TRANSCRIPT
Integrating Information Security Protections in Supplier Agreements: Guidance for Business and Technology Counsel
Evaluating Data Security Risks During Due Diligence, Negotiating Contractual Protections, Monitoring Supplier Performance
Presenting a live 90-minute webinar with interactive Q&A
WEDNESDAY, JANUARY 16, 2019
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Matthew A. Karlyn, Partner, Foley & Lardner, Boston
The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.
©2015 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar outcome • Models used are not clients but may be representative of clients • 321 N. Clark Street, Suite 2800, Chicago, IL 60654 • 312.832.4500
Integrating Information Security Into the
Supplier Contracting Process
Matt Karlyn | Partner | Foley & Lardner
[email protected] | (617) 502-3239
Overview
■ Information security requires a unified approach
− Security policies
− Employee education
− Use of technology (e.g., firewalls, encryption, intrusion
protection systems)
− Security audits
− Addressing security in contracts with business partners
and other suppliers
Overview
■ Security measures can be divided into three main
categories
− Administrative: Policies and procedures
− Technical: Firewalls, intrusion detection systems,
encryption
− Physical: Secure doors and facilities, video and other
monitoring, security guards
■ Many privacy and security laws use this language
Types of Contracts and Relationships
■ Any agreement where a third party will have
access to the company’s
− Network
− Facilities
− Data
− Confidential information including information
about people as well as proprietary processes, etc.
■ Access can be remote or physical
What are we Protecting?
■ Confidential information
■ Intellectual property
■ Personally identifiable information
Why Protections are Important
■ Protect valuable assets of the company
■ Establish a due diligence process
■ Protect business reputation
■ Avoid public embarrassment
■ Minimize potential liability
■ Comply with laws
Three Step Approach to Incorporating
Information Security in IT Contracting
■ Step 1: Internal and vendor due diligence
■ Step 2: Contractual protections
■ Step 3: Information handling and security procedures and requirements, generally in the form of contract exhibits
■ Common errors
− Failure to involve all relevant stakeholders in the process
− Failure to assess the unique requirements of the particular transaction
− Failure to maintain flexibility
Scaling of Security in IT Contracting
■ Information security is a not an all or nothing proposition
■ Protections (and the company’s approach) must scale to meet the risk
− Fees (i.e., how much the company is paying) should not be
part of the analysis
■ Most data security laws are written in terms of scaling, meaning they take into account things like
− The size, scope and type of business
− The resources available
− The amount and type of data stored
− The need for confidentiality and security
Scaling of Security
■ Massachusetts Data Security Law:
− “… safeguards that are appropriate to (a) the size, scope
and type of business of the person obligated to
safeguard the personal information under such
comprehensive information security program; (b) the
amount of resources available to such person; (c) the
amount of stored data; and (d) the need for security and
confidentiality of both consumer and employee
information.”
Step 1: Internal and Supplier Due Diligence
Initial Internal Due Diligence
■ What is the mix of data sensitivity and criticality of service / product provided?
− HIGH RISK
▪ Mission critical processes
▪ Highly sensitive data
− MEDIUM RISK
▪ Generally available data
▪ High service levels required
▪ Non-confidential enterprise data
− LOW RISK
▪ Non-mission critical service or process
▪ Generally available data
▪ Can accept outages and variable performance
Vendor Due Diligence
■ From the outset, vendors must be on notice that the
information they provide as part of the company’s
information security due diligence will be (1) relied
upon in making a vendor selection, and (2) part of
the contract
■ Make security part of RFP process (if you have one)
■ To ensure proper documentation and uniformity in
the due diligence process, companies should
develop a “vendor due diligence questionnaire”
Questionnaire Key Areas
■ Financial condition
■ Insurance coverage
■ Actions against the vendor (e.g., criminal convictions, litigation, regulatory enforcement actions, breaches of security, etc.)
■ Location of services
■ Offshore transmission of data
■ Intended use of subcontractors
■ Personnel security standards
■ Information security policies
■ Business continuity/disaster recovery requirements
■ Data destruction procedures
■ Physical security procedures
■ Access controls
■ Development and maintenance procedures
■ Privacy policies
Initial Vendor Due Diligence
■ Provides uniform framework for due diligence
■ Ensures key areas are addressed
■ Provides easy way to incorporate information into contract
■ Educates vendors with respect to compliance expectations
Step 2: Contractual Protections
U.S. Regulatory Language Should be
Treated as a Floor
■ Including only the minimum security language required by HIPAA, GLB and other statutes/regulations, without more, may not adequately protect companies
− In many cases, cannot solely rely on “compliance with applicable laws” requirements
■ Even the more robust language provided in laws and regulations (e.g., HIPAA Security Rule, GLB Safeguards Rule) may not provide sufficient protection
Some Contract Protections are Not
Optional
■ Some security protections in vendor
agreements are required by law
− GLB
− HIPAA/HITECH
− Massachusetts, California, etc.
One Size Does Not Fit All
■ Important to maintain flexibility in the
contracting process
■ Develop library of alternative contractual
protections to address common areas of
disagreement between parties
Key Contractual Protections
■ Confidentiality
− Draft broadly – be sure to include all potential
confidential information
− Marking requirements are generally disfavored
and unworkable
− Ensure ongoing protection of trade secrets (i.e., no
term with respect to the confidentiality of trade
secrets)
Standard of Care for Confidentiality
■ Vendor shall treat Customer Confidential Information as strictly confidential and shall use the same care to prevent disclosure of such information as it uses with respect to its own most confidential or proprietary information, but in no event less than reasonable care.
■ Vendor shall treat Customer Confidential Information as strictly confidential and shall use the same care to prevent disclosure of such information as it uses with respect to its own most confidential or proprietary information, which shall not be less than the standard of care imposed by state and federal laws and regulations relating to the protection of such information and, in the absence of any legally imposed standard of care, the standard shall be that of a reasonable person under the circumstances.
Key Contractual Protections
■ Warranties
− Compliance with best industry standard practices
− Compliance with state/federal law; privacy policy, etc.
■ Use of subcontractors
− Limit; require approval; primary vendor remains responsible
− If subcontractor is providing critical functions (hosting, outsource provider)
▪ Greater need for due diligence
▪ Control over changes to subcontractors
− Ample notice of change
− Assistance in conducting diligence
− Termination right
− Consider use of subcontractor NDA
▪ Where appropriate include specific security requirements in addition to
baseline confidentiality protections
Key Contractual Protections
■ Personnel due diligence – background checks and screening
■ Control of personnel
− Removal, inspection, monitor
− Compliance with access requirements/security
− No removal of data
■ Termination for failure to comply
■ Indemnity – protection from third party claims for breach of confidentiality or failure to comply with security obligations
Key Contractual Protections
■ General Security Obligations
− Take all reasonable measures to secure and defend its
systems and facilities from unauthorized access or
intrusion
− Periodically test systems and facilities for vulnerabilities
− Immediate reporting of breaches
− Joint security audits
− Regulatory access and compliance
− Firewalls, antivirus, etc.
■ Termination for compliance issues
Key Contractual Protections
■ Exceptions to Limitation of Liability
− Breach of confidentiality, indemnification
obligations, use of name, misappropriation of IP
■ Security breach notification
− Notice from vendor
− Customer controls notice
− Allocation of costs
■ Annual certification of compliance
Key Contractual Protections
■ Security breach notification for PII
− Associated costs
− Ensure prompt notice from vendor of actual and
potential breaches to ensure your ability to comply with
applicable laws
− Control of notice
− Allocate responsibility for costs
Step 3: Information Handling Requirements
Information Handling Requirements
■ Where appropriate, attach specific
information handling requirements in an
exhibit to the contract
− Securing PII
− Encryption
− Secure destruction of data
− Securing removable media
Negotiation Tips
■ Raise security requirements from the outset, including liability expectations
■ Educate the vendor about legal requirements that apply to your company
■ Flexibility is required, but usually for only a narrow range of requirements
■ Create alternatives to your required language
■ Think about how to address common vendor arguments
− “We cannot change the way we secure our systems for a single engagement”
− “Baseline security requirements prevent us from evolving security standards”
Flexibility in Contracting Process
■ Ongoing re-evaluation of contracting approach to reflect:
− Changes in laws
− Feedback from vendors
■ Developing means to address vendor feedback can speed negotiations, lower costs and contribute to a more efficient contracting and procurement process
■ Contracting is a dynamic process – hire people who know how to procure goods and services efficiently!
Case 1: Information is Generally Available and
Service/Application is Low Risk
■ Commonly working from vendor forms where negotiation is impossible or limited
■ Difficult to impose company’s privacy and security requirements on the vendor
■ Thoroughly review vendor’s privacy and security practices and determine gaps with company’s practices
■ Vendors typically maintain the right to alter privacy and security practices from time to time – attach policies to the contract as of the effective date and ensure future revisions do not diminish obligations
■ Be prepared to agree to vendor’s privacy and security practices
Case 2: Highly Sensitive Data is Used/Processed as
Part of Mission Critical Application
■ Due diligence effort is critical
■ Ensure that vendors understand that security requirements will be a critical part of the transaction and the company is unlikely to rely solely on the vendor’s practices
■ Frequently (always?) appropriate to impose the company’s security practices on the vendor
■ Frequent compliance audits mandatory
■ Contractual protections extensive
Case 3: Data Somewhat Sensitive and Used/Processed
as Part of an Important Service or Application
■ The most difficult cases – often requires flexibility and creativity
■ Perform gap analysis between vendor security practices and company’s security requirements
■ Consider creating an addendum to the vendor practices to fill gaps
■ Consider contractual protections, but be flexible in approach – work with vendor to create correct solution
Post Execution
■ Ensure process includes an ongoing policing
of vendor performance and compliance
■ Develop means to address vendor feedback,
accommodate and adapt to changes
■ Anticipate that contracting is a dynamic
process
A Guide to IT Contracting:
Checklists, Tools, and Techniques
Questions?
Matt Karlyn
Partner
Foley & Lardner LLP
(617) 502-3239