PRIVACY: BRIDGING THE GAP BETWEEN THIRD PARTY/VENDOR RISK MANAGEMENT AND CYBER RESILIENCY
Annmarie Giblin, Esq.
Thursday, April 21, 2016
AGENDA:
I. INTRODUCTION
II. DATA PRIVACY V. DATA SECURITY
III. DEFINING THIRD PARTIES/VENDORS AND IDENTIFYING ASSOCIATED RISKS
IV. CURRENT REGULATORY OBLIGATIONS REGARDING THIRD PARTIES/VENDORS
V. INCREASED OVERSIGHT: THE FUTURE OF REGULATION CONCERNING THIRD PARTIES/VENDORS
VI. MITIGATION AND MANAGEMENT OF THIRD PARTY/VENDOR RISK
VII. CONCLUSION
I. INTRODUCTION

"The Internet has brought incredible opportunity, incredible wealth. It gives us access to data and information that are enhancing our lives in all sorts of ways. It also means that more and more of our lives are being downloaded, being stored, and as a consequence are a lot more vulnerable. That's true for the private sector. That's true for individual Americans. That's true for federal, state, and local governments. It's true for our critical infrastructure."
- Remarks by the President of the United States on the Cybersecurity National Action Plan, February 17, 2016
II. DATA PRIVACY V. DATA SECURITY

- The collection and storage of information (privacy) v. the expectation, and now the legal duty, to protect the information collected (security).
- Data includes both information collected and stored electronically and information on paper/hard copy.
- The legal landscape governing the collection of data, the protection of data, and its use is constantly evolving.
Data Privacy

Privacy in the United States v. Privacy in the European Union:
- OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
- Clinton and Gore Framework for Global Electronic Commerce
- General Privacy Laws in the United States:
  - Privacy Act of 1974
  - Right to Financial Privacy Act of 1978
  - Gramm-Leach-Bliley Act
  - Regulation S-P (17 CFR 248.1-248.30)
  - Fair Credit Reporting Act, 15 USC 1681-1681u
  - HIPAA
- Dissolution of Safe Harbor and creation of the US-EU Privacy Shield
Data Security

- 31 States and Puerto Rico have laws that require entities to destroy, dispose of, or otherwise make personal information unreadable or undecipherable.*
- The Federal Trade Commission has a data disposal rule, part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which mandates that sensitive information from consumer reports be appropriately disposed of.

* National Conference of State Legislatures, http://www.ncsl.org/research/telecommunications-andinformation-technology/data-disposal-laws.aspx, viewed on April 17, 2016
Data Security (cont.)

- There are currently 47 States that have laws requiring notification of security breaches of information involving personally identifiable information. The District of Columbia, Puerto Rico, and the United States Virgin Islands also have notification laws.
- These laws are varied and have different definitions of personal information, as well as different requirements for notification.
- Several States have introduced legislation this year expanding these laws and tightening the regulations.
Data Security (cont.)

- Cybersecurity Act of 2015
- Pending Federal Legislation
- Cybersecurity National Action Plan
- Commission on Enhancing National Cybersecurity
- Dodd-Frank Financial Stability Oversight Council
- SEC OCIE's 2015 Cybersecurity Examination Initiative
III. DEFINING THIRD PARTIES/VENDORS AND IDENTIFYING ASSOCIATED RISKS

Defining Third Parties/Vendors
- Who has access to the institution's data?
- What data do they have access to?
- Why do they have access to this data?
- How do they protect the institution's data?
- How do they protect their own data?
Third Parties/Vendors include any party/company that has access to, or can have access to, your data, and can include:
- Fintech providers
- Insurance companies
- Auditors
- Outside IT companies
- Repairmen
- Cleaning service providers
- Document shredding companies
- Attorneys
- Etc.
New York State Department of Financial Services, Update on Cyber Security in the Banking Sector: Third Party Service Providers, April 2015

Key findings from the Report include:*
- Nearly 1 in 3 (approximately 30 percent) of the banks surveyed do not require their third-party vendors to notify them in the event of an information security breach or other cyber security breach.
- Fewer than half of the banks surveyed conduct any on-site assessments of their third-party vendors.
- Approximately 1 in 5 banks surveyed do not require third-party vendors to represent that they have established minimum information security requirements. Additionally, only one-third of the banks require those information security requirements to be extended to subcontractors of the third-party vendors.
- Nearly half of the banks do not require a warranty of the integrity of the third-party vendor's data or products (e.g., that the data and products are free of viruses).

