Information Security and Third-Party Service Provider Agreements

The Iowa State Bar Association's ecommerce & Intellectual Property Law Sections presents
2016 Intellectual Property Law & ecommerce Seminar
Information Security and Third-Party Service Provider Agreements
11:15 am to 12:15 pm
Presented By Amy McHugh, CliftonLarsonAllen LLP, 600 3rd Avenue SE, Suite 300, Cedar Rapids, IA 52401, Phone: 319-363-2697
Friday, December 2, 2016

Information Security and Third-Party Service Agreements
Amy McHugh, JD, CISA, Network+, Security+
CLAconnect.com

What Information Are We Protecting?
Gramm-Leach-Bliley Section 501(b) for the Safeguarding of Customer Information

Customer information: any record containing nonpublic personal information about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of the institution.

Nonpublic personal information:
(i) Personally identifiable financial information; and
(ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.

Personally identifiable financial information:
(i) Information a consumer provides to you to obtain a financial product or service from you;
(ii) Information about a consumer resulting from any transaction involving a financial product or service between you and a consumer; or
(iii) Information you otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.

What Information Are We Protecting?
Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Protected Health Information: The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.

Individually identifiable health information: Information, including demographic data, that relates to:
(i) the individual's past, present or future physical or mental health or condition,
(ii) the provision of health care to the individual, or
(iii) the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual (ex. name, address, birth date, Social Security Number).

What Information Are We Protecting?
Payment Card Industry (PCI): Payment card data
Personally Identifiable Information: Information that can be utilized to identify an individual, including but not limited to name, address, social security number, phone number, etc.
Business information

Don't Forget!
Employee information
Trade Secrets/IP
Business plans
M&A plans

Information Shared with Third-Parties
Cornerstone of a Vendor Management Program

Gramm-Leach-Bliley Section 501(b) for the Safeguarding of Customer Information
Oversee Service Provider Arrangements: Each institution shall:
Exercise appropriate due diligence in selecting its service providers;
Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and
Where indicated by the institution's risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, an institution should review audits, summaries of test results, or other equivalent evaluations of its service providers.

Information Shared with Third-Parties
Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Business Associates: Covered providers and health plans may disclose PHI to business associates if they obtain satisfactory assurances (in writing) that the business associate will
(i) use the information only for the purposes for which it was engaged by the covered entity;
(ii) safeguard the information from misuse; and
(iii) help the covered entity comply with some of the covered entity's duties under the Privacy Rule.

A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity. Examples include claims processing or administration; utilization review; billing; etc.

ABA's Cybersecurity Legal Task Force Vendor Contracting Project
Cybersecurity Checklist (October 17, 2016)
http://www.americanbar.org/content/dam/aba/images/law_national_security/cybersecurity%20task%20Force%20Vendor%20Contracting%20Checklist%20v%201%2010-17-2016%20cmb%20edits%20clean.pdf

To assist procuring organizations, vendors, and their respective counsel to address information security requirements in their transactions. The Checklist frames the issues parties should consider consistent with common principles for managing cybersecurity risk.

Develop a Vendor Management Program including:
1. Vendor product/service risk assessment
2. Vendor due diligence and selection process based on the results of the risk assessment
3. Contract negotiation to address information security concerns
4. Ongoing vendor oversight and management to monitor information security

Vendor Management Process (diagram): Planning; Due diligence and third-party selection; Contract Review & Negotiation; Ongoing Monitoring; Termination. Also shown: Independent Reviews; Documentation & Reporting; Oversight & Accountability.

Risk Assessment
1. Identify all Information Assets: Electronic, Physical, Human.
2. Identify reasonably foreseeable internal and external threats to information assets that could negatively impact confidentiality, integrity, and availability of data. Also Strategic, Reputation, Operational, Transaction, Credit, and Compliance Risks.
3. Determine Inherent Risk based on the likelihood of a threat occurring and the resulting impact of that occurrence on the organization.
4. Identify mitigating controls (administrative, technical, and physical) to reduce the risk of the particular event.
5. Determine the Residual Risk based on the effectiveness of the identified controls in actually reducing the risk.

Vendor Selection and Due Diligence
What product or service is contemplated and what information assets will be required to complete the engagement?
What information will the vendor receive, transmit, or store?
What is the sensitivity of the data involved? PII, PHI, Financial Information?
Where will the data be stored? Vendor or subcontractor networks, data centers, mobile devices, cloud systems, backups?

Vendor Selection and Due Diligence
Identify the risk profile for the product or service:
What information will be transmitted, processed, or stored, and where will it ultimately reside?
What access to information, internal network resources, or customers will the vendor have?
What controls are in place/should be in place to manage the vendor's access?
What legal or regulatory requirements are involved?
What is the vendor's industry experience?
Does the vendor use subcontractors or affiliates to provide the services?
Will the vendor negotiate terms? If not, how will you mitigate any control concerns? Ex. insurance, audits, etc.

Vendor Selection and Due Diligence
Will prospective vendors follow information security practices, and how can you mitigate risks?
Develop a vendor rating process.
Vendor Risk Assessment: access to sensitive data, criticality to operations, ability to terminate and replace.
Assess the vendor based on its rating: require more documentation and assurances from higher-risk vendors.
  Information Security Policy
  Business Continuity/Disaster Recovery/Incident Response Plans and testing program
  Audit and remediation program
  Vendor management program
  Employee security awareness training program
  Network monitoring and reporting
  Data protection in transit and at rest (ex. encryption)

Contract Provisions
Contemplate the entire vendor lifecycle including:
Performance monitoring (SLA tracking, credits)
Cyber threat and incident communication
Performance obligations of the parties, and
Winding up and offboarding activities at the end of the relationship (including the secure return/erasure of the purchaser's data).

Contract Provisions - Definitions
a) Confidential information;
b) Personally Identifiable Information (PII);
c) Incident and data breach;
d) Malware or similar concepts like harmful code;
e) Vulnerabilities in product or service.

Contract Provisions - Performance
a) What and for whom is the product/service?
b) Who will produce the product or provide the service? Who will have access to your information?
c) How will you and the vendor (and subcontractors) interact and share information?
d) Will the vendor have access to your IP and technology?
e) Who will have access to and own the resulting IP?
f) Where will products be produced or services performed? Consider potential BC/DR risk, political risk, security risk, subcontractors.

Contract Provisions - Representations and Warranties
Consider with respect to bargaining leverage.
a) No recent (material) security incidents/breaches not previously disclosed.
b) No claims threatened or pending, or events or circumstances known to the vendor likely to give rise to claims as a result of any security incident or vulnerability.
c) No regulatory actions threatened or pending, or events or circumstances (noncompliance) known to the vendor likely to give rise to regulatory action as a result of any security incident or vulnerability.
d) No processing, storage, or transmission of information by third-parties not previously disclosed. Cloud providers involved?

Contract Provisions - Representations and Warranties (cont.)
e) Vendor has all licenses and certifications required by applicable law to provide the product/service.
f) Vendor has all rights necessary to provide the product/perform the service. If licensed to the vendor, the license authorizes the vendor to use it for third parties.
g) Require that the vendor has an information security program in place.
h) Vendor employs personnel qualified to maintain the information security program and has validated the sufficiency of the programs of its subcontractors.
i) Vendor handles your information consistent with its policies.

Contract Provisions - Confidentiality
a) Mutual. Do both parties have CI of the other? Do all provisions apply equally and reasonably to both?
b) Scope. Define CI in the possession or control of each party, including any subcontractor, and data generated by the engagement.
c) PII. Will the vendor collect, store, process, or transmit PII? From what jurisdiction(s) does the PII originate and where will it be stored?
d) Permitted uses of confidential information. Used only as necessary for the product/service.
e) Storage & Communication. Restrictions on location, notice of storage in any location not previously disclosed; encryption of data-at-rest and in-flight/transit.

Contract Provisions - Confidentiality (cont.)
f) Sharing with affiliates and downstream vendors or subcontractors.
g) Customer-supplied information and record information, i.e., information accumulated about customers or as a byproduct of the customer relationship.
h) Return/destruction obligation at the end of contract term and at other times at the disclosing party's request.
i) Exceptions to return. Will the disclosing party agree to exceptions, such as for information stored in a backup in a manner that makes destruction of specific information impractical/commercially unreasonable?

Contract Provisions - Confidentiality (cont.)
j) Incident management.
i. The definition of incident.
ii. Notices to affected persons and law enforcement: timing, content, method of delivery.
iii. Delays attributed to law enforcement permitted?
iv. Copies of any notice the vendor is required to give parties in connection with any incident, unless prohibited by law.
v. Vendor's procedures/infrastructure for tracking notice requirements and implementing notices when required.
vi. Access to information about incidents and to compromised systems or images to assess impact and mitigate adverse effects.
vii. Remediation: access to information about root cause and observed impacts to aid response and recovery.
viii. Costs: allocate liability for direct costs of the incident, ex. breach notification.
ix. Duration of confidentiality obligation: indefinite, or confirm that the recipient returns/destroys information.

