PRIVACY: BRIDGING THE GAP BETWEEN THIRD PARTY/VENDOR RISK MANAGEMENT AND CYBER RESILIENCY. Annmarie Giblin, Esq. Thursday, April 21, 2016


AGENDA:
I. INTRODUCTION
II. DATA PRIVACY V. DATA SECURITY
III. DEFINING THIRD PARTIES/VENDORS AND IDENTIFYING ASSOCIATED RISKS
IV. CURRENT REGULATORY OBLIGATIONS REGARDING THIRD PARTIES/VENDORS
V. INCREASED OVERSIGHT: THE FUTURE OF REGULATION CONCERNING THIRD PARTIES/VENDORS
VI. MITIGATION AND MANAGEMENT OF THIRD PARTY/VENDOR RISK
VII. CONCLUSION

I. INTRODUCTION

"The Internet has brought incredible opportunity, incredible wealth. It gives us access to data and information that are enhancing our lives in all sorts of ways. It also means that more and more of our lives are being downloaded, being stored, and as a consequence are a lot more vulnerable. That's true for the private sector. That's true for individual Americans. That's true for federal, state, and local governments. It's true for our critical infrastructure."
- Remarks by the President of the United States on the Cybersecurity National Action Plan, February 17, 2016

II. DATA PRIVACY V. DATA SECURITY
- Data privacy (the collection and storage of information) v. data security (the expectation, and now the legal duty, to protect the information collected).
- Data includes both information collected and stored electronically and on paper/hard copy.
- Consistently evolving legal landscape on the collection of data, the protection of data, and its use.

II. DATA PRIVACY V. DATA SECURITY: Data Privacy

Privacy in the United States v. Privacy in the European Union
- OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
- Clinton and Gore Framework for Global Electronic Commerce

General Privacy Laws in the United States
- Privacy Act of 1974
- Right to Financial Privacy Act of 1978
- Gramm-Leach-Bliley Act
- Regulation S-P (17 CFR 248.1-248.30)
- Fair Credit Reporting Act, 15 USC 1681-1681u
- HIPAA
- Dissolution of Safe Harbor and creation of the US-EU Privacy Shield

II. DATA PRIVACY V. DATA SECURITY: Data Security
- 31 States and Puerto Rico have laws that require entities to destroy, dispose of, or otherwise make personal information unreadable or undecipherable.*
- The Federal Trade Commission has a data disposal rule, which is part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) and mandates that sensitive information from consumer reports be appropriately disposed of.

* National Conference of State Legislatures, http://www.ncsl.org/research/telecommunications-and-information-technology/data-disposal-laws.aspx, viewed on April 17, 2016

II. DATA PRIVACY V. DATA SECURITY: Data Security Cont.

There are currently 47 States that have laws requiring notification of security breaches of information involving personally identifiable information. The District of Columbia, Puerto Rico, and the United States Virgin Islands also have notification laws. These laws are varied and have different definitions of personal information, as well as different requirements for notification. Several States have introduced legislation this year expanding these laws and tightening the regulations.

II. DATA PRIVACY V. DATA SECURITY: Data Security Cont.
- Cyber Security Act of 2015
- Pending Federal Legislation
- Cybersecurity National Action Plan
- Commission on Enhancing National Cybersecurity
- Dodd-Frank Financial Stability Oversight Council
- SEC OCIE's 2015 Cybersecurity Examination Initiative

III. DEFINING THIRD PARTIES/VENDORS AND IDENTIFYING ASSOCIATED RISKS: Defining Third Parties/Vendors
- Who has access to the institution's data?
- What data do they have access to?
- Why do they have access to this data?
- How do they protect the institution's data?
- How do they protect their own data?

III. DEFINING THIRD PARTIES/VENDORS AND IDENTIFYING ASSOCIATED RISKS

Third Parties/Vendors include any party/company that has access to, or can have access to, your data, and can include:
- Fintech providers
- Insurance companies
- Auditors
- Outside IT companies
- Repairmen
- Cleaning service providers
- Document shredding companies
- Attorneys
- Etc.

III. DEFINING THIRD PARTIES/VENDORS AND IDENTIFYING ASSOCIATED RISKS

New York State Department of Financial Services, Update on Cyber Security in the Banking Sector: Third Party Service Providers, April 2015. Key findings from the Report include:
- Nearly 1 in 3 (approximately 30 percent) of the banks surveyed do not require their third-party vendors to notify them in the event of an information security breach or other cyber security breach.
- Fewer than half of the banks surveyed conduct any on-site assessments of their third-party vendors.
- Approximately 1 in 5 banks surveyed do not require third-party vendors to represent that they have established minimum information security requirements. Additionally, only one-third of the banks require those information security requirements to be extended to subcontractors of the third-party vendors.
- Nearly half of the banks do not require a warranty of the integrity of the third-party vendor's data or products (e.g., that the data and products are free of viruses).*

* http://www.dfs.ny.gov/about/press/pr1504091.htm, last viewed on April 18, 2016.


IV. CURRENT REGULATORY OBLIGATIONS REGARDING THIRD PARTIES/VENDORS
- State Breach Notification Laws
- Fair Credit Reporting Act, 15 USC 1681-1681u
- The Health Information Technology for Economic and Clinical Health (HITECH) Act
- SEC OCIE's 2015 Cybersecurity Examination Initiative
- PCI Security Standards
- Gramm-Leach-Bliley Act
- Regulation S-P (17 CFR 248.1-248.30)

V. INCREASED OVERSIGHT: THE FUTURE OF REGULATION CONCERNING THIRD PARTIES/VENDORS
- Pending Federal Legislation
- Pending State Legislation
- New York State Department of Financial Services Potential New Cyber Security Requirements
- NIST Framework
- EU General Data Protection Regulation
- Codification of PCI Security Standards

VI. MITIGATION AND MANAGEMENT OF THIRD PARTY/VENDOR RISK

Mitigation of Risks Associated with Third Parties/Vendors who have access to the Institution's Data:
- Incorporate management of data that third parties/vendors have access to in the data retention policy. Consider creating a separate policy solely dealing with management of data given to third parties/vendors.
- Document and continually update specifically what data each third party/vendor has access to, when they received access, when that access was terminated, and how that data will be retrieved when it is no longer needed.
- Incorporate response to incidents stemming from Third Parties/Vendors into the Institution's Incident Response Plan.
- Organize Third Parties/Vendors by Risk and treat accordingly.
  - Assignment of Risk Category should focus on the role of the third party/vendor and the data they will have access to.
  - High Risk Third Parties/Vendors should receive the most scrutiny.
- Evaluation of Third Parties/Vendors should start before retention/signing of the contract.
  - Due Diligence is key.
  - Prioritize Resources.

VI. MITIGATION AND MANAGEMENT OF THIRD PARTY/VENDOR RISK
- Put expectations in writing.
- Mandate immediate reporting of a data incident/breach and negotiate the right to be included in forensic evaluation and recovery.
- Depending on the information they have access to, require that third parties/vendors store and protect the institution's data separately from other data.
- Consider limiting access to data to only certain high level and/or necessary personnel at the third party/vendor. Require registration and security training of those persons on how to protect and manage the institution's data.
- Require that the third party/vendor provide proof of their data security policies, testing and controls. Require that they provide results of penetration testing and security evaluations, copies of their incident response plan, and assurances about how they treat data security with their own third parties/vendors.
- For High Risk Third Parties/Vendors, require cyber liability insurance and ask to be named as an additional insured. Obtain proof of this.

VI. MITIGATION AND MANAGEMENT OF THIRD PARTY/VENDOR RISK
- Include an indemnification provision in the contract. Identify specifically indemnification for first party losses and third party losses.
  - First party losses are losses suffered by the institution.
  - Third party losses are losses suffered by others (customers, business partners, etc.).
- Limit access to only essential information. Be suspicious of requests for new or additional information that do not seem essential or go beyond your understanding of what was agreed to be necessary.
- Encrypt data and require multi-factor authentication.
- Do not give open access to your system unless essential. If essential, limit the access to certain employees of the third party/vendor.
- Visit higher risk third parties'/vendors' places of business and conduct a visual inspection.
- Remember information can still be stolen the old fashioned way. Do not discredit the threat of a data breach that originates from the loss of hard copy.

VII. CONCLUSION **This PowerPoint and the information contained within is for informational purposes only. Nothing contained within is intended to be used or relied on as Legal Advice or opinion.