* http://www.dfs.ny.gov/about/press/pr1504091.htm, last viewed on April 18, 2016.
IV. CURRENT REGULATORY OBLIGATIONS REGARDING THIRD PARTIES/VENDORS

- State Breach Notification Laws
- Fair Credit Reporting Act, 15 USC 1681-1681u
- The Health Information Technology for Economic and Clinical Health (HITECH) Act
- SEC OCIE's 2015 Cybersecurity Examination Initiative
- PCI Security Standards
- Gramm-Leach-Bliley Act
- Regulation S-P (17 CFR 248.1-248.30)
V. INCREASED OVERSIGHT: THE FUTURE OF REGULATION CONCERNING THIRD PARTIES/VENDORS

- Pending Federal Legislation
- Pending State Legislation
- New York State Department of Financial Services Potential New Cyber Security Requirements
- NIST Framework
- EU General Data Protection Regulation
- Codification of PCI Security Standards
VI. MITIGATION AND MANAGEMENT OF THIRD PARTY/VENDOR RISK

Mitigation of Risks Associated with Third Parties/Vendors who have access to the Institution's Data:
- Incorporate management of data that third parties/vendors have access to into the data retention policy. Consider creating a separate policy dealing solely with management of data given to third parties/vendors.
- Document, and continually update, specifically what data each third party/vendor has access to, when they received access, when that access was terminated, and how that data will be retrieved when it is no longer needed.
- Incorporate response to incidents stemming from Third Parties/Vendors into the Institution's Incident Response Plan.
- Organize Third Parties/Vendors by risk and treat accordingly:
  - Assignment of a risk category should focus on the role of the third party/vendor and the data they will have access to.
  - High Risk Third Parties/Vendors should receive the most scrutiny.
  - Evaluation of Third Parties/Vendors should start before retention/signing of the contract. Due diligence is key.
  - Prioritize resources.
- Put expectations in writing.
- Mandate immediate reporting of a data incident/breach and negotiate the right to be included in forensic evaluation and recovery.
- Depending on the information they have access to, require that third parties/vendors store and protect the institution's data separately from other data.
- Consider limiting access to data to only certain high-level and/or necessary personnel at the third party/vendor. Require registration and security training of those persons on how to protect and manage the institution's data.
- Require that the third party/vendor provide proof of their data security policies, testing, and controls. Require that they provide results of penetration testing and security evaluations, copies of their incident response plan, and assurances about how they treat data security with their own third parties/vendors.
- For High Risk Third Parties/Vendors, require cyber liability insurance and ask to be named as an additional insured. Obtain proof of this.
- Include an indemnification provision in the contract. Identify specifically indemnification for first party losses and third party losses:
  - First party losses are losses suffered by the institution.
  - Third party losses are losses suffered by others (customers, business partners, etc.).
- Limit access to only essential information. Be suspicious of requests for new or additional information that do not seem essential or go beyond your understanding of what was agreed to be necessary.
- Encrypt data and require multi-factor authentication.
- Do not give open access to your system unless essential. If essential, limit the access to certain employees of the third party/vendor.
- Visit higher risk third parties'/vendors' places of business and conduct a visual inspection.
- Remember that information can still be stolen the old-fashioned way. Do not discount the threat of a data breach that originates from the loss of hard copy.
VII. CONCLUSION

This PowerPoint and the information contained within are for informational purposes only. Nothing contained within is intended to be used or relied on as legal advice or opinion.