Building a Program to Manage the Vendor Management Lifecycle

Transcription

1 Building a Program to Manage the Vendor Management Lifecycle Libbie Canter Amelia Hukoveh Daniel Nazar October 5, 2017

2 Overview 1. Introduction and Background 2. Three Pillars of Third-Party Risk Management Due Diligence Contractual Negotiations Oversight and Monitoring 3. Key Contractual Terms and Risk management 2

3 Introduction and Background

4 Introduction There is a complex web of suppliers that support most business enterprises, for example: Cloud providers (SaaS, IaaS, PaaS) HR vendors, like benefits providers, payroll firms, recruitment Marketing, advertising and media companies Professional services companies, like law firms, consultants, outsourced IT, accountants, third-party auditors Security firms that monitor network traffic Call centers Software developers Payment processing and fraud detection services 4

5 Introduction These suppliers can provide expertise, scale and efficiency However, use of third parties also can create business and legal risks that need to be managed prudently 5

6 Legal Risks U.S. regulatory expectations FTC interpretations of section 5 of the FTC Act Sector-specific federal laws, such as: Interagency Guidelines Establishing Information Security Standards (Section 501 of the Gramm-Leach-Bliley Act) HIPAA Privacy, Security, and Breach Notification Rules State laws and regulations State data security laws Two that are most prescriptive around third-party risk management are Massachusetts regulation and New York Department of Financial Services regulation Data breach notification obligations 6

7 Legal Risks International data protection laws, e.g., EU Directive and GDPR May require specific language for data processing agreements Data controller typically is responsible for processing activities of data processor acting on its behalf Cross-border transfer restrictions Breach notification obligations 7

8 Business and Commercial Risks Vendor misuse of non-personal data also has risks: Securities law implications when financial controls are implicated Risks to trade secrets protections Data has commercial value that is diminished when a vendor commercializes data without authorization Costs of remediating a personal data security incident exceed costs of addressing regulatory requirements and litigation Examples: retaining forensic firm and PR firm, brand diminution By the end of 2014, the costs to Target exceeded $150 million, CEO resigned Ponemon Institute s 2015 U.S. Cost of Data Breach Study reports that third-party involvement in a data breach increased the per capita cost of data breaches more than any other factor 8

9 Third Party Risk Management

10 Three Pillars 1. Due Diligence 2. Contractual Negotiation 3. Oversight and Monitoring 10

11 Due Diligence Goal: Identify the legal and business risks created by the relationship and extent to which they can be managed by contractual and noncontractual controls Toolkit Template security questionnaires Interviews with vendor privacy and security professionals Review of most recent third-party audits or assessments and industry-standard certifications Research based on publicly and commercially available materials 11

12 Contractual Negotiation Goal: To manage risks identified through due diligence through appropriate contractual controls Toolkit: Template data processing and security requirements Non-contractual controls should also be explored to mitigate risk: Security training for certain vendor personnel (e.g., on-site professional services personnel) Vulnerability, penetration, and other security testing Insurance coverage 12

13 Use of Subcontractors Vendor s subcontractors also create privacy and security risks for the organization (so-called fourth party risk) Consider how to ensure that sub-contractors meet the same standards that the vendor has met Non-U.S. laws may contemplate that vendor will not use contractors without the client s authorization One common resolution of this is to build into the contract a general authorization to use subcontractors identified on a list that is updated from time to time; and provide the client a right to terminate following any change to the list of subcontractors. 13

14 Security Breach Notification and Remediation Clients often seek notice of breaches of personal data to satisfy regulatory obligations and notices of other kinds of cybersecurity incidents to protect proprietary data and their systems The language that triggers notice and other obligations often is heavily negotiated, including with respect to: Type of compromise that should trigger notices; and When vendor should provide notice of compromise, both in terms of (1) how far along in confirming (or ruling out) a compromise vendor should be; and (2) specific timeframe for notice The parties may also negotiate remediation obligations following a compromise distinct from indemnification obligations (e.g., obligations to pay for notices to individuals, credit monitoring, establishment of number), 14

15 International Transfers To address international frameworks that restrict cross-border transfers of personal data, companies may have to put in place transfer mechanisms. For example: Privacy Shield certification (U.S. only) Standard Contractual Clauses Processor Binding Corporate Rules Given annulment of Safe Harbor and fluidity of current dynamic, consider future proofing language instead of relying on one specific mechanism 15

16 GDPR Requirements Article 28 imposes a number of new requirements to include in data processing agreement: Description of processing (subject matter, duration, nature and purpose, types of personal data, categories of data subjects, obligations and rights of controller) Processing limitation Confidentiality Subcontracting Security Data subject rights Compliance assistance Deletion Information and audit 16

17 GDPR Requirements Data processors are now directly subject to certain obligations: May process personal data only on documented instructions from the controller Must notify data controllers without undue delay of a personal data breach Must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. (This should take into account the state of the art, etc.) Unless exempt, must maintain a written record of categories of processing activities carried out on behalf of controller Depending on core activities, may need to appoint a DPO Must comply with cross-border transfer restrictions 17

18 Contractual Negotiations: Other Key Terms We have touched on just a few of many relevant contractual terms! Privacy and Data Protection Obligations Compliance with Laws Data Handling/Storage/Transfer Cybersecurity Program/System Standards/Integrity Subcontractors/Service Partners Right to Audit Remediation for Breach/Discovery of Security Incident Liability Provisions Damages Exclusions Liability Cap Indemnity Insurance Service Levels Back-up/Disaster Recovery Recovery Point Objective Data Ownership/Permissions Treatment as Confidential Information 18

19 Oversight and Monitoring Goal: Monitor to confirm vendor s safeguarding of client data and systems and compliance with relevant contractual requirements Key Challenge: Vendors may not be able to grant third parties access to their systems without compromising other clients information security Toolkit There should be system in place for conducting and keeping records relating to ongoing oversight and monitoring For specific contracts, consider: Review vendor s third-party audit reports and/or certifications of compliance with third-party frameworks Audit right, even if limited to vendor s own premises or in circumstances where required by law or following a breach 19

20 Questions?