
Page 1: 4th Annual Cybersecurity Law Institute, Wednesday, May 25, 2016 · 2018-08-10

Georgetown Law Continuing Legal Education 4th Annual Cybersecurity Law Institute

Wednesday, May 25, 2016 3:55 PM-4:55 PM

TACKLING VENDOR RISK

Moderator: Dori Anne Kuchinsky, Assistant General Counsel, Privacy, AOL Inc.

Panel:

David C. Gryce, CIPP/US, Partner and Privacy Officer, Arent Fox LLP1

C.M. Tokë Vandervoort, CIPP/US, VP and Deputy General Counsel, Under Armour

Carmen B. Krueger, Senior Vice President & General Manager, Cloud Operations, SAP National Security Services

=====================================================================================

1. Introduction:

(a) 2015 was a year filled with data breaches. In fact, healthcare data breaches alone affected over 100 million people. As of April 12, 2016, 247 breaches have occurred exposing 11,270,651 records.2 One key takeaway is that companies that collect any personal data or other forms of protected data must be especially careful to secure such data and protect against data breaches. Cybersecurity is now a board-level issue, as data breaches can severely damage a company’s reputation and value, lead to significant liability for a company, or even result in its ultimate bankruptcy. The risks associated with data breaches are compounded when third parties have access to a company’s data and, in fact, a company’s third-party vendors are often the root cause of data breaches. Despite this, the PwC “2015 US State of Cybercrime Survey” found that 19% of CIOs are not concerned about supply-chain risks and that most companies do not have a process for assessing the security of third-party partners before they do business with them.3 These statistics are alarming, as vendor management has now become a critical component of any company’s data privacy and security protection and risk mitigation program.

(b) These materials are broken down into five primary sections – (1) Introduction; (2) statutory and regulatory requirements for managing vendors having access to a company’s data; (3) the particular obligations of lawyers, law firms, and other legal service providers to protect the security and privacy of a company’s data (including personal data); (4) some practical guidance on how to implement a comprehensive vendor management program (“VMP”); and (5) appendices that include a sample vendor due diligence questionnaire, a matrix of contractual provisions to include in vendor contracts, and a sample privacy and data security compliance certification form.

1 Special thanks to Charlyn Ho of Arent Fox LLP for her assistance with developing these materials.

2 Identity Theft Resource Center Data Breach Reports, 3 (2016), http://www.idtheftcenter.org/images/breach/DataBreachReports_2016.pdf.

3 Yelena Osin, Third Party Breaches Continue to Remain in the Media, Security Scorecard Insights & News (July 31, 2015), http://blog.securityscorecard.com/2015/07/31/third-party-security-vendor-risk-problem/.


(c) These materials do not cover international data privacy laws in any detail, though the appendices will include consideration of some common international jurisdictions.

2. Formal Pronouncements and Guidance for Vendor Oversight: Not only is it a good idea from a risk management and financial standpoint for a company to establish a VMP, it may also be legally required or at least highly recommended by regulators. Companies in the healthcare and financial industries in particular have been the subject of increased regulations.4 Below are a few examples of the legal requirements placed on companies to manage their vendors having access to protected information (as defined in the applicable statute or regulation):

(a) The Interagency Guidelines for Establishing Information Security Standards set forth information security standards pursuant to section 39(a) of the Federal Deposit Insurance Act (12 U.S.C. 1831p-1) and sections 501 and 505(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805(b)). The guidelines apply to any customer information that is maintained or disposed of by or on behalf of entities over which the Federal Deposit Insurance Corporation (“FDIC”) has jurisdiction, such as an "insured depository institution" or other institution insured by the FDIC (other than members of the Federal Reserve System), state savings associations insured by the FDIC, insured state branches of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers). Specifically, Section III.D. of the Guidelines states:

III.D. Oversee Service Provider Arrangements. You shall:

1. Exercise appropriate due diligence in selecting your service providers;

2. Require your service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and

3. Where indicated by your risk assessment, monitor your service providers to confirm that they have satisfied their obligations … As part of this monitoring, you should review audits, summaries of test results, or other equivalent evaluations of your service providers.5

4 Commentary on Privacy and Information Security: Principles and Guidelines for Lawyers, Law Firms, and Other Legal Service Providers, The Sedona Conference, 7 (2015).

5 Interagency Guidelines Establishing Information Security Standards, 12 CFR § 570, Appendix B (§§ I and III.D).

(b) In October 2013, the Office of the Comptroller of the Currency of the U.S. Department of the Treasury released a bulletin to provide guidance to national banks and federal savings associations (collectively referred to as “banks” below) on assessing and managing risks associated with their third-party relationships. The relevant portion of the bulletin states:

(i) A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships.

(ii) A bank should ensure comprehensive risk management and oversight of third-party relationships involving critical activities.

(1) An effective risk management process throughout the life cycle of the relationship includes

a. plans that outline the bank’s strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party.

b. proper due diligence in selecting a third party.

c. written contracts that outline the rights and responsibilities of all parties.

d. ongoing monitoring of the third party’s activities and performance.

e. contingency plans for terminating the relationship in an effective manner.

f. clear roles and responsibilities for overseeing and managing the relationship and risk management process.

g. documentation and reporting that facilitates oversight, accountability, monitoring, and risk management.

h. independent reviews that allow bank management to determine that the bank’s process aligns with its strategy and effectively manages risks.

(c) The Health Insurance Portability and Accountability Act (“HIPAA”) states, “A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances … that the business associate will appropriately safeguard the information...”6 Additionally, under HIPAA, a Business Associate (which may include lawyers, law firms and other legal service providers that perform work involving protected health information or work for a covered entity) is responsible for any downstream transmission of protected health information and is responsible for all of its subcontractors or vendors.7 The business associate’s responsibilities to the covered entity (e.g., a hospital system) must be expressed in a formal, written contract referred to as a “Business Associate Agreement.”

6 Health Insurance Portability and Accountability Act, 45 CFR § 164.308(a)(8)(b)(1) (1996).

(d) The National Association of Insurance Commissioners Standards for Safeguarding Customer Information Model Regulation (which has been adopted in 33 states and the District of Columbia) establishes standards for “developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality, and integrity of customer information” pursuant to the Gramm-Leach-Bliley Act. With respect to third-party service providers, the Regulation requires “licensees” to comply with the requirements below. “Licensees” are defined generally as all licensed insurers, producers and other persons licensed, authorized, or registered (or required to be licensed, authorized, or registered) under the insurance law of the various states, or any health maintenance organizations holding a certificate of authority pursuant to the applicable state’s Public Health Law.

Section 8. Oversee Service Provider Arrangements

The licensee:

A. Exercises appropriate due diligence in selecting its service providers; and

B. Requires its service providers to implement appropriate measures designed to meet the objectives of this regulation, and, where indicated by the licensee’s risk assessment, takes appropriate steps to confirm that its service providers have satisfied these obligations.

(e) The use of cloud computing has been increasing dramatically every day, necessitating the introduction in 2011 of a key risk management framework, the Federal Risk and Authorization Management Program (FedRAMP). It is primarily focused on providers to the federal government.

FedRAMP mandates compliance for all cloud services used by the federal government. Through a risk-based approach, FedRAMP standardizes the security requirements and the determination of impact levels for a system. It also created a Joint Authorization Board that brings together cross-government security experts to assess the authorization package. Finally, it establishes the Third-Party Auditor as a means of assessing the cloud service provider’s adherence to the controls. The output is a detailed overview of how one implements the controls (the system security plan), an outline of the deficiencies in that plan, the remediation steps, and an assessment of the risks in the system.

7 Sample Business Associate Agreement Provisions, HHS.gov (January 25, 2013), http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.


There are areas where the FedRAMP, or the NIST controls that FedRAMP builds upon, have moved outside of a federal agency’s consideration in the procurement of systems. Federal tax information (FTI) under the Internal Revenue Service safeguards program outlines requirements for systems that house FTI.

o For example, state and local agencies regularly receive and store FTI. This has necessitated a requirement establishing a security baseline under the NIST controls and potentially the requirement for the state to procure services only from a FedRAMP certified IaaS, PaaS, or SaaS provider.

o Consolidated data centers need to ensure they have the appropriate controls to ensure the physical and logical separation outlined under IRS Publication 1075.

Defense Federal Acquisition Regulation Supplement (DFARS) Section 252.204-7012 imposed expanded guidance and obligations on defense contractors and subcontractors with regard to the protection of unclassified Covered Defense Information (CDI) and the reporting of cyber incidents occurring on unclassified information systems that contain such information.

NIST 800-171 provides the security standards for the protection of Controlled Unclassified Information.

Key implications for vendor risk management in this area are:

o The flow down applies broadly to contractors supplying services directly or indirectly to the U.S. Department of Defense and other federal agencies.

o The referenced DFARS clause needs to flow down to all suppliers/subcontractors storing, processing, and/or generating CDI as part of contract performance.

o The DFARS clause invokes the requirement for the contractor to certify that it meets the NIST standards outlined for its internal systems. Contractors are directed to implement 800-171 standards “as soon as practical, but not later than December 31, 2017.” The interim rule has revised DFARS 252.204-7008(c)(1) to include a statement that an offeror “represents that it will implement” the 800-171 security requirements not later than December 31, 2017.

3. Specific Data Security and Privacy Obligations for Lawyers

Lawyers (which, for the purposes of this section, include all lawyers, law firms, and many others who provide legal services) now rely heavily on technology in the practice of law. Although the advances in technology have allowed lawyers to become more efficient and communicate seamlessly with clients across the globe, it has also brought with it risks that threaten the privacy and security of client information. As more and more law firms experience data breaches, clients have become sensitized to the risks posed by their lawyers as third-party vendors, because lawyers have access to significant and highly sensitive client data. In fact, various bar associations have issued opinions regarding attorneys’ ethical obligations with respect to the use of technology, generally referring to two overarching ethical responsibilities: the duty of competence (ABA Rule 1.1) and the duty of confidentiality (ABA Rule 1.6). Some bar associations have implicated additional ethical rules, including Rule 1.4 (communication with clients), Rule 1.15 (safekeeping of property), and Rule 5.3 (responsibilities regarding nonlawyer assistants). See Pa. Eth. Op. 2011-200, infra. Below are some of the relevant ethical obligations imposed on lawyers.

(a) American Bar Association (“ABA”) Model Rules

ABA Model Rule 1.1: A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.

Bar associations have interpreted this rule to require not only knowledge regarding the particular area of law at issue in the case, but also knowledge of the security issues involved in attorneys’ use of technology.

ABA Model Rule 1.6: A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation, or the disclosure is . . . reasonably . . . necessary . . . to secure legal advice about the lawyer’s compliance with these Rules . . . or to comply with other law or a court order.

Cmts. 16 & 17 to Rule 1.6: A lawyer must “act competently” to avoid inadvertent or unauthorized disclosures, either by the lawyer or by others participating in the representations. When transmitting information, a lawyer “must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.”

ABA Model Rule 1.18: (a) A person who consults with a lawyer about the possibility of forming a client-lawyer relationship with respect to a matter is a prospective client. (b) Even when no client-lawyer relationship ensues, a lawyer who has learned information from a prospective client shall not use or reveal that information…

Attorneys are generally held responsible for making reasonable efforts, including efforts to understand/address security risks, to ensure that client (and prospective client) data remain secure.

If self-education is not sufficient to render an attorney “competent,” then the attorney must retain experts who can handle security issues for the attorney.


(b) ABA Formal Opinion 11-459 (2011)

“A lawyer sending or receiving substantive communications with a client via e-mail or other electronic means ordinarily must warn the client about the risk of sending or receiving electronic communications using a computer or other device, or e-mail account, where there is a significant risk that a third party may gain access. [emphasis added].”

(c) Alabama Eth. Op. 2010-02 (2010):

A lawyer must exercise “reasonable care” in using “cloud computing.”

The lawyer must become knowledgeable about how the provider handles the storage and security of the data and must reasonably ensure that the provider abides by a confidentiality agreement in handling the data.

The lawyer has a continuing duty to stay abreast of appropriate security safeguards that should be employed by the lawyer and the third-party provider.

If there is a breach of confidentiality, the standard for judging the lawyer’s actions is whether he acted reasonably in selecting the method of storage and/or the provider.

When a lawyer discards electronic devices, he must take reasonable measures to ensure that confidential information has been erased.

(d) Arizona Eth. Op. 09-04 (2009):

A lawyer may provide clients with an online file storage and retrieval system that clients may access, provided the lawyer takes reasonable precautions to protect security and confidentiality and periodically reviews security measures as technology advances.

A lawyer who lacks competence in the field of online computer security must consult someone who does have this knowledge.

(e) California Proposed Formal Interim Opinion 11-0004

Attorneys must also stay reasonably informed about rapidly evolving technology, security threats, and legal developments in the field.

(f) Colorado Eth. Op. 119 (2008):

A lawyer who transmits electronic documents has a duty to use reasonable care to guard against the disclosure of metadata containing confidential information.


The duty to provide competent representation requires a lawyer to ensure that he is reasonably informed about the types of metadata that may be included in an electronic document and the steps that can be taken to remove metadata if necessary.

Within a law firm, a supervising lawyer must ensure that appropriate systems are in place so that the supervising lawyer, any subordinate lawyers, and any non-lawyer assistants are able to control the transmission of metadata.

(g) Florida Eth. Op. 07-2, 2008 WL 3556663:

A lawyer may engage an overseas provider for paralegal assistance, but confidentiality and competence issues must be afforded heightened security because of the less strenuous data-breach and identity-protection laws in foreign jurisdictions.

(h) Iowa Eth. Op. 11-01 (2011):

A lawyer may use “cloud computing” or “software as a service” (“SaaS”).

The attorney must have unfettered access to the data as needed and must perform due diligence regarding the degree of protection afforded to the data.

(i) Maine Eth. Op. 194 (2008):

A lawyer may use remote electronic storage services so long as he implements appropriate precautions to safeguard the client confidentiality.

The lawyer must take steps to ensure that the storage provider has a legally enforceable obligation to maintain the confidentiality of client data.

(j) Massachusetts Eth. Op. 2005-4 (2005):

A law firm may allow a software vendor to have remote Internet access to the firm's computer system so long as it makes “reasonable efforts” to ensure that the vendor's conduct complies with the firm’s obligations to clients.

“Reasonable efforts” may include: (a) notifying the vendor of the confidential nature of the stored information; (b) examining the vendor’s policies and procedures for handling confidential information; (c) obtaining the vendor’s written assurance that the firm’s computer system will be accessed only for technical support and only on an as-needed basis; (d) obtaining the vendor’s written assurance that the confidentiality of all client information will be preserved by the vendor and its employees; and (e) formulating additional procedures to protect any particularly sensitive confidential client information.


(k) Nevada Eth. Op. 33 (2006):

A lawyer may store electronic client files on a remote server maintained by an outside company if security is adequately safeguarded.

(l) New Jersey Eth. Op. 701, 2006 WL 1916396 (2006):

A lawyer must exercise “reasonable care” against the possibility of unauthorized access.

When confidential information is entrusted to a third party, (a) there must be an enforceable obligation to preserve confidentiality/security and (b) the provider must use available technology to guard against reasonably foreseeable attempts to infiltrate data.

Documents transmitted electronically must be password-protected because it is not possible to secure the Internet against third-party access.

(m) North Carolina Eth. Op. 2011-7 (2012):

Lawyers may conduct financial transactions over the Internet, “…provided the lawyers use reasonable care to minimize the risk of loss or theft of client property specifically including the regular education of the firm’s managing lawyers on the ever changing security risks of online banking and the active maintenance of end-user security. [emphasis added]”

The lawyer must “protect against security weaknesses…particularly ‘end-user’ vulnerabilities found in the lawyer’s own law office.” This effort must be active, including strong password policies and procedures, the use of encryption and security software, and “…the hiring of an information technology consultant to advise the lawyer or firm employees; and …insur[ing] that all staff members … receive training on and abide by security measures adopted by the firm.”

(n) North Carolina Proposed Eth. Op. 2011-6 (2011):

A lawyer who uses “cloud computing” must adhere to a “reasonable care” standard, meaning that due diligence and frequent, regular education are required.

There are no specific requirements because mandatory security measures would create a false sense of security in an environment where the risks are continually changing.

The extent of the lawyer’s obligation depends on the experience, stability, and reputation of the vendor.


(o) Pa. Eth. Op. 2011-200 (2011):

Lawyers may use “cloud computing” to warehouse confidential client information offsite, and e-mail to transmit sensitive data, so long as they take reasonable precautions to ensure that the security of the information will not be compromised.

If the information is being stored overseas, the lawyer must ensure that the data is protected by privacy laws that reasonably mirror those of the United States, and that the vendor conforms to the same rules that govern the lawyer.

When storing, transmitting, and accessing client information on computer equipment owned and maintained by others, lawyers generally should implement internal mechanisms to: (i) back up data; (ii) install firewalls; (iii) limit access by unauthorized parties; (iv) avoid inadvertent disclosure of information; (v) encrypt confidential data; (vi) implement electronic audit trail procedures; (vii) craft plans to address security breaches; and (viii) have alternate ways to connect to the Internet.

(p) Vermont Eth. Op. 2003-03 (2003):

Lawyers must clearly communicate confidentiality rules to outside contractors who have access to confidential information and must ensure that contractors institute adequate safeguards to preserve and protect confidential information.

If a significant breach of confidentiality should occur by an outside contractor, a law firm is obligated to disclose the breach to affected clients.

4. Guidance on Establishing an Effective Vendor Management Program (VMP)

Managing cybersecurity and privacy risks is hard enough when dealing with the company’s own data practices, but adding third parties to the “mix” only compounds the complexity of maintaining information security. Vendors can put the company at risk for a data security breach in several key ways:

Vendor has poor data governance practices;

Vendor has weak security practices and does not properly or sufficiently educate its workforce on data privacy and security issues;

Vendor is not in good financial health;

Vendor is located in a country or jurisdiction that does not have privacy and security regulations as stringent as those in the United States;

Vendor does not manage its subcontractors well; and

Vendor lacks leadership in managing security and privacy risks.


Despite these risks, few companies are capable of performing or find it efficient to perform all functions utilizing only their own internal resources. This situation causes most companies to outsource at least some of their business functions, which then necessitates the use of vendors and the implementation of a VMP. Below is a checklist of some important steps the company can take to develop an effective VMP:

(a) Establishing Policies and Procedures: Once the company has decided that it needs to develop and implement a VMP, the company may begin the process by determining which departments are critical to the function involved and coordinate with those departments, typically including legal, information technology, human resources, marketing, customer service, and records. The goal is to develop a team that can develop the policies and procedures necessary to address information security holistically, rather than in silos. It is also a good idea to appoint a single individual to lead the coordination effort and report to senior management, such as a Chief Privacy Officer. Whoever is tasked with this responsibility needs not only the responsibility, but the authority, to accomplish the important task of protecting the critical data that may be shared with the company’s vendors. The company should then consider establishing procedures for how vendors are selected, vetted, and ultimately approved as a fundamental step in managing vendors for information security. As companies have multiple departments requiring vendors to have contact with numerous stakeholders at the company, it is also important to understand how each vendor may come into the system or network. The company can then coordinate internally among the affected departments to ensure the company as a whole manages vendor risk consistently.8

(b) Risk Assessments: Once the company has established the governing policies and procedures of the VMP, the company then needs to consider how to implement both a security risk assessment to evaluate each vendor’s data security practices and a privacy impact assessment (“PIA”) to evaluate each vendor’s privacy practices (collectively, the “Risk Assessments”). Without conducting Risk Assessments, the company would not be able to appreciate the nature and extent of risks posed by the vendor or protect against those risks. The company should repeat this step for each vendor and each product or service purchased.

Below is a summary of the steps the company may want to take into consideration as part of its Risk Assessments:

(i) Step 1. Perform due diligence on the vendor and the product/service being purchased. There is no one right way to conduct due diligence. Many companies use a questionnaire to get answers from a vendor regarding its data privacy and security practices. Appendix I includes a sample Vendor Data Privacy Due Diligence Questionnaire.

8 K Royal, Third-Party Vendor Management Means Managing Your Own Risk: Chapter Two, International Association of Privacy Professionals (September 23, 2014), https://iapp.org/news/a/third-party-vendor-management-means-managing-your-own-risk-chapter-two/.

(ii) Step 2. Describe the information lifecycle by identifying what information will be collected, from whom, why it will be collected, how it will be used, where and how long it will be stored, where and how it will be transferred, and when and how it will be destroyed. Creating data maps is a useful way to answer these questions and visually display the analysis performed in this step. Then, one can look into who will touch the information. Here is a simple array of questions to consider with respect to each vendor and each product or service sourced from the vendor:

Who will have access to the company’s data?

Who is creating, acquiring, storing, accessing, and processing the company’s data?

Of course, this assumes the company has a clear understanding of the data it processes.

(iii) Step 3. Classify the information collected by the vendor based on the level of sensitivity and risk to the company and its customers, patients, and employees. The lower sensitivity and risk categories of information may require less stringent privacy and security protections. Price and risk are not the same. Often, free services present substantial risks from a privacy and security point of view.

(iv) Step 4. Identify the privacy, security, and other risks to the various categories of data based on the assessments performed in Steps 2 and 3. This includes identifying the laws, regulations, and other rules that apply to the various categories of company data.9

9 Privacy Impact Assessment, International Association of Privacy Professionals, https://iapp.org/resources/topics/privacy-impact-assessment-2/.

(c) Developing and Implementing Actionable Solutions to Address Risks: After conducting the Risk Assessments, the company is then in a position to identify and evaluate solutions to address or mitigate the risks identified. These solutions can be technical (e.g., using alternative methods for collecting, storing, processing, transferring, or otherwise handling the company’s data), administrative (e.g., developing policies and procedures to reduce risk by limiting who can access the company’s sensitive data), physical (e.g., key fobs, identification badges, and monitoring equipment), or contractual (e.g., obligating vendors to maintain a certain standard of data security and privacy protections). To this end, the company would be well served by developing a formal, documented process by which vendor contracts are drafted, reviewed, negotiated, and executed. The cloud poses particular data security and privacy risks. As noted above, with cloud computing becoming more ubiquitous, companies need to be particularly careful when contracting with cloud vendors to make sure that security is adequate and that transfers of data across jurisdictional boundaries do not inject additional layers of risk. Appendix II provides guidance on key contract provisions in vendor contracts, including certain provisions that are particularly applicable in a cloud context.

(d) Ongoing Monitoring of Vendors: Even after a vendor is approved, the company will need to have procedures for performing ongoing assessments and monitoring of the vendor to ensure continued compliance with the company’s requirements and policies. The level of monitoring and ongoing due diligence required will depend upon the risk profile of the vendor and the information collected by the vendor. Ensuring that a vendor properly and securely disposes of any data that the vendor has collected in connection with providing services or products is just as important as the security provided for data when it is collected and stored. Appendix III provides a sample Privacy and Data Security Compliance Certification form that can be used to require a vendor to certify compliance with its privacy and security obligations.

(e) Data Breaches: If a data breach occurs, the company must be prepared in advance and not be caught off guard. Responding to a security event is an organic, fast-moving, and highly fluid process. The company should expect each involved vendor to be transparent and collaborative in addressing any data breach. A comprehensive review of how to respond to a data breach is beyond the scope of these materials. Below are a few factors to consider in developing the vendor-specific portion of a data breach response plan.

(i) Notice and Good Communication is Key:

(1) How will you know a vendor has experienced a breach? How will you know if the company’s data has been affected? What is the trigger for when a vendor is required to notify the company of the data breach?

(2) The vendor and the company may each have legal and regulatory obligations to notify data subjects affected by the data breach. Forty-seven U.S. states and the District of Columbia have some form of breach notification law.10 These statutes often provide an exception for encrypted information, so long as the encryption key has not also been compromised. The exception generally requires that the encryption actually render the data unreadable or unusable to the unauthorized party, so the company should confirm how the vendor encrypts data and manages keys rather than assume the exception applies.

(3) The vendor should be expected to engage in ongoing dialog – within the ordinary course of the relationship, but certainly during and after any data breach – with the company.

(4) Is there insurance coverage? Is the company in a position to assess what policies may be implicated, who needs to provide notice of a breach to each insurer, and when the notice should be delivered to ensure maximum coverage?

10 Only Alabama, New Mexico, and South Dakota have no laws relating to security breach notification.

(ii) Coordinated Response. Responding to the data breach in a coordinated and organized fashion is crucial. It is important to have a single voice leading the effort, but the company must make sure the single voice is supported by a broad cross-section of internal and external stakeholders of the company. If there is insurance coverage involved, it is critically important that the response and its leadership are in close coordination with the insurer.

(1) Who in the company’s organization and the vendor’s organization is in the lead?

(2) The data breach response team should include, among others, members from executive management, legal (both in-house and external counsel), information technology, information security, risk management, public relations, breach response specialists, and computer forensics.11

(iii) Investigation. The vendor should promptly provide the company with all relevant details in the event of an actual or reasonably suspected breach of the company’s data. Both need to agree - ideally in advance in the vendor contract, but certainly as the investigation progresses - how the investigation will be conducted and how much is enough. Questions the vendor may be expected to answer are:

(1) What happened? Was the breach internal or external? Was it caused by a negligent or malicious employee, or by an outside attacker? Was it unintentional or intentional?

(2) What is the vendor doing in response to the data breach? What is the company doing in response to the data breach?

(3) Is the vendor or the company offering support for affected data subjects, such as credit monitoring, identity theft services, or a hotline to answer questions? It is best that these details are clearly spelled out in the vendor contract.

(iv) Mitigation. Both the vendor and the company need to take immediate steps to mitigate the effect of the data breach on all parties, including the vendor, the company, and the affected data subjects. Hiring external legal counsel and involving them in the data breach investigation and mitigation process from the beginning can give the company a high level of confidence in attorney-client privilege and work-product protections. Working with in-house counsel alone may provide a lesser degree of protection, as there are greater limits on the protection afforded to attorney-client communications between in-house counsel and the company’s employees.12

11 Advisen Transforming Insurance & ID Experts, Mitigating the Inevitable: How Organizations Manage Data Breach Exposures, 7 (2016).

(v) Lessons Learned. Learning from a data breach experience is an important element in the prevention of similar events in the future. In fact, the company may contractually require each vendor to conduct a thorough review after a data breach to evaluate what can be done better in the future and implement those process improvements at no additional cost to the company.

Some final thoughts. When looking at the acquisition of systems or services, consider establishing:

Data spillage roles and responsibilities,

Cyber incident roles and responsibilities,

Data ownership,

Continued adherence to required standards,

Citizenship requirements for physical and/or logical access to the environment,

Data sovereignty requirements, including whether the support function for the service is housed outside of the United States,

Required evidence of adherence to the regulatory or policy requirements for security (e.g., PCI certification),

The extent to which the information or service involves an encryption requirement:
o Is data at rest required to be encrypted?
o Is data in transit required to be encrypted?

The extent to which supply chain risk management requirements are leveraged in the delivery of the good or service.

In the end, vendor risk management is a complicated, necessary, ongoing, and (of course) resource-constrained effort. That said, data security and privacy concerns are not the sole issues involved in vendor selection and management. Indeed, there are many additional facets to selection and management of vendors. However, today, data security and privacy have become critical considerations in the selection, retention, and termination of vendors, including legal and accounting professional service firms.

12 Leslie Thorne & Laurel Brewer, How to Preserve Privilege During Data Breach Investigations, American Bar Association (March 11, 2015), http://apps.americanbar.org/litigation/committees/businesstorts/articles/winter2015-0315-preserving-privilege-during-data-breach-investigations.html (stating that in Upjohn Co. v. United States, 449 U.S. 383 (1981), the Court held that communications between in-house counsel and employees are protected when (1) the communications are made “at the direction of corporate superiors in order to secure legal advice from counsel”; (2) the information is “not available from upper-echelon management”; (3) “the communications concern[] matters within the scope of the employees’ corporate duties”; and (4) “the employees themselves [a]re sufficiently aware that they [a]re being questioned in order that the corporation could obtain legal advice.”).

Appendix I. Sample Vendor Data Privacy Due Diligence Questionnaire

In order to evaluate a vendor’s data privacy and security practices, the company should conduct a thorough review and assessment of the vendor. One way to gather information is by requiring the vendor to respond to a due diligence questionnaire such as the one below and to update the questionnaire on at least an annual basis or whenever there are material changes to the way that the vendor handles Company Data, as defined below. Note that the company should incorporate the vendor’s responses to the questionnaire into the vendor contract by reference, thereby making the vendor’s responses, as may be updated by the vendor, a contractual obligation of the vendor.

Questionnaire [Company name] is committed to protecting the data of our employees, customers, business partners and other persons (“Company Data”), particularly when that data is shared with third party vendors. Company Data includes personal data of our employees, customers, business partners and other persons. To enable the company to evaluate your privacy practices and procedures, please respond fully to the following questions.

1. Vendor Business and Server Location. Please provide the location of the business office that will be processing Company Data; if more than one office is involved please describe. If any Company Data is to be stored on a server not located in the business office processing such data, please indicate the location of such server(s). If any non-vendor owned servers/cloud services are to be used, please describe all such servers/services.

2. EU Data Transfer Mechanism. If you are located in the United States or another non-EU location, please indicate how you handle the transfer of personal data from the EU, if applicable. Please address whether you typically execute model clauses to cover transfers of personal information and, if not, how you handle such transfers. Although the Safe Harbor has been invalidated, if you have been Safe Harbor certified in the past, please indicate this as well.

3. Compliance with EU Data Privacy Laws and other data protection laws. If applicable, please describe how you comply with the EU General Data Protection Regulation or other country-specific data protection laws, and what policies and procedures you have in place to ensure such compliance. Please provide copies of your privacy and security policies, standards, and guidelines.

4. Data Access and Segregation. Please describe who will have access to Company Data. To the extent that data belonging to other clients will reside on the same server as Company Data, please describe how Company Data will be segregated and secured.

5. Privacy and Data Security Audit. Do you perform data privacy/security audits at regular intervals? If so, please describe what types of audits you conduct. Do you allow customers to audit your privacy and data security procedures? Are you SSAE 16 compliant? If so, please provide your latest SSAE 16 audit report. (Note that SSAE 16 governs SOC 1 reports on controls relevant to financial reporting; for evidence about security controls, also request the vendor’s SOC 2 report.)

6. Data Security. Please describe your security practices and how you ensure the security and confidentiality of Company Data provided to you and protect such information against unauthorized access or use. Do you encrypt Company Data and, if so, at what times and under what circumstances? Do you decrypt Company Data and, if so, at what times and under what circumstances?

7. Data Breach. Have you ever experienced a data breach involving Company Data? If so, please detail the circumstances of the breach, its resolution, and how the conditions which allowed the breach to occur have been remedied.

8. Company Data Back-up/Disaster Recovery. Please state whether you back up Company Data and how/when/where that back-up is performed. Is any data backed up at a location other than one previously described in response to question 1? If so, please describe. Do you have a disaster recovery plan? If so, how often do you test it? Please provide a copy.

9. Sharing of Company Data. Do you share Company Data with any third parties? If so, please describe the circumstances under which such data may be shared.

10. Supporting Documentation. Please provide the supporting documentation listed below. For each item, provide a link or attachment, or indicate whether it may be viewed onsite only.

1 General

1.1 Results of your most recent Disaster Recovery/Business Continuity test

1.2 ISO status

2 Risk Management

2.1 Risk Assessment Program

2.2 Evidence related to risk and control assessment

3 Security Policy

3.1

Copies of Policies, Procedures, Standards and plans for security and control of data

3.2 Organizational Security

3.3 Asset Management

3.4 Physical and Environmental Security

3.5 Communications & Connectivity

3.6 Change Control

3.7 Disaster Recovery and Business Continuity

3.8 Incident Response

3.9 Vulnerability Monitoring & Maintenance

3.10 Information Classification

3.11 Data-Handling

3.12 Internet/Intranet Access and Use

3.13 Information security policy exception approval process


3.14 Logical Access provisioning, including Leave/Transfer Handling

3.15 Encryption

4 Organization Security

4.1 General Employment Contract

4.2 Sample training material

4.3 Sample employee background checks

4.4 Role based access protocols

5 Asset Management

5.1 Evidence of Identifying Unsupported Hardware/Software

5.2 Personal Asset Policy (BYOD policy)

6 Physical and Environmental Security

6.1 Facility & Secure Space Access controls

6.2 CCTV footage retention

6.3 Physical access log retention

6.4 Clear desk, clean screen policy

6.5 Operational controls (e.g., email, USB, smartphones, etc. in secure space)

7 Communication and Connectivity

7.1 Network and Dataflow Diagram

7.2 Firewall Administration

8 Change Control

8.1 Master Change Log

8.2 Emergency Change Procedure

8.3 Company contact information for communication of changes

9 Operations

9.1 Operations Manuals/Procedures

9.2 Contract document between parties

10 Logical Access Control

10.1 User access review report

10.2 Password Policy

10.3 List of Administrators/Privileged User Accounts

10.4 Evidence that stored passwords are protected (hashed or encrypted)

11 Encryption

11.1 Encryption for mobile devices

11.2 Encryption for removable storage devices

12 Incident Response Plan


12.1 Escalation process related to Client/Company incidents

12.2 Last IR plan test/tabletop

13 BC & DR Plans

13.1 Call tree list

13.2 Last test of plan(s)

14 Standard Builds

14.1 Security configuration standards for networks, O/S, applications and desktops

14.2 Procedure for authorizing and tracking administrator passwords

14.3 Patch procedure

14.4 Security baseline for all OS

14.5 Evidence of controlling read/writeable devices at desktop

15 Vulnerability Monitoring

15.1 Penetration/vulnerability testing performed on external/internal network or specific hosts

15.2 Evidence of Intrusion Detection Tools used and procedures for investigation of violations

15.3 Evidence pertaining to log enablement and log reviews

16 Privacy

16.1 Privacy impact assessment process

16.2 Privacy breach identification

16.3 Company impacting incident notification procedure

16.4 Segregation, Segmentation, Return/Destruction of data

17 Other Business Practices

17.1 Policies for granting subcontractor access

17.2 Key Vendor privacy and security executive(s) and staff


Appendix II. Important Data-Related Provisions to Include in the Vendor Contract

Below are some sample provisions and practice tips relating to contracts with vendors that handle company data. The contract language provided in this Appendix is provided for illustrative purposes only and may not be appropriate for use in an actual contract.

Term: Considerations for Vendor Contract

Definitions Make sure the definitions in the vendor contract are precisely drafted. In particular, it is important to ensure that the definitions of Company Data, Personal Data, Confidential Information, and Data Breach are included and sufficiently protective of the company.

Note that from the company’s perspective, it is often helpful to include Personal Data as a subset of Company Data and Company Data as a subset of Confidential Information. Vendor, however, may want to separate Company Data from Confidential Information because it may want to distinguish its obligations with respect to Company Data and Confidential Information.

The definition of “Data Breach” should include actual disclosure, loss or unauthorized access of Company Data caused by the vendor and any disclosure of, access to, use of or processing of any Company Data in violation of any applicable law.

The definition of “Vendor” should expressly include all of its employees, contractors, agents, and affiliates that are performing any of Vendor’s obligations under the vendor contract (this then eliminates the need to say “Vendor and its employees, contractors and agents” repeatedly throughout the contract).

Background Checks and Training

Vendor shall properly screen and conduct background checks on employees and will not permit those with negative screenings or background checks to have access to any Company Data.

Vendor will ensure all its personnel are properly trained on Vendor’s data privacy and security obligations.

Vendor is responsible for ensuring that its personnel follow the data privacy and security provisions agreed to between Company and the Vendor.

Third Parties to whom Vendor provides Company Data

Vendor is responsible for ensuring that third parties to which Vendor supplies Company Data will follow the security and data protection provisions agreed to between Company and the Vendor.

Vendor is liable for breach by its third parties resulting in unauthorized use, disclosure or access of Company Data.

Vendor must require its third parties to notify Vendor of any such breach, and Vendor must in turn notify Company in accordance with the timing set forth in the Vendor contract (if any) and, at a minimum, as required by applicable data breach notification laws.

Company’s Access to Company Data

Company shall have access to its Company Data at all times and Vendor shall reasonably cooperate and assist Company to access its Company Data at all times at no additional cost to Company.

Use

Vendor agrees to properly use the Company Data pursuant to Company’s direction and only in order to perform the contracted services.

Vendor agrees not to sell, rent, lease or otherwise use any Company Data unless expressly permitted by the contract.

Vendor shall not have the right to aggregate Company Data with other data to perform benchmarking, analytics or data-mining unless expressly authorized by Company in writing.

Compliance with Laws

Each Party is responsible for compliance with privacy and data protection laws.

Vendor shall cooperate in good faith with Company to provide Company with any information or assistance necessary for Company to comply with its own privacy and data protection obligations.

Audits of systems and processes

Upon reasonable advance notice, each year during the term of the contract, Company (or its designee) may audit Vendor’s security processes for handling Company Data at Company’s expense. Vendor shall implement any changes reasonably requested by Company in Vendor’s data privacy and security processes as a result of any negative findings revealed by such audits.

Each year during the term of the contract, Vendor shall deliver a copy of its SSAE 16 report or other applicable audit report at no cost to Company. The audit report should cover not only all data centers that Vendor owns but also any third party data centers that process or have any access to Company Data. (Because SSAE 16 governs SOC 1 reports on financial reporting controls, Company should specify a SOC 2 report where it wants independent evidence about security controls.)

Protection of Data

Vendor agrees to process Company Data as directed by Company and in accordance with law.

Vendor will not disclose Company Data except as instructed by Company or required by law. If Vendor is required to disclose any Company Data by law or by any government authority, Vendor will promptly notify Company, if allowed by law, to allow Company to attempt to restrict disclosure.

Vendor will implement appropriate measures to protect Company Data at least as strict as those it uses to protect its own data of similar sensitivity. Vendor shall continuously test and monitor its compliance with such measures.

Vendor agrees Company Data will only be transmitted in encrypted format and will not store Company Data on a portable device unless the data or device is encrypted. Vendor will only decrypt Company Data if agreed to in advance by Company.

If Vendor replaces or disposes of any device or hardware which stored any Company Data, Vendor will ensure that such device or hardware is digitally sanitized or physically destroyed such that no Company Data is recoverable. Vendor shall provide Company with a chain of custody report to demonstrate compliance with this provision.

Retention/ Destruction

Vendor will return (or destroy, at Company’s option) all Company Data on Company’s request or upon the termination or expiration of the contract, in accordance with law. Company Data should be destroyed in such a way that it cannot be recreated by any person or entity.

If Company is purchasing cloud services from Vendor, Company may wish to negotiate a wind-down period after the termination or expiration of the contract, during which Vendor provides Company all of its Company Data in a mutually agreed format and assists Company to transition its Company Data off of Vendor’s cloud onto a new platform.

Data Breach (Generally)

In the event of a Data Breach, Vendor should promptly notify Company, investigate the Data Breach and reasonably cooperate with Company to minimize the impact of the Data Breach on any Company Data. Vendor shall regenerate or restore any Company Data (whether Personal Data or not) that is damaged or lost due to the Data Breach.

Indemnification Relating to Data Breach

Vendor shall indemnify, defend and hold Company harmless from and against all third party claims arising from or relating to loss of or unauthorized access, use or disclosure of Company Data caused by Vendor (which includes its employees, contractors and agents).

Without limiting Vendor’s indemnification obligations, Vendor will pay all legally required fines and penalties imposed on Company, and pay for all costs relating to notifying affected individuals, providing credit monitoring and call center services to answer questions of affected individuals, and any other costs incurred by Company as a result of the Data Breach.

Note that Company should try to exclude Vendor’s indemnification obligations, as well as any of the costs and expenses mentioned in the previous bullet, from the cap on direct damages as well as from the exclusion of indirect damages. Vendor may push back on this, as it is a significant risk exposure for them. A proposed compromise is to agree to a “super cap” that is higher than the ordinary cap but lower than unlimited damages.

Limitation of Liability

Notwithstanding any other provision of this Agreement, neither Party will be liable to the other Party or any other person or entity for any punitive, indirect, incidental, special, or exemplary damages of any kind incurred by such other Party in connection with this Agreement, even if advised of the possibility thereof. THE LIMITATION OF LIABILITY IN THIS SECTION SHALL NOT APPLY: (1) WITH RESPECT TO VENDOR, TO VENDOR’S INDEMNIFICATION OBLIGATIONS HEREUNDER; OR (2) TO DAMAGES INCURRED BY COMPANY CAUSED BY VENDOR’S BREACH OF ITS DATA SECURITY AND PRIVACY OBLIGATIONS IN THIS AGREEMENT THAT RESULT IN AN UNAUTHORIZED DISCLOSURE OF COMPANY DATA.

Data Transfers

If Vendor will handle, store, transmit, or otherwise process Personal Data of individuals in the EU and transfer that data to the US, Vendor must abide by all applicable data transfer laws and regulations. If requested by Company, Vendor shall execute the appropriate set of Standard Contractual Clauses for the transfer of Personal Information to third countries under the General Data Protection Regulation.

Insurance

Company should include in the contract the minimum amounts of insurance that Vendor is required to carry. Company may consider requiring Vendor to carry cyber liability insurance.

Health Information

If Vendor will handle US protected health information subject to HIPAA/HITECH on behalf of Company (making Vendor a “Business Associate” of Company, or a subcontractor of a Business Associate), Company will need to enter into a Business Associate Agreement with Vendor.

If Company is using Vendor to provide services to its clients, Company should flow down the BAA that Company entered into with its client.

Client Terms

If Company is using Vendor to provide services to Company’s clients, Company needs to flow down the applicable terms of Company’s client contract to Vendor.

Page 24: 4th Annual Cybersecurity Law Institute Wednesday, May 25, 2016 … · 2018-08-10 · Error! Unknown document property name. (c) These materials do not cover international data privacy

Error! Unknown document property name.

Appendix III. Sample Privacy and Data Security Compliance Certification

In addition to the Vendor Data Privacy Due Diligence Questionnaire, another way for a company to perform ongoing due diligence on a vendor’s data privacy and security processes is by requiring the vendor to certify annually that it has met and will continue to meet the relevant data privacy and security obligations in the vendor contract.

*Completed certificates must be signed by Vendor’s designated executive for security and/or breach response and provided to Company [e.g., IA, Vendor Management, Security] at _________ by [e.g., fixed date/agreement anniversary] annually.

Initial the space(s) below as applicable:

___ Vendor has identified an individual responsible for Data Breach response. Vendor Contact Name and Title: ________________________________________________________

___ Vendor’s access, use, collection, maintenance and disclosure of any Company Data has been limited to purposes strictly related to Vendor’s performance under the Agreement or as otherwise required by law.

___ Vendor has not modified any Company Data, or merged or co-mingled it with other Vendor data or data of other Vendor customers, except as expressly authorized in the Agreement for the sole and limited purpose of providing Services to Company.

___ Vendor has not commercially exploited the Company Data outside the scope of the Services being provided by Vendor under the Agreement.

___ Vendor has not disclosed Company Data to any third party (not otherwise required by law).

If such disclosure has been made, confirm Vendor notified Company. ___ Vendor has not experienced a Data Breach that Vendor knows, or reasonably should know, has resulted in or may result in unauthorized access, use or disclosure of Company Data nor experienced any other event that may in any manner adversely affect the integrity, security or confidentiality of such data. ___ Vendor maintains:

physical security policies and practices

staff security policies and practices o employee screening and disciplinary processes o employee awareness training to address Company Data o subcontractor flow down requirements

business continuity and disaster recovery plans o indicate when last tested ______

a breach response plan o indicate when last tested ______

cyber and data breach insurance


___ Vendor’s information systems security policies include:

  o strong authentication and password protocols necessary for its authorized personnel to gain any access to Company Data;
  o an access control list of its authorized personnel;
  o contemporaneous records of each log-on event by such personnel, including name/log-on id, date, log in/log out time or duration, and all activity during each log-on session;
  o real time logs of all access to and traffic activity accomplished or effected by its systems or personnel related to Company Data.

___ To complete this certification, Vendor uses/used (select all that apply):

a third party assessment tool to assess its compliance with these requirements
  o If so, please identify the tool _____________________________

independent auditors to assess its compliance with these requirements
  o If so, please provide a summary of the auditor’s report

self-assessment

By signing below, the undersigned, on behalf of VENDOR, hereby ACKNOWLEDGES AND CERTIFIES that the above statements are true and accurate as of the date set forth below and, in the case of subsequent certifications, since at least the date of Vendor’s last certification. Any element which is not certified above shall be immediately disclosed by Vendor in accordance with the Agreement.

Signature:

Printed Name:

Title:

Date: