Source: media.straffordpub.com/products/data-privacy-and-security-agreements-defining...
Data Privacy and Security Agreements: Defining, Allocating, and Mitigating Risks From Data Security Breaches

Presenting a live 90-minute webinar with interactive Q&A

WEDNESDAY, NOVEMBER 20, 2019

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

Amy Lawrence, Attorney, Frankfurt Kurnit Klein & Selz, Los Angeles

Alex C. Nisenbaum, Attorney, Pepper Hamilton, Los Angeles

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.

If the sound quality is not satisfactory, you may listen via the phone: dial 1-877-447-0294 and enter your Conference ID and PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the ‘Full Screen’ symbol located on the bottom right of the slides. To exit full screen, press the Esc button.

FOR LIVE EVENT ONLY

Continuing Education Credits

In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar.

A link to the Attendance Affirmation/Evaluation will be in the thank you email that you will receive immediately following the program.

For additional information about continuing education, call us at 1-800-926-7926 ext. 2.

FOR LIVE EVENT ONLY

Program Materials

If you have not printed the conference materials for this program, please complete the following steps:

• Click on the link to the PDF of the slides for today’s program, which is located to the right of the slides, just above the Q&A box.

• The PDF will open a separate tab/window. Print the slides by clicking on the printer icon.

FOR LIVE EVENT ONLY

Data Privacy and Security Agreements: Defining, Allocating and Mitigating Risks From Data Security Breaches

Alex C. Nisenbaum | Pepper Hamilton LLP

Amy Lawrence | Frankfurt Kurnit Klein & Selz PC

November 20, 2019 | 1:00 pm EST

Service Providers and the Lifecycle of Data in the Business

Background

Can’t outsource liability for legal compliance

Federal, state, international regulatory framework

Not just for “IT” vendors

- Target breach

Legal Obligations

Federal Laws

- Section 5 of FTC Act

- HIPAA

- GLBA

State Laws

- California Consumer Privacy Act

- Massachusetts Data Security Regulations

- NYDFS Cybersecurity Regulation

- Cal. Civ. Code Section 1798.80 et seq. and similar state laws

International Laws

- EU (GDPR), Canada, APAC may be more stringent

Self-Regulatory Regimes

Vendor Contracting Process

Pre-Contract Due Diligence

Contract – Conversation to Commitment

Verify Compliance

Pre-Contract Due Diligence

Review relevant privacy and security policies

Review security controls

- Vendor security questionnaires

- Independent third party audit reports (SOC 1/SOC 2)

- Certifications/Attestations

• ISO/IEC 27001

• HITRUST

• PCI DSS

Vendor Contracts

Every situation is unique

- Sensitivity of data

- Type of service

- Criticality of service

- Operational delivery realities

- Negotiating leverage

Vendor Contracts

Ownership and control of data

Compliance with law; compliance with policies/procedures

Administrative, technical and physical safeguards

Audit rights

Breach notification, response and cooperation

Indemnification

Limits of Liability

Insurance

Service Levels

End of relationship/transition

Legally mandated agreements

Ownership and Control of Data

- Cloud vendors

- Secondary uses

- Access/suspension

Compliance with law; compliance with policies/procedures

Can’t outsource compliance

Fines, penalties and other regulator-imposed costs can be substantial

On-site/Access to systems

Administrative, technical and physical security safeguards

Mandated by state, federal and international law

Basic to complex

Access controls, authorization protocols, monitor audit logs, network security, malware defense, physical safeguards, training, incident response, penetration tests…

Audit rights

Customer/vendor/independent third party audits

Regulator audits

Remediation of deficiencies

Breach Notification, Response and Cooperation

Timeframe for notice of breach from vendor

Information sharing and cooperation

Preservation of documents and information

Control over notices to individuals and regulators

Indemnification

First party costs

- Legal costs

- Forensic investigation

- Notice costs, credit monitoring, call center

- Regulatory fines and penalties

Third party costs

- Class actions and other lawsuits

- Third party contractual claims

Limits of Liability

Caps - supercaps

Carve outs

Consequential Damages

What is appropriate will be unique to risk and relationship

- Sensitivity of data

- Criticality of business function

- Negotiation leverage

Insurance

Cyber liability coverage

Coverage for whose costs

Coverage limits

Service Levels

Data needs to be available to be useful to business

Availability service levels

Recovery point objectives / Recovery time objectives

Severity level response times

Review of Disaster Recovery / Business Continuity

End of Relationship/Transition

Data retrieval/format

Return or destruction of data

How long will it take to transition to new solution?

Mandated continuation during transition period

Legally Mandated Agreements

Compliance chain

- Business Associate Agreements (HIPAA)

- Agreements with Service Providers (GLBA)

- Data Processing Agreements (GDPR)

- Recipients of Personal Information (CCPA)

- Other State laws

Questions? Contact Us

Alex C. Nisenbaum | [email protected]

Amy Lawrence | [email protected]