Contract Provisions - Information Security Program
Vendor commitment to establish/maintain a comprehensive ISP for the CIA of information and systems commensurate with risk of loss, misuse, unauthorized access/modification.
Involve knowledgeable employees/consultants in developing requirements, including:
Physical, administrative, management, technical, logical controls
Threat/Vulnerability assessment, monitoring, response, intelligence
Software management: internally developed or purchased
Change/Infrastructure Management: patching, monitoring/remediation
Personnel: qualifications; training; insider threat monitoring/response; new hire procedures; job descriptions; segregation of duties; user access controls
Compliance with applicable laws and regulations

Contract Provisions - Monitoring/Assessment of Vendor Performance
Monitoring, assessment, and remediation provisions, and mechanisms to terminate if unable to remediate:
a) SLAs with key performance and risk indicators
b) Vendor access to information and ability to remove access
c) Audit of internal controls, performance monitoring and reporting, security issues
d) Vendor financial health review
e) Performance and issue remediation with option to suspend or terminate services
f) Confirmation of personnel background investigations
g) Access to vendor information, systems, and operations for audit/assessment by your regulators

Contract Provisions - Risk Event Reporting
Risk Events: events beyond breach/security incidents, e.g., loss of a material downstream supplier, political risk or labor disputes in a location where key services are performed, and IP infringement claims that could enjoin use of key technology.

Contract Provisions - Remedies
Appropriate for the nature of the failed performance and actionable:
a) Elements of loss compensable as damages. Investigation/vulnerability and incident mitigation costs; notification and identity theft services.
b) Liquidated damages: appropriate or effective remedy?
c) Specific performance: available/enforceable?
d) Limitations and disclaimers. Consider incidental and consequential damage disclaimers relating to security breaches. What costs arising from response and recovery are direct damages and what costs are incidental/indirect?

Contract Provisions - Termination
a) Default: which acts, omissions, or conditions give the right to terminate?
b) Terminate for other than default (e.g., upon reasonable notice and without penalty):
Regulator directs you to terminate or regulatory/legal requirements change
Vendor is unable to respond adequately to a threat or breach?
Disagreement about the significance of a vulnerability or remediation?
For convenience?
c) Transition Plan: service/data transfer to you or another vendor. Hardware, third-party software, data, IP, etc.
d) Offboarding/Turnover obligations: verification/certification of data return/destruction; removal of vendor logical/physical access; include subcontractors/affiliates.

Contract Provisions - Insurance
Consider cyber risk insurance coverage.
First- and Third-Party Coverage:
Data: physical and electronic form
Media and hardware
Malware
Identity theft and credit monitoring services
Breach mitigation/forensics
Legal services
Regulatory actions/penalties
Public relations and crisis management

Contract Provisions - Indemnification
a) Loss of information: breach notification/investigation/remediation, litigation expenses.
b) Intellectual property: open source software?
c) Limitation of liability: if the agreement will include limitations of liability, consider caps for indemnification of third-party claims (information loss, breaches, IP infringement, remediation).

Contract Provisions - Business Continuity/Resiliency
What priority will the vendor give you in a contingency situation?
a) Data retention and back-up procedures, failover to redundant systems, security of backup facilities.
b) Ownership/license of material to maintain operations/support. Rights to shift performance (internally or to a third party)?
c) Identification of the parties' key personnel and training.
d) Access to vendor's continuity plan and test results. Participation in the vendor's and your testing exercises?
e) Communication between parties during an event.
f) Force Majeure: draft to maintain performance consistent with continuity/resiliency obligations.

Contract Provisions - Miscellaneous
a) Notices: including prompt notice of incidents, vulnerabilities, etc. Base on applicable laws/regs and data.
b) Assignment and change of control: enable reviews of operations and systems if performance is moved to a different entity.
c) Subcontracting: permitted? Subject to what conditions? Consider downstream vendors that provide services not exclusive to the purchaser's contract.
d) Survival: confidentiality/security involving info retention/storage.
e) Dispute resolution: escalation procedures involving knowledgeable representatives from both sides to determine if they agree on facts and assessments.

Contract Provisions - Software
a) Third-party/open source components: inventory, monitoring and remediation of vulnerabilities, indemnification.
b) Self-help remedies: if not prohibited, disclose. Require notice, and only to prevent harm to purchaser or other customer infrastructure.
c) Vulnerability reporting: vendor obligation to disclose software vulnerabilities.
d) Threat intelligence coverage: identification of third parties to which the vendor reports vulnerabilities and that monitor its products.
e) Support and maintenance: security monitoring and remediation of vulnerabilities; SLA response provisions; severity determination.
f) Secure development environment and secure design practices: promise to maintain the current environment; reference industry standards/best practices/applicable regulatory requirements.
g) Warranties: vulnerabilities, development environment breaches, infringement claims.
h) Source code escrow agreement and audit.

Amy McHugh, JD, CISA, Network+, Security+
Senior Associate
(319) 363-2697
AmyMcHugh@CLAconnect.com
CLAconnect.com
twitter.com/CLAconnect
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen