Information Security & Regulatory Compliance:
The Bottom Line
January 22, 2014
Los Angeles, California
Sponsored by LexisNexis
Presented by Foley & Lardner LLP
Michael R. Overly, Esq.
Wendy Coticchia,
Panelists:Esq.
CISA, CISSP, ISSMP, CIPP, CRISC Applied Computer Solutions
Foley & Lardner LLP
#IHCC14
#IHCC12
David R. Alberton, Esq.,
CIPP/IT
Foley & Lardner LLP
© 2014 Foley & Lardner LLP
2014 ACC-SoCal In-House Counsel Conference
1
Agenda and Overview
Overview of the current landscape of privacy and
security laws and regulations.
Privacy is only part of the problem.
Identifying three common threads in privacy and
security laws and regulations.
Potential risks of non-compliance.
Application to vendor contracting process.
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_2
2
Information Security Risks Are At
An All Time High
In the last year, there were almost a dozen major
incidents in which personal information has been
severely compromised.
According to the FBI, incidence of hacking and
insider misappropriation or compromise of
confidential information is at an all time high.
– Insiders include not only the company’s own
personnel, but also its contractors and business
partners.
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_3
3
Information Security Risks Are At
An All Time High
FTC, OCC, HHS and other regulators increasingly
focusing on information security.
– States becoming increasingly active in this area.
Possibility of FTC, AG, and other regulatory action
at an all-time high.
Sanctions can scale to the millions of dollars
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_4
4
Biggest Misconceptions
It’s all about the data
– Security of systems
– Security of data
It’s all about privacy
– Privacy is only a subset of security
It’s all about confidentiality
– CIA: Confidentiality, Integrity, Availability.
– This requirement is seen in many privacy/security laws
and regulations.
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_5
5
Examples of Federal & State Laws
and Regulations
Gramm-Leach-Bliley
HIPAA Security Rule / HITECH Act
California, Massachusetts, New Jersey, and many
others
Federal Trade Commission
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_6
6
Standards
Australia, US, US State: “Reasonable” measures
Others: “Appropriate,” “necessary” measures
Contract requirements
– EU Model Contracts
– Other Agreements
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_7
7
What Are We Protecting
General Confidential Information
Intellectual Property
Protected Health Information (HIPAA)
Personally Identifiable Non-Public Financial
Information (GLB), and other information protected
under state privacy and security laws
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_8
8
What Are We Protecting
Other PII, e.g., HR data, investors, business
contact information
System operations
System integrity
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_9
9
Expanding definitions of
“personal information”
California Civil Code Section 1798.29 and 1798.82
Expanded the definitions of “personal
information” and notice requirements after an
unauthorized disclosure of a “user name or email
address, in combination with a password or
security question and answer that would permit
access to an online account.”
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_10
10
Why Protections Are Important
Protect valuable assets of the business
Establish due diligence
Protect business reputation
Avoid public embarrassment
Minimize potential liability
Regulatory compliance
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_11
11
Three Common Threads
Attempt to gain a broader picture of compliance
obligations.
Three common themes or “threads.”
Threads run through laws and regulations and,
also, common industry standards (PCI DSS, CERT
at Carnegie Mellon, and the International Standards
Organization).
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_12
12
First Common Thread
Confidentiality, Integrity, and Availability (CIA).
Foundational principle in information security.
– Data must be held in confidence
– Data must be protected against unauthorized
modification
– Data must be available for use when needed
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_13
13
Second Common Thread
Acting “Reasonably” or taking “Appropriate” or
“Necessary” measures to protect data.
EU, Australia, Canada, US, and many other
countries.
Business must do what is reasonable or
necessary. Perfection is not required.
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_14
14
Third Common Thread
Scaling security measures to reflect nature of data
and risk presented.
Closely related to acting reasonably or doing what
is necessary.
Security measures must be adjusted to reflect the
sensitivity of the data and severity of the risk.
The greater the risk and sensitivity of data, the
greater the effort to secure the data.
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_15
15
Scaling of Security
Security isn’t an all or nothing proposition.
Protections must scale to meet the risk.
– Fees should not be part of the analysis.
Data security regulations and laws written in terms
of scaling.
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_16
16
Scaling of Security
Massachusetts Data Security Law:
“. . . safeguards that are appropriate to (a) the size, scope and
type of business of the person obligated to safeguard the
personal information under such comprehensive information
security program; (b) the amount of resources available to
such person; (c) the amount of stored data; and (d) the need
for security and confidentiality of both consumer and
employee information.”
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_17
17
Scaling of Security
HIPAA Security Rule: Factors to consider:
(i)
The size, complexity, and capabilities of the Covered
Entity.
(ii)
The Covered Entity's technical infrastructure, hardware,
and software security capabilities.
(ii)
The costs of security measures.
(iv)
The probability and criticality of potential risks to ePHI.
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_18
18
Applying Common Threads to
Vendor Contracting Relationships
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_19
19
Three Step Approach
Vendor due diligence
Contractual protections
Information handling procedures and
requirements, generally in the form of contract
exhibits
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_20
20
Common Errors
Failure to involve all relevant stakeholders in the
process
Failing to assess the unique requirements of the
transaction at-hand
– Example: Mobile applications
Inflexibility
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_21
21
Step One: Due Diligence
From the outset, Vendors must be on notice that
the information they provide as part of the
company’s information security due diligence will
be (i) relied upon in making a vendor selection; and
(ii) part of the ultimate contract.
To ensure proper documentation and uniformity in
the due diligence process, companies should
develop a “Vendor Due Diligence Questionnaire.”
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_22
22
Step One: Questionnaire
Advantages
Provides a uniform framework for due diligence
Ensures “apples-to-apples” comparison of vendor
responses
Ensures all key areas of diligence are addressed
Provides an easy means for incorporating due
diligence information into the final contract
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_23
23
Step One: Questionnaire Use
The Questionnaire will address security standards
with which Vendors will be required to comply
under the laws (e.g, HIPAA, FCRA/FACTA, GLB,
etc.). Many Vendors will lack true understanding of
these requirements.
The Questionnaire will be a tool to educate your
Vendors about your compliance expectations.
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_24
24
Step One: Questionnaire Use
The Questionnaire should be presented to
potential vendors at the earliest possible stage in
the relationship.
Include as part of all relevant RFPs. If no RFP is
used, submit to the vendor as a stand-alone
document.
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_25
25
Step Two: Contractual
Protections – Threat Scaling
NDA or Confidentiality Clause
General security obligations
Security and data warranties
Use of subcontractors/offshore entities
Personnel controls, diligence
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_26
26
Step Two: Contractual
Protections
Breach notification, cost reimbursement
Indemnity – Protection from third party claims
Limitation of Liability
Insurance
Incorporation of Due Diligence Questionnaire
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_27
27
Step Three: Information Handling
Requirements
Where appropriate, attach specific information
handling requirements in an exhibit
–
–
–
–
–
Securing PII
Encryption
Secure destruction of data
Securing of removable media
Communication and coordination
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_28
28
Negotiation Tips
 Raise security requirements from the outset, including
liability expectations.
 The way in which the requirements are presented to the
vendor is key.
 In many cases, it is necessary to educate the vendor
about legal/regulatory requirements.
 Major push-back to baseline technical requirements is
common and almost never difficult to overcome.
 Flexibility is frequently required, but generally only for
a narrow range of requirements.
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_29
29
Negotiation Tips
Create a ready library of “plug-and-play”
alternatives to standard required terms.
Addressing the common argument that “we cannot
change the way we secure our systems for a single
engagement.”
Addressing the argument that baseline security
requirements somehow prevent the vendor from
evolving its security standards.
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_30
30
Negotiation Tips
Moving target language
“Industry best practices” provisions
Compliance with laws/regulations that may not
directly apply to the vendor’s business
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_31
31
Post-Execution Follow-up
Ongoing policing of vendor performance and
compliance is crucial
– Audit rights
– Access to third party audit reports (e.g., SAS 70 Type II,
SSAE 16)
– Updating of due diligence questionnaire is key
Annual compliance statement
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_32
32
Questions?
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_33
33
Contact Information
Michael R. Overly, Esq., Partner
CISA, CISSP, ISSMP, CIPP, CRISC
Technology Transactions & Outsourcing Group
Foley & Lardner LLP
555 South Flower Street
Suite 3500
Los Angeles, California 90071
(213) 972-4533
moverly@foley.com
Wendy Coticchia, Esq.
Senior Corporate Counsel
Applied Computer Solutions
15461 Springdale Street
Huntington Beach, CA 92649
(714) 861-2267
wendy.coticchia@acsacs.com
David R. Albertson, Esq.,
CIPP/IT
Technology Transactions & Outsourcing Group
Foley & Lardner LLP
555 South Flower Street
Suite 3500
Los Angeles, California 90071
(213) 972-4726
dalbertson@foley.com
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_34
34
Introducing Lexis® Practice Advisor, a topical, transaction guide designed to address the needs of in-house counsel
specializing in transactional matters. Our practice area-specific modules are chock-full of model documents, forms,
checklists and commentary that are expertly annotated by seasoned attorneys in leading firms across the country.
Practice Advisor content is organized to be easier to use than your traditional research platforms and is combined
with pinpoint sections of Matthew Bender® treatises and relevant case law and statutes. This “stand-alone” offering
will save the transactional attorney time as well as offering peace of mind that you haven’t missed something by
relying on outdated and questionable resources.
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_35
35
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_36
36
A Sampling of the Lexis Practice Advisor® Modules Currently Available:
Corporate Counsel –A practical guidance resource for in-house attorneys who handle transactional matters. Written
and enhanced by seasoned practicing attorneys with extensive in-house and law firm experience, the Corporate
Counsel module covers issues that are relevant to a broad range of industries. It is an excellent starting point for
simplifying the drafting process and enables users to handle matters quickly and efficiently.
Mergers & Acquisitions featuring Market Tracker® – An extensive database of M&A agreements and unique
data capabilities to provide legal professionals the ability to quickly and easily search SEC filings. Market Tracker
identifies “what’s market” by finding and comparing similar deals, giving you the ability to confidently draft documents
based on the latest deal information.
Securities & Capital Markets featuring Knowledge Mosaic – A comprehensive resource providing unique
insight on the topics, transactions and perspectives that are critical to securities practitioners. Knowledge Mosaic
brings together multifaceted securities, federal regulatory, disclosure and transaction information into one brilliant
resource. You will get fast access to a unique blend of information and resources, such as SEC EDGAR filings that are
updated in real time that you won’t find from any other single source.
Intellectual Property & Technology – A comprehensive resource that provides unique insight for the Intellectual
Property attorney. - including access to topical portions of Nimmer® on Copyright, Milgrim on Trade Secrets and
Gilson on Trademarks; some of the leading IP treatises on the market.
California Jurisdictional – A comprehensive resource that provides unique insight for California attorneys or
lawyers practicing in California. Unique insight for a California attorney’s specific needs.
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_37
37
Visit us at our booth or for more information contact:
Jeanne Briggs – Transactional Practice Specialist
810.772.9870 / jeanne.briggs@lexisnexis.com
#IHCC14
2014 ACC-SoCal In-House Counsel Conference
090701_38
38
11th Annual In-House Counsel Conference
January 22, 2014 (Los Angeles, CA)
www.acc.com/chapters/socal/
#IHCC14
39
000000_39