAA Privacy, Security, and Breach Notification Rules
- State laws and regulations
  - State data security laws
    - Two that are most prescriptive around third-party risk management are Massachusetts regulation and New York Department of Financial Services regulation
  - Data breach notification obligations

7 Legal Risks
- International data protection laws, e.g., EU Directive and GDPR
  - May require specific language for data processing agreements
  - Data controller typically is responsible for processing activities of data processor acting on its behalf
  - Cross-border transfer restrictions
  - Breach notification obligations

8 Business and Commercial Risks
- Vendor misuse of non-personal data also has risks:
  - Securities law implications when financial controls are implicated
  - Risks to trade secrets protections
  - Data has commercial value that is diminished when a vendor commercializes data without authorization
- Costs of remediating a personal data security incident exceed costs of addressing regulatory requirements and litigation
  - Examples: retaining forensic firm and PR firm, brand diminution
  - By the end of 2014, the costs to Target exceeded $150 million, CEO resigned
- Ponemon Institute's 2015 U.S. Cost of Data Breach Study reports that third-party involvement in a data breach increased the per capita cost of data breaches more than any other factor
9 Third Party Risk Management
10 Three Pillars
1. Due Diligence
2. Contractual Negotiation
3. Oversight and Monitoring

11 Due Diligence
Goal: Identify the legal and business risks created by the relationship and extent to which they can be managed by contractual and noncontractual controls
Toolkit:
- Template security questionnaires
- Interviews with vendor privacy and security professionals
- Review of most recent third-party audits or assessments and industry-standard certifications
- Research based on publicly and commercially available materials

12 Contractual Negotiation
Goal: To manage risks identified through due diligence through appropriate contractual controls
Toolkit: Template data processing and security requirements
Non-contractual controls should also be explored to mitigate risk:
- Security training for certain vendor personnel (e.g., on-site professional services personnel)
- Vulnerability, penetration, and other security testing
- Insurance coverage

13 Use of Subcontractors
- Vendor's subcontractors also create privacy and security risks for the organization (so-called fourth party risk)
- Consider how to ensure that sub-contractors meet the same standards that the vendor has met
- Non-U.S. laws may contemplate that vendor will not use contractors without the client's authorization
  - One common resolution of this is to build into the contract a general authorization to use subcontractors identified on a list that is updated from time to time; and provide the client a right to terminate following any change to the list of subcontractors.

14 Security Breach Notification and Remediation
- Clients often seek notice of breaches of personal data to satisfy regulatory obligations and notices of other kinds of cybersecurity incidents to protect proprietary data and their systems
- The language that triggers notice and other obligations often is heavily negotiated, including with respect to:
  - Type of compromise that should trigger notices; and
  - When vendor should provide notice of compromise, both in terms of (1) how far along in confirming (or ruling out) a compromise vendor should be; and (2) specific timeframe for notice
- The parties may also negotiate remediation obligations following a compromise distinct from indemnification obligations (e.g., obligations to pay for notices to individuals, credit monitoring, establishment of number)

15 International Transfers
- To address international frameworks that restrict cross-border transfers of personal data, companies may have to put in place transfer mechanisms. For example:
  - Privacy Shield certification (U.S. only)
  - Standard Contractual Clauses
  - Processor Binding Corporate Rules
- Given annulment of Safe Harbor and fluidity of current dynamic, consider future proofing language instead of relying on one specific mechanism

16 GDPR Requirements
Article 28 imposes a number of new requirements to include in data processing agreement:
- Description of processing (subject matter, duration, nature and purpose, types of personal data, categories of data subjects, obligations and rights of controller)
- Processing limitation
- Confidentiality
- Subcontracting
- Security
- Data subject rights
- Compliance assistance
- Deletion
- Information and audit

