TRANSCRIPT
© Copyright 2011, Vorys, Sater, Seymour and Pease LLP. All Rights Reserved. Higher standards make better lawyers.®
CISO Executive Network Executive Breakfast Roundtable
June 29, 2011
The Cloud and The Law
If something goes wrong:
• What performance standard was met or not met?
o Was that clearly referenced in the contract?
o How clearly can we demonstrate the miss?
• How do we know that something went wrong?
o Do the contract specifications conform to real world expectations?
o Will the provider notify us in the event of a breach? When?
o How much control do we have in crafting the response?
Where is my Data?
› For a lawyer, one of the most important facts but also can be difficult to fully grasp.
› Essential to understanding which party has control of the data and can be held responsible for:
• Securing physical access to the data
• Securing electronic access to the data
• Encrypting the data (if required)
• Monitoring for unauthorized access
What Data? What Jurisdiction?
Federal: Multiple sector-specific privacy laws:
› Education records – FERPA
› Medical records – HIPAA, the HITECH Act
› Financial data – Gramm-Leach-Bliley (“GLBA”)
› Disclosure to law enforcement – USA Patriot Act
› Electronic communications – ECPA
› E-Discovery/Litigation Holds – Federal and State Rules of Civil Procedure
State:
› Data-breach statutes, SSN laws, health privacy, financial privacy and the like.
International:
› Personal data within the EU – The European Union Data Protection Directive;
› Data laws of non-EU states (e.g. Australia, Canada and now Mexico)
Contract:
› Payment Card Industry Data Security Standard (PCI DSS) and any other contractual privacy provisions.
Is My Data Secure?
› What security measures does the provider have in place?
• Is the data segregated from other parties’? If so, how?
› Are the security measures documented?
› Do we have the right (and ability) to conduct security assessments?
› What monitoring do we do of the provider’s security practices?
› What are our rights in the event of a data breach? Can we bring in our forensic company?
Is a Password Required?
Is a Password Enough?
Is My Data Available?
› Service Level Agreements
• Uptime/Downtime definitions
• 24x7 or 8x5?
• Measurement/metrics – who provides them?
• Measurement periods – short enough?
• Remedies: meaningful and incentivizing
› Practical Redundancies
• Data sources
• Power supplies
• Communication links
Do you know who your neighbors are?
And, It Wasn’t the First Time . . .
Any Subcontractors?
› Is the provider hiring a third party which will have access to our data?
› What subcontractors will have access to which data?
› What written confidentiality and privacy obligations do they have?
› What security assessments have been done on the subcontractors’ practices?
Data Ownership and Use
› Does the contract provide that the data is “owned” by the customer?
• Typically, state breach-notification laws obligate the provider to notify only the “owner” of the data, so the customer will have to take care of the remaining notifications.
› Does the contract provide that the data cannot be used except in the performance of the services?
Data Retention and Access
› What are the provider’s data search, retention and destruction practices?
› Can the provider implement a “legal hold” on request (because of actual or potential litigation)?
› Are sufficient processes and controls in place for necessary authentication of data?
Notice Required?
› Does the agreement mandate that the provider give notice within a specific (and short) time in the event of:
• Any subpoena or other legal process seeking access to the data?
• Any security event or unauthorized access?
› Is the provider obligated to provide assistance and support if such an event occurs?
Insurance vs. Contracts
› Insurance promise: If a covered event happens and you suffer a covered loss, we will pay according to policy limits.
› Contract promise: If I have failed to do what I said I would do and you suffer a loss as a result, I will pay you for the types of losses that I have agreed to pay, up to the limits in my contract.
Indemnification; Limits of Liability
› Typically, these are the most contentious contract provisions.
› The provider wants to exclude liability for certain kinds of damages and to put a cap on the rest.
› Consider the types of damages that are most likely to be incurred and do not allow them to be excluded.
› Do not allow a cap that is lower than the likely loss. Even better to have a cap at a multiple of the likely loss. The best is no cap.
› Consider excluding from caps or limitations damages from:
• willful misconduct,
• breach of confidentiality or privacy,
• bodily injury (if any work is to be done on site),
• property damage and
• infringement claims.
A Key Question:
› What happens to our data when the contract terminates?
• Is it destroyed?
• Returned?
• Do we get machine-readable copies?
• If so, in what formats?
• Will they provide transition assistance at a reasonable cost?