The Iowa State Bar Association's ecommerce & Intellectual Property Law Sections present
2016 Intellectual Property Law & ecommerce Seminar
Information Security and Third-Party Service Provider Agreements
11:15 am to 12:15 pm, Friday, December 2, 2016
Presented by Amy McHugh, CliftonLarsonAllen LLP, 600 3rd Avenue SE, Suite 300, Cedar Rapids, IA 52401, Phone: 319-363-2697
Information Security and Third-Party Service Agreements
Amy McHugh, JD, CISA, Network+, Security+
CLAconnect.com
What Information Are We Protecting?
Gramm-Leach-Bliley Act Section 501(b), Safeguarding of Customer Information
Customer information: any record containing nonpublic personal information about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of the institution.
Nonpublic personal information: (i) personally identifiable financial information; and (ii) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.
Personally identifiable financial information: (i) information a consumer provides to you to obtain a financial product or service from you; (ii) information about a consumer resulting from any transaction involving a financial product or service between you and a consumer; or (iii) information you otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.
What Information Are We Protecting?
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Protected Health Information: the Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
Individually identifiable health information: information, including demographic data, that relates to (i) the individual's past, present, or future physical or mental health or condition, (ii) the provision of health care to the individual, or (iii) the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual (e.g., name, address, birth date, Social Security Number).
What Information Are We Protecting?
Payment Card Industry (PCI): payment card data
Personally Identifiable Information: information that can be used to identify an individual, including but not limited to name, address, Social Security Number, phone number, etc.
Business information
Don't forget:
Employee information
Trade secrets/IP
Business plans
M&A plans
Information Shared with Third Parties
Cornerstone of a Vendor Management Program
Gramm-Leach-Bliley Act Section 501(b), Safeguarding of Customer Information, Oversee Service Provider Arrangements. Each institution shall:
Exercise appropriate due diligence in selecting its service providers;
Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and
Where indicated by the institution's risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, an institution should review audits, summaries of test results, or other equivalent evaluations of its service providers.
Information Shared with Third Parties
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Business Associates: covered providers and health plans may disclose PHI to business associates if they obtain satisfactory assurances (in writing) that the business associate will (i) use the information only for the purposes for which it was engaged by the covered entity; (ii) safeguard the information from misuse; and (iii) help the covered entity comply with some of the covered entity's duties under the Privacy Rule.
A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity. Examples include claims processing or administration, utilization review, billing, etc.
ABA's Cybersecurity Legal Task Force, Vendor Contracting Project, Cybersecurity Checklist (October 17, 2016)
http://www.americanbar.org/content/dam/aba/images/law_national_security/cybersecurity%20task%20Force%20Vendor%20Contracting%20Checklist%20v%201%2010-17-2016%20cmb%20edits%20clean.pdf
Purpose: to assist procuring organizations, vendors, and their respective counsel in addressing information security requirements in their transactions. The Checklist frames the issues parties should consider, consistent with common principles for managing cybersecurity risk.
Develop a Vendor Management Program including:
1. Vendor product/service risk assessment
2. Vendor due diligence and selection process based on the results of the risk assessment
3. Contract negotiation to address information security concerns
4. Ongoing vendor oversight and management to monitor information security
Vendor Management Process (lifecycle diagram)
Planning
Due diligence and third-party selection
Contract review and negotiation
Ongoing monitoring
Termination
Surrounding every stage: oversight and accountability; documentation and reporting; independent reviews
Risk Assessment
1. Identify all information assets: electronic, physical, human.
2. Identify reasonably foreseeable internal and external threats to information assets that could negatively impact the confidentiality, integrity, and availability of data. Also consider strategic, reputation, operational, transaction, credit, and compliance risks.
3. Determine inherent risk based on the likelihood of a threat occurring and the resulting impact of that occurrence on the organization.
4. Identify mitigating controls (administrative, technical, and physical) to reduce the risk of the particular event.
5. Determine residual risk based on the effectiveness of the identified controls in actually reducing the risk.
Vendor Selection and Due Diligence
What product or service is contemplated, and what information assets will be required to complete the engagement?
What information will the vendor receive, transmit, or store?
What is the sensitivity of the data involved? PII, PHI, financial information?
Where will the data be stored? Vendor or subcontractor networks, data centers, mobile devices, cloud systems, backups?
Vendor Selection and Due Diligence
Identify the risk profile for the product or service:
What information will be transmitted, processed, or stored, and where will it ultimately reside?
What access to information, internal network resources, or customers will the vendor have?
What controls are in place, or should be in place, to manage the vendor's access?
What legal or regulatory requirements are involved?
What is the vendor's industry experience?
Does the vendor use subcontractors or affiliates to provide the services?