17 GDPR Requirements
Data processors are now directly subject to certain obligations:
- May process personal data only on documented instructions from the controller
- Must notify data controllers without undue delay of a personal data breach
- Must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. (This should take into account the state of the art, etc.)
- Unless exempt, must maintain a written record of categories of processing activities carried out on behalf of controller
- Depending on core activities, may need to appoint a DPO
- Must comply with cross-border transfer restrictions

18 Contractual Negotiations: Other Key Terms
We have touched on just a few of many relevant contractual terms!
- Privacy and Data Protection Obligations
- Compliance with Laws
- Data Handling/Storage/Transfer
- Cybersecurity Program/System Standards/Integrity
- Subcontractors/Service Partners
- Right to Audit
- Remediation for Breach/Discovery of Security Incident
- Liability Provisions
  - Damages Exclusions
  - Liability Cap
- Indemnity
- Insurance
- Service Levels
- Back-up/Disaster Recovery
  - Recovery Point Objective
- Data Ownership/Permissions
  - Treatment as Confidential Information

19 Oversight and Monitoring
Goal: Monitor to confirm vendor's safeguarding of client data and systems and compliance with relevant contractual requirements
Key Challenge: Vendors may not be able to grant third parties access to their systems without compromising other clients' information security
Toolkit:
- There should be system in place for conducting and keeping records relating to ongoing oversight and monitoring
- For specific contracts, consider:
  - Review vendor's third-party audit reports and/or certifications of compliance with third-party frameworks
  - Audit right, even if limited to vendor's own premises or in circumstances where required by law or following a breach
20 Questions?
More informationMULTI-SECTOR SERVICE ACCOUNTABILITY AGREEMENT April 1, 2011 March 31, 2014 SERVICE ACCOUNTABILITY AGREEMENT. with YOUTH HABILITATION QUINTE INC.
MULTI-SECTOR SERVICE ACCOUNTABILITY AGREEMENT April 1, 2011 March 31, 2014 SERVICE ACCOUNTABILITY AGREEMENT with YOUTH HABILITATION QUINTE INC. Effective Date: April 1, 2011 Index to Agreement Article
More informationUNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP
UNDERSTANDING HIPAA & THE HITECH ACT Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP 1 Objectives of Presentation Learn what HIPAA is Learn the purpose of HIPAA Understand who HIPAA regulates
More informationTABLE OF CONTENTS. Compliance Manual Version: 4.9 Author: [Your Company Name] Updated: 28/10/2017
TABLE OF CONTENTS 1 Introduction... 10 1.1 Purpose & Scope of the Manual... 10 1.2 Responsibility for the Manual... 11 2 Regulatory Framework... 12 2.1 Introduction to the FCA... 12 2.2 Financial Services
More informationFINANCIER DATA PROTECTION & PRIVACY LAWS ANNUAL REVIEW ONLINE CONTENT DECEMBER 2016 R E P R I N T F I N A N C I E R W O R L D W I D E.
R E P R I N T F I N A N C I E R W O R L D W I D E. C O M ANNUAL REVIEW DATA PROTECTION & PRIVACY LAWS REPRINTED FROM ONLINE CONTENT DECEMBER 2016 2016 Financier Worldwide Limited Permission to use this
More informationURBAN AIRSHIP DATA PROCESSING ADDENDUM with EU Standard Contractual Clauses. (Revised September 2017)
URBAN AIRSHIP DATA PROCESSING ADDENDUM with EU Standard Contractual Clauses (Revised September 2017) This Data Processing Addendum ( Addendum ) forms part of the Master Subscription Agreement or the online
More informationGDPR update and its impact on accountancy practices
GDPR update and its impact on accountancy practices Richard Kemp, Kemp IT Law 29 March 2017 Presentation to The Alternative Accountancy Strategic IT Conference Elizabeth Denham speech to ICAEW, 17.01.17
More informationEmerging legal and regulatory risks
Emerging legal and regulatory risks Presentation for AusCERT2016 Matthew Pokarier and Ben Di Marco Structure Regulatory risks Third-party liability Actions by affected individuals Actions by banks and
More information