Allocating Risk for Privacy and Data Security in Commercial Contracts and Related Insurance Implications

Allocating Risk for Privacy and Data Security in Commercial Contracts and Related Insurance Implications
Presented by: Selena J. Linde, George Galt, Aaron Coombs
June 23, 2016
Perkins Coie LLP

Presenter: Selena Linde
Selena Linde is a Partner in Perkins Coie's Insurance Recovery Practice and is a primary author and editor of the Association of Corporate Counsel's Policyholders Primer on Insurance. Ms. Linde has been honored as one of twenty-five worldwide recipients of Business Insurance's Women to Watch, one of eleven National Insurance Stars and one of the top 150 Women Litigators by Benchmark Plaintiff. Ms. Linde has recovered more than a billion dollars for her clients and has an active trial practice representing policyholders in complex insurance coverage cases throughout the country and an equally active arbitration, mediation, and counseling practice. Selected representations include:
Lead Coverage Counsel for a Global 50 Pharmaceutical (D&O Claims related to Government Investigations and Anti-Trust Suits)
Lead Coverage Counsel for Hospitality Company (Data/Privacy and Property Claims)
Lead Coverage Counsel for Residential Capital (E&O and D&O Claims related to packaging of mortgage-backed securities)
Lead Counsel NorthWestern Energy (CGL, D&O, Property, and EPL Claims)
Co-lead Counsel Motors Liquidation Trust (CGL claims related to historical asbestos and environmental liability for pre-bankruptcy General Motors)
Join Ms. Linde's LinkedIn network for updates and articles on insurance coverage topics. She can be reached directly at (202) 654-6221 or SLinde@perkinscoie.com.

Presenter: George Galt
George Galt is an Assistant General Counsel at AOL where he supports the advertising group. In that capacity, he negotiates agreements regarding data gathered through websites, applications and business interactions. Prior to AOL, George was the Associate General Counsel at The Associated Press managing the business transactions unit. He provided legal support for AP's efforts to gather behavior data regarding news usage and helped AP to develop a rights expression language to support automated content transactions. Prior to AP, George was in private practice at Drinker, Biddle & Reath. He can be reached at george.galt@teamaol.com.

Presenter: Aaron Coombs
Aaron Coombs is Counsel in Perkins Coie's Insurance Recovery practice group. He has helped clients maximize their insurance assets under many different types of policies, from spacecraft to cyber, property to casualty, and many others. He routinely counsels clients when purchasing insurance, and has extensive proficiency in identifying gaps in coverage and negotiating the terms and conditions for cyber-risk and management liability (D&O) insurance policies. He also helps clients with additional insured and contractual indemnification issues. Aaron has helped clients recover insurance proceeds for product liability claims, product recalls, government investigations, employment discrimination, as well as cases involving alleged violations of the Fair Labor Standards Act, Sherman Antitrust Act, and False Claims Act. Aaron is currently working on several cyber-risk insurance claims for clients that experienced malicious hacking attacks, as well as several product recall claims. He can be reached directly at (202) 654-6246 or Acoombs@perkinscoie.com.

Introduction
Heightened state of data and IT security
How to protect your company
Landscape of contract negotiations on data and IT security
Avoiding the pitfalls of 3rd parties dictating your company's policies: allocation of risk and contract tips

Heightened State of Data and IT Security
Public Breaches
Regulators
What is Data? What is PII?

How Do You Protect Your Company?
Breach response plan
Insurance: application requirements; problematic exclusions

Contract Negotiations on Data & IT Security
Broadened clauses of indemnification
Third-party standards
Security audits
Reps and warranties

Allocation of Risk and Contract Tips
Your own insurance policies
Your contracts

Cyber Risk/Privacy Policies
Coverage Grants Vary Greatly
"First-Party" Coverage:
Losses due to destroyed or damaged data; data restoration
Business Interruption
Extortion demands
"Third-Party" Coverage:
Privacy Liability
Unauthorized disclosure of confidential information
Costs to investigate breaches, satisfy notification obligations, defend against regulatory proceedings

Available Coverage Components
Network Security Liability: Third-party liability resulting from a failure of your network security to protect against destruction, deletion or corruption of third-party electronic data, denial of service attacks against internet sites or computers, or transmission of viruses to third-party computers and systems.
Privacy Liability: Liability to a third party as a result of your failure to properly handle, manage, store or otherwise control personally identifiable information, corporate information identified as confidential and protected under a nondisclosure agreement, and unintentional violation of privacy regulations.
Crisis Management & Identity Theft Response Fund: Expenses to comply with privacy regulations, such as communication to and credit monitoring services for affected customers. This also includes expenses incurred in retaining a crisis management firm for the purpose of protecting/restoring your reputation as a result of the actual or alleged violation of privacy regulations.
Cyber Extortion: Ransom or investigative expenses associated with a threat directed at you to release, divulge, disseminate, destroy, steal, or use the confidential information taken from the insured; introduce malicious code into your computer system; corrupt, damage, or destroy your computer system; or restrict or hinder access to your computer system.
Network Business Interruption: Reimbursement of your own loss of income and/or extra expense resulting from an interruption or suspension of your systems due to a failure of network security to prevent a security breach.
Data Asset Protection: Recovery of your costs and expenses incurred to restore, recreate, or regain access to any software or electronic data from back-ups or from originals, or to gather, assemble and recreate such software or electronic data from other sources, to the level or condition in which it existed immediately prior to its alteration, corruption, destruction, deletion, or damage.

Negotiate Insurance Policy Language
Coverage Grants Vary Greatly
No standard form language
Customize and do not buy off-the-shelf policies
Ensure your policy covers cyber losses not resulting from theft
Review proposed policy language with a critical eye:
Who is the insured?
How are defense costs treated?
Who chooses defense counsel and breach response firms?
What is the retroactive date?
Are you comfortable with the proposed sublimits?

Negotiate Insurance Policy Language
Be Wary of Certain Exclusions:
Terrorism and war
Regulatory actions
Breach of contract (PCI-DSS?)
Fines and penalties
Third-party vendor
Insured vs. insured
Misappropriation of intellectual property
Eliminate Duplicate Coverages

Do Your Traditional Policies Cover Cyber/Privacy Risks?
Many Facets of a Data Breach: Multiple Policies May Respond
Errors & Omissions (E&O)/Professional Liability
Directors and Officers (D&O)
Fidelity
Commercial General Liability
New ISO CGL data breach exclusions
Property
Other Policies/Indemnification Agreements

Model Contract Provisions: Privacy, Data Security, and Insurance
Framework to address privacy, data security and insurance in the context of an agreement between Company and a service provider or vendor
Vendor/service provider will have access to Company information, information related to Company information, or other confidential information of Company

Model Contract Provisions: Privacy, Data Security, and Insurance
NOTE: sample provisions must be tailored and supplemented to fit particular facts and circumstances
If Company will also be hosting vendor data, you may not be willing or able to make many of the provisions we will discuss mutual, because hosting or storing information on behalf of other companies is not Company's business.

Model Contract Provisions: Privacy, Data Security, and Insurance
Confidentiality Provisions
Security of Personal Information Provisions
Establishing Contractual Insurance Provisions

Confidentiality Provisions
Definition
Marking
Survival
Return or Destruction
Boilerplate Confidentiality Carve-Outs
Ownership and Use

Confidentiality Provisions
Definition of Confidentiality:
Must capture all sensitive data
Also protect information that a party should reasonably understand to be of a confidential nature
Marking:
Tangible medium
Specify handling procedures
Oral information

Confidentiality Provisions
Survival:
Must survive termination of the Agreement (non-negotiable)
Ownership and Use:
Limit use to the purpose for which the information was provided
Specify that the recipient does not own the information

Confidentiality Provisions
Return or Destruction:
Company should elect at time of termination or on request
Consider how confidential information will be transmitted, and where copies may be retained (e.g., email, corporate server backups, etc.)
Certificate of destruction

Confidentiality Provisions
BE CAREFUL of Boilerplate Carve-Outs
Typically carve out certain information, such as information that is publicly available through no fault of Vendor/Service Provider
Information disclosed via breach or other wrongful act: the provisions still apply to the use of that information

Security of Personal Information Provisions
Company Information
Representations, Warranties and Covenants
Audit rights
Remedies for breach
Security Breach Notification
Subcontractors and Flow-Down Provisions
Location of Data/Employee Issues
Disaster Recovery

Company Information
Company exclusively owns all Company Information. "Company Information" is any information about persons or entities that Vendor obtains in any manner from any source under this Agreement, which concerns prospective and existing customers or employees of (1) Company, (2) Company's affinity marketing partners, (3) Company's contracting parties and (4) Company's suppliers. Company Information includes, without limitation, names, addresses, telephone numbers, e-mail addresses, social security numbers, credit card numbers, call-detail information, purchase information, product and service usage information, frequent flier information, account information, credit information, demographic information and any other personally identifiable information. Company Information is the Confidential Information of Company under the Agreement. Vendor (a) may collect, store, access, use, process, maintain and disclose Company Information only to fulfill its performance obligations under the Agreement and for no other purpose, and (b) shall, without limiting any other obligations applicable to Company Information hereunder, treat all Company Information as Confidential Information of Company. For this Agreement, the acts or omissions of Vendor and anyone with which it is associated (e.g., employees of Vendor and its subsidiaries and affiliates, and Vendor's agents and approved contractors and subcontractors, and their respective employees) are Vendor's acts or omissions.

Representations, Warranties and Covenants: Compliance with Applicable Laws
Vendor hereby represents and warrants that it is and will remain in compliance with all applicable domestic laws, including without limitation any national, regional and local laws, and all applicable international laws ("Applicable Laws") and that it will not cause Company to be in material violation of any Applicable Laws. Vendor represents and warrants that Vendor is not and has not been a party to any current, pending, threatened or resolved enforcement action of any government agency, or any consent decree or settlement with any governmental agency or private person or entity regarding any Security Breach (defined below) or otherwise regarding data privacy or information security.

Representations, Warranties and Covenants: Compliance with Industry Rules or Guidelines
If Vendor processes, stores, transmits or has access to Company Information that includes payment information (including, without limitation, credit card, debit card, or financial account information), Vendor represents and warrants that it is, and will remain, in compliance with the data security rules of any applicable payment network or organization, including, but not limited to, (1) the Payment Card Industry Data Security Standard for protecting credit and debit cardholder information, as the same may be amended, updated, replaced or augmented, and (2) the NACHA Operating Rules, developed and administered by NACHA (The Electronic Payments Association), for protecting financial account information and the Automated Clearing House network, as they may be amended, updated, replaced or augmented.

Representations, Warranties and Covenants
Vendor should be required to:
Use administrative, physical and technical safeguards that prevent any unauthorized collection, use or disclosure of, or access to, Company Information
Implement and maintain an information security program to protect Company Information
Can be a covenant or a representation and warranty
Strict liability: Vendor fully responsible

Representations, Warranties and Covenants: Security
Vendor is fully responsible for any authorized or unauthorized collection, storage, disclosure and use of, and access to, Company Information.
Vendor shall implement and maintain administrative, physical and technical safeguards ("Safeguards") that prevent any collection, use or disclosure of, or access to, Company Information that this Agreement does not expressly authorize, including, without limitation, an information security program that meets the highest standards of best industry practice to safeguard Company Information. Such information security program will include, without limitation, (i) adequate physical security of all premises in which Company Information will be processed and/or stored; (ii) reasonable precautions taken with respect to the employment of and access given to Vendor personnel, including background checks and security clearances that assign specific access privileges to individuals, training employees on the proper use of Vendor's computer systems and the importance of personal information security, and restricting access to records and files containing Company Information to those who need such information to perform their job duties; (iii) an appropriate network security program, including designation of one or more employees to coordinate the security program, monitoring of systems for unauthorized use of, or access to, personal information, appropriate access and data integrity controls, testing and auditing of all controls, appropriate corrective action and incident response plans, and encryption of all records and files containing personal information that will travel across public networks, be transmitted wirelessly, or be transmitted outside of the secure system of the business; and (iv) encryption of all Company Information stored on laptops and other portable devices.

Representations, Warranties and Covenants: Compliance with Company Policies
Vendor should comply with your company's written privacy and security policies
Provide policies not less than 30 days prior to their effective date
Compliance does not relieve Vendor of its duties to protect Company Information or other Confidential Information

Representations, Warranties and Covenants: Prior Audits
Require vendor to represent and warrant that its network, systems and premises have undergone annual audits, and that the audits did not reveal vulnerabilities!
What if Vendor objects to a materiality standard?
Will vendor agree to use the language of the audit standard?
Provide copies of audits? Provide summaries?

Representations, Warranties and Covenants: Disclosure of Prior Breaches
Require vendor to represent and warrant no prior security breaches or disclosure
Prior enforcement actions?
Non-mutual provisions

Representations, Warranties and Covenants: Disclosure of Prior Breaches
Vendor represents and warrants that the Vendor Systems have (a) not suffered any actual, probable or reasonably suspected breach of any safeguards or any other actual, probable or reasonably suspected unauthorized access to or acquisition, use, loss, destruction, compromise or disclosure of any information maintained on the Vendor Systems (each, a "Security Breach"); or (b) if the Vendor Systems have suffered one or more Security Breaches, that Vendor has disclosed each Security Breach to Company. Vendor represents and warrants that Vendor is not and has not been a party to any current, pending, threatened or resolved enforcement action of any government agency, or any consent decree or settlement with any governmental agency or private person or entity regarding any Security Breach or otherwise regarding data or information security.

Representations, Warranties and Covenants
NO overriding disclaimers!

Audit Rights
Is Vendor hosting sensitive or mission-critical data?
Annual 3rd-party audits
Report audit results
Promptly correct vulnerabilities
Right to terminate for breach of this provision?
Liquidated damages?

Audit Rights
Independent Auditor
Costs
Visitation and Inspection Right

Remedies for Breach
Injunctive Relief
Liquidated Damages
Termination
Indemnification
Limitation of Liability

Security Breach Notification
Definition
Notification
Point of Contact
Notice of Third-Party Legal Process
Expense Responsibilities

Subcontractors and Flow-Down Provisions
Prior approval
All data security provisions must flow down
Necessary to fulfill subcontractor obligations
Notification
Require express consent?

Location of Data/Employee Issues
Domestic or Overseas Storage
Requirements Applicable to Overseas Storage and Processing:
EU Safe Harbor
EU-US Privacy Shield
Additional Requirements:
US Citizenship or Permanent Residence
No Citizenship or Permanent Residence Requirement / Prohibition on Access by Individuals on Export Control Lists

Disaster Recovery
During the term of this Agreement, Vendor shall implement and maintain a disaster recovery plan that ensures that all Company Confidential Information in Vendor's possession or control at a given time is capable of being recovered, and that the integrity of all such recovered Company Confidential Information is retained, in the event that Vendor's network, systems or other facilities experience a Security Breach or any significant interruption or impairment of operation or any loss, deletion, corruption or alteration of data ("Disaster Recovery Plan"). Vendor shall, at minimum, conduct annual internal information security audits of its Disaster Recovery Plan and certify the results of each such audit to Company within ten (10) days of completing each such audit.

Service Level Agreement Issues
Data storage
Encryption
Access logging
Records monthly/on request

Model Insurance Requirements
Establishing Contractual Insurance Provisions:
General Recommendations for all Maintenance of Insurance Provisions
Types of Insurance Coverage to Consider Including in Maintenance of Insurance Provisions
Minimum Insurance Provision Recommended

Contractual Insurance Provisions
What kind of work is being done?
Types of potential losses or accidents?
Worst case scenario?
Is the entity responsible for the risk the same entity in the best position to control the risk?
Additional insured status?
Limits?

Contractual Insurance Provisions
Licensed and approved in states
Minimum A.M. Best Rating
Additional Insured status
Primary and non-contributory
Notice of cancellation/renewal
Evidence of Insurance
Indemnification excess of insurance

Types of Policies to Consider
Cyber Risk/Privacy Policies
Errors and Omissions
Commercial General Liability
Workers' Compensation

Questions?
Selena J. Linde 202-654-6221
Aaron Coombs 202-654-6246