Will the vendor negotiate terms? If not, how will you mitigate any control concerns (e.g., insurance, audits)?
Vendor Selection and Due Diligence
Will prospective vendors follow information security practices, and how can you mitigate risks?
Develop a vendor rating process.
Vendor risk assessment: access to sensitive data, criticality to operations, ability to terminate and replace.
Assess the vendor based on its rating; require more documentation and assurances from higher-risk vendors:
Information security policy
Business continuity/disaster recovery/incident response plans and testing program
Audit and remediation program
Vendor management program
Employee security awareness training program
Network monitoring and reporting
Data protection in transit and at rest (e.g., encryption)
Contract Provisions
Contemplate the entire vendor lifecycle, including:
Performance monitoring (SLA tracking, credits)
Cyber threat and incident communication
Performance obligations of the parties
Winding up and offboarding activities at the end of the relationship (including the secure return/erasure of the purchaser's data)
Contract Provisions: Definitions
a) Confidential information
b) Personally Identifiable Information (PII)
c) Incident and data breach
d) Malware or similar concepts such as harmful code
e) Vulnerabilities in the product or service
Contract Provisions: Performance
a) What is the product/service, and for whom?
b) Who will produce the product or provide the service, and who will have access to your information?
c) How will you and the vendor (and subcontractors) interact and share information?
d) Will the vendor have access to your IP and technology?
e) Who will have access to and own the resulting IP?
f) Where will products be produced or services performed? Consider potential BC/DR risk, political risk, security risk, and subcontractors.
Contract Provisions: Representations and Warranties
Consider with respect to bargaining leverage.
a) No recent (material) security incidents/breaches not previously disclosed.
b) No claims threatened or pending, or events or circumstances known to the vendor likely to give rise to claims, as a result of any security incident or vulnerability.
c) No regulatory actions threatened or pending, or events or circumstances (noncompliance) known to the vendor likely to give rise to regulatory action, as a result of any security incident or vulnerability.
d) No processing, storage, or transmission of information by third parties not previously disclosed. Are cloud providers involved?
Contract Provisions: Representations and Warranties (cont.)
e) Vendor has all licenses and certifications required by applicable law to provide the product/service.
f) Vendor has all rights necessary to provide the product/perform the service. If licensed to the vendor, the license authorizes the vendor to use it for third parties.
g) Vendor has an information security program in place.
h) Vendor employs personnel qualified to maintain the information security program and has validated the sufficiency of its subcontractors' programs.
i) Vendor handles your information consistent with its policies.
Contract Provisions: Confidentiality
a) Mutual. Do both parties have CI of the other? Do all provisions apply equally and reasonably to both?
b) Scope. Define CI in the possession or control of each party, including any subcontractor, and data generated by the engagement.
c) PII. Will the vendor collect, store, process, or transmit PII? From what jurisdiction(s) does the PII originate, and where will it be stored?
d) Permitted uses of confidential information. Used only as necessary for the product/service.
e) Storage and communication. Restrictions on location; notice of storage in any location not previously disclosed; encryption of data at rest and in flight/transit.
Contract Provisions: Confidentiality (cont.)
f) Sharing with affiliates and downstream vendors or subcontractors.
g) Customer-supplied information and record information, i.e., information accumulated about customers or as a byproduct of the customer relationship.
h) Return/destruction obligation at the end of the contract term and at other times at the disclosing party's request.
i) Exceptions to return. Will the disclosing party agree to exceptions, such as for information stored in a backup in a manner that makes destruction of specific information impractical or commercially unreasonable?
Contract Provisions: Confidentiality (cont.)
j) Incident management.
i. The definition of incident.
ii. Notices to affected persons and law enforcement: timing, content, method of delivery.
iii. Are delays attributed to law enforcement permitted?
iv. Copies of any notice the vendor is required to give other parties in connection with any incident, unless prohibited by law.
v. Vendor's procedures/infrastructure for tracking notice requirements and implementing notices when required.
vi. Access to information about incidents and to compromised systems or images, to assess impact and mitigate adverse effects.
vii. Remediation: access to information about root cause and observed impacts, to aid response and recovery.
viii. Costs: allocate liability for direct costs of the incident, e.g., breach notification.
ix. Duration of confidentiality obligation: indefinite, or confirm that the recipient returns/destroys the information.
Contract Provisions: Information Security Program
Vendor commitment to establish/maintain a comprehensive ISP for the confidentiality, integrity, and availability of information and systems, commensurate with the risk of loss, misuse, and unauthorized access/modification.
Involve knowledgeable employees/consultants in developing requirements, including:
Physical, administrative, management, technical, and logical controls
Threat/vulnerability assessment, monitoring, response, and intelligence
Software management: internally developed or purchased
Change/infrastructure management: patching, monitoring/remediation
Personnel: qualifications; training; insider threat monitoring/response; new hire procedures; job descriptions; segregation of duties; user access controls
Compliance with applicable laws and regulations
Contract Provisions: Monitoring/Assessment of Vendor Performance
Monitoring, assessment, and remediation provisions, and mechanisms to terminate if the vendor is unable to remediate:
a) SLAs with key performance and risk indicators
b) Vendor access to information and ability to remove access
c) Audit of internal controls, performance monitoring and reporting, security issues
d) Vendor financial health review
e) Performance and issue remediation, with option to suspend or terminate services
f) Confirmation of personnel background investigations
g) Access to vendor information, systems, and operations for audit/assessment by your regulators
Contract Provisions: Risk Event Reporting
Risk events: events beyond breaches/security incidents, e.g., loss of a material downstream supplier, political risk or labor disputes in a location where key services are performed, and IP infringement claims that could enjoin use of key technology.
Contract Provisions: Remedies
Appropriate for the nature of the failed performance, and actionable:
a) Elements of loss compensable as damages: investigation, vulnerability and incident mitigation costs; notification and identity theft services.
b) Are liquidated damages an appropriate or effective remedy?
c) Is specific performance available/enforceable?
d) Limitations and disclaimers. Consider incidental and consequential damage disclaimers relating to security breaches. Which costs arising from response and recovery are direct damages, and which are incidental/indirect?
Contract Provisions: Termination
a) Default: which acts, omissions, or conditions give a right to terminate?
b) Termination for other than default (e.g., upon reasonable notice and without penalty):
A regulator directs you to terminate, or regulatory/legal requirements change
The vendor is unable to respond adequately to a threat or breach
Disagreement about the significance of a vulnerability or remediation
For convenience
c) Transition plan: service/data transfer to you or another vendor (hardware, third-party software, data, IP, etc.).
d) Offboarding/turnover obligations: verification/certification of data return/destruction; removal of vendor logical/physical access; include subcontractors/affiliates.
Contract Provisions: Insurance
Consider cyber risk insurance coverage, first- and third-party:
Data in physical and electronic form
Media and hardware
Malware
Identity theft and credit monitoring services
Breach mitigation/forensics
Legal services
Regulatory actions/penalties
Public relations and crisis management
Contract Provisions: Indemnification
a) Loss of information: breach notification, investigation, remediation, litigation expenses.
b) Intellectual property: open source software?
c) Limitation of liability: if the agreement will include limitations of liability, consider caps for indemnification of third-party claims (information loss, breaches, IP infringement, remediation).
Contract Provisions: Business Continuity/Resiliency
What priority will the vendor give you in a contingency situation?
a) Data retention and backup procedures, failover to redundant systems, security of backup facilities.
b) Ownership/license of material needed to maintain operations/support. Rights to shift performance (internally or to a third party)?
c) Identification of the parties' key personnel and training.
d) Access to the vendor's continuity plan and test results. Participation in the vendor's and your testing exercises?
e) Communication between the parties during an event.
f) Force majeure: draft to maintain performance consistent with continuity/resiliency obligations.
Contract Provisions: Miscellaneous
a) Notices, including prompt notice of incidents, vulnerabilities, etc. Base on applicable laws/regulations and the data involved.
b) Assignment and change of control. Enable reviews of operations and systems if performance is moved to a different entity.
c) Subcontracting. Permitted? Subject to what conditions? Consider downstream vendors that provide services not exclusive to the purchaser's contract.
d) Survival. Confidentiality/security obligations involving information retention/storage.
e) Dispute resolution. Escalation procedures involving knowledgeable representatives from both sides, to determine whether they agree on the facts and assessments.
Contract Provisions: Software
a) Third-party/open source components: inventory, monitoring and remediation of vulnerabilities, indemnification.
b) Self-help remedies: if not prohibited, require disclosure. Require notice, and permit use only to prevent harm to the purchaser's or other customers' infrastructure.
c) Vulnerability reporting: vendor obligation to disclose software vulnerabilities.
d) Threat intelligence coverage: identification of the third parties to which the vendor reports vulnerabilities and that monitor its products.
e) Support and maintenance: security monitoring and remediation of vulnerabilities; SLA response provisions; severity determination.
f) Secure development environment and secure design practices: promise to maintain the current environment; reference industry standards, best practices, and applicable regulatory requirements.
g) Warranties: vulnerabilities, development environment breaches, infringement claims.
h) Source code escrow agreement and audit.
Amy McHugh, JD, CISA, Network+, Security+
Senior Associate
(319) 363-2697
AmyMcHugh@CLAconnect.com
CLAconnect.com
twitter.com/CLAconnect
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen