
Page 1

Integrating Information Security Protections in Supplier Agreements: Guidance for Business and Technology Counsel

Evaluating Data Security Risks During Due Diligence, Negotiating Contractual Protections, Monitoring Supplier Performance

Today’s faculty features:

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.

WEDNESDAY, JANUARY 16, 2019

Presenting a live 90-minute webinar with interactive Q&A

Matthew A. Karlyn, Partner, Foley & Lardner, Boston

Page 2

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.

If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-871-8924 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

FOR LIVE EVENT ONLY

Page 3

Continuing Education Credits

In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar.

A link to the Attendance Affirmation/Evaluation will be in the thank you email that you will receive immediately following the program.

For additional information about continuing education, call us at 1-800-926-7926 ext. 2.

FOR LIVE EVENT ONLY

Page 4

Program Materials

If you have not printed the conference materials for this program, please complete the following steps:

• Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.

• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.

• Double click on the PDF and a separate page will open.

• Print the slides by clicking on the printer icon.

FOR LIVE EVENT ONLY

Page 5

©2015 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar outcome • Models used are not clients but may be representative of clients • 321 N. Clark Street, Suite 2800, Chicago, IL 60654 • 312.832.4500

Integrating Information Security Into the Supplier Contracting Process

Matt Karlyn | Partner | Foley & Lardner

[email protected] | (617) 502-3239

Page 6

Overview

■ Information security requires a unified approach

− Security policies

− Employee education

− Use of technology (e.g., firewalls, encryption, intrusion protection systems)

− Security audits

− Addressing security in contracts with business partners and other suppliers

Page 7

Overview

■ Security measures can be divided into three main categories

− Administrative: Policies and procedures

− Technical: Firewalls, intrusion detection systems, encryption

− Physical: Secure doors and facilities, video and other monitoring, security guards

■ Many privacy and security laws use this language

Page 8

Types of Contracts and Relationships

■ Any agreement where a third party will have access to the company’s

− Network

− Facilities

− Data

− Confidential information, including information about people as well as proprietary processes, etc.

■ Access can be remote or physical

Page 9

What are we Protecting?

■ Confidential information

■ Intellectual property

■ Personally identifiable information

Page 10

Why Protections are Important

■ Protect valuable assets of the company

■ Establish a due diligence process

■ Protect business reputation

■ Avoid public embarrassment

■ Minimize potential liability

■ Comply with laws

Page 11

Three Step Approach to Incorporating Information Security in IT Contracting

■ Step 1: Internal and vendor due diligence

■ Step 2: Contractual protections

■ Step 3: Information handling and security procedures and requirements, generally in the form of contract exhibits

■ Common errors

− Failure to involve all relevant stakeholders in the process

− Failure to assess the unique requirements of the particular transaction

− Failure to maintain flexibility

Page 12

Scaling of Security in IT Contracting

■ Information security is not an all-or-nothing proposition

■ Protections (and the company’s approach) must scale to meet the risk

− Fees (i.e., how much the company is paying) should not be part of the analysis

■ Most data security laws are written in terms of scaling, meaning they take into account things like

− The size, scope and type of business

− The resources available

− The amount and type of data stored

− The need for confidentiality and security

Page 13

Scaling of Security

■ Massachusetts Data Security Law:

− “… safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information.”

Page 14

Step 1: Internal and Supplier Due Diligence

Page 15

Initial Internal Due Diligence

■ What is the mix of data sensitivity and criticality of service / product provided?

− HIGH RISK

▪ Mission critical processes

▪ Highly sensitive data

− MEDIUM RISK

▪ Generally available data

▪ High service levels required

▪ Non-confidential enterprise data

− LOW RISK

▪ Non-mission critical service or process

▪ Generally available data

▪ Can accept outages and variable performance

Page 16

Vendor Due Diligence

■ From the outset, vendors must be on notice that the information they provide as part of the company’s information security due diligence will be (1) relied upon in making a vendor selection, and (2) part of the contract

■ Make security part of RFP process (if you have one)

■ To ensure proper documentation and uniformity in the due diligence process, companies should develop a “vendor due diligence questionnaire”

Page 17

Questionnaire Key Areas

■ Financial condition

■ Insurance coverage

■ Actions against the vendor (e.g., criminal convictions, litigation, regulatory enforcement actions, breaches of security, etc.)

■ Location of services

■ Offshore transmission of data

■ Intended use of subcontractors

■ Personnel security standards

■ Information security policies

■ Business continuity/disaster recovery requirements

■ Data destruction procedures

■ Physical security procedures

■ Access controls

■ Development and maintenance procedures

■ Privacy policies

Page 18

Initial Vendor Due Diligence

■ Provides uniform framework for due diligence

■ Ensures key areas are addressed

■ Provides easy way to incorporate information into contract

■ Educates vendors with respect to compliance expectations

Page 19

Step 2: Contractual Protections

Page 20

U.S. Regulatory Language Should be Treated as a Floor

■ Including the HIPAA, GLB and other statutory / regulatory minimally required security language, without more, may not adequately protect companies

− In many cases, cannot solely rely on “compliance with applicable laws” requirements

■ Even the more robust language provided in laws and regulations (e.g., HIPAA Security Rule, GLB Safeguards Rule) may not provide sufficient protection

Page 21

Some Contract Protections are Not Optional

■ Some security protections in vendor agreements are required by law

− GLB

− HIPAA/HITECH

− Massachusetts, California, etc.

Page 22

One Size Does Not Fit All

■ Important to maintain flexibility in the contracting process

■ Develop library of alternative contractual protections to address common areas of disagreement between parties

Page 23

Key Contractual Protections

■ Confidentiality

− Draft broadly – be sure to include all potential confidential information

− Marking requirements are generally disfavored and unworkable

− Ensure ongoing protection of trade secrets (i.e., no term with respect to the confidentiality of trade secrets)

Page 24

Standard of Care for Confidentiality

■ Vendor shall treat Customer Confidential Information as strictly confidential and shall use the same care to prevent disclosure of such information as it uses with respect to its own most confidential or proprietary information, but in no event less than reasonable care.

■ Vendor shall treat Customer Confidential Information as strictly confidential and shall use the same care to prevent disclosure of such information as it uses with respect to its own most confidential or proprietary information, which shall not be less than the standard of care imposed by state and federal laws and regulations relating to the protection of such information and, in the absence of any legally imposed standard of care, the standard shall be that of a reasonable person under the circumstances.

Page 25

Key Contractual Protections

■ Warranties

− Compliance with best industry standard practices

− Compliance with state/federal law; privacy policy, etc.

■ Use of subcontractors

− Limit; require approval; primary vendor remains responsible

− If subcontractor is providing critical functions (hosting, outsource provider)

▪ Greater need for due diligence

▪ Control over changes to subcontractors

− Ample notice of change

− Assistance in conducting diligence

− Termination right

− Consider use of subcontractor NDA

▪ Where appropriate, include specific security requirements in addition to baseline confidentiality protections

Page 26

Key Contractual Protections

■ Personnel due diligence – background checks and screening

■ Control of personnel

− Removal, inspection, monitor

− Compliance with access requirements/security

− No removal of data

■ Termination for failure to comply

■ Indemnity – protection from third party claims for breach of confidentiality or failure to comply with security obligations

Page 27

Key Contractual Protections

■ General Security Obligations

− Take all reasonable measures to secure and defend its systems and facilities from unauthorized access or intrusion

− Periodically test systems and facilities for vulnerabilities

− Immediate reporting of breaches

− Joint security audits

− Regulatory access and compliance

− Firewalls, antivirus, etc.

■ Termination for compliance issues

Page 28

Key Contractual Protections

■ Exceptions to Limitation of Liability

− Breach of confidentiality, indemnification obligations, use of name, misappropriation of IP

■ Security breach notification

− Notice from vendor

− Customer controls notice

− Allocation of costs

■ Annual certification of compliance

Page 29

Key Contractual Protections

■ Security breach notification for PII

− Associated costs

− Ensure prompt notice from vendor of actual and potential breaches to ensure your ability to comply with applicable laws

− Control of notice

− Allocate responsibility for costs

Page 30

Step 3: Information Handling Requirements

Page 31

Information Handling Requirements

■ Where appropriate, attach specific information handling requirements in an exhibit to the contract

− Securing PII

− Encryption

− Secure destruction of data

− Securing removable media

Page 32

Negotiation Tips

■ Raise security requirements from the outset, including liability expectations

■ Educate the vendor about legal requirements that apply to your company

■ Flexibility is required, but usually for only a narrow range of requirements

■ Create alternatives to your required language

■ Think about how to address common vendor arguments

− “We cannot change the way we secure our systems for a single engagement”

− “Baseline security requirements prevent us from evolving security standards”

Page 33

Flexibility in Contracting Process

■ Ongoing re-evaluation of contracting approach to reflect:

− Changes in laws

− Feedback from vendors

■ Developing means to address vendor feedback can speed negotiations, lower costs and contribute to a more efficient contracting and procurement process

■ Contracting is a dynamic process – hire people who know how to procure goods and services efficiently!

Page 34

Case 1: Information is Generally Available and Service/Application is Low Risk

■ Commonly working from vendor forms where negotiation is impossible or limited

■ Difficult to impose company’s privacy and security requirements on the vendor

■ Thoroughly review vendor’s privacy and security practices and determine gaps with company’s practices

■ Vendors typically maintain the right to alter privacy and security practices from time to time – attach policies to the contract as of the effective date and ensure future revisions do not diminish obligations

■ Be prepared to agree to vendor’s privacy and security practices

Page 35

Case 2: Highly Sensitive Data is Used/Processed as Part of Mission Critical Application

■ Due diligence effort is critical

■ Ensure that vendors understand that security requirements will be a critical part of the transaction and the company is unlikely to rely solely on the vendor’s practices

■ Frequently (always?) appropriate to impose the company’s security practices on the vendor

■ Frequent compliance audits mandatory

■ Contractual protections extensive

Page 36

Case 3: Data Somewhat Sensitive and Used/Processed as Part of an Important Service or Application

■ The most difficult cases – often require flexibility and creativity

■ Perform gap analysis between vendor security practices and company’s security requirements

■ Consider creating an addendum to the vendor practices to fill gaps

■ Consider contractual protections, but be flexible in approach – work with vendor to create correct solution

Page 37

Post Execution

■ Ensure process includes an ongoing policing of vendor performance and compliance

■ Develop means to address vendor feedback, accommodate and adapt to changes

■ Anticipate that contracting is a dynamic process

Page 38

A Guide to IT Contracting: Checklists, Tools, and Techniques

Page 39

Questions?

Matt Karlyn

Partner

Foley & Lardner LLP

(617) 502-3239

[email protected]
