Managing Risk in Cloud Computing Contracts

Henry Ward and Todd Taylor

April 30, 2015


Discussion Topics

• Data Security.

• Compliance.

• Indemnification.

• Limitation on Liability and Insurance.


Data Security

Ownership and Access

• Acknowledgment that all data you input into the software or provide to the vendor is owned by you.

• Requirement that, at the termination of the contract, the vendor will provide you a copy of your data in an agreed-upon format.

• Requirement that the vendor permanently deletes all copies of your data at the termination of the contract (including back-up media).

• Litigation-cooperation clause requiring the vendor to preserve your data and cooperate with any discovery requests if you become involved in any litigation.


Data Security

Back-Up Capability

• Redundant systems in place so that if the vendor’s main data center goes down (e.g., because of a natural disaster or cyber attack), you will continue to be able to access and use the services.

• Required procedure for backing up your data.


Data Security

Confidentiality

• Restrict who can have access to your information.

• Restrict how your information can be used.

• Require vendor to use at least reasonable measures to protect your information.

• Require vendor to be responsible for any data that is lost, stolen or compromised while in the possession or control of vendor.


Data Security

Encryption

• Requirements when transmitting data.

• Requirements when storing data.


Data Security

Audit Rights and Reporting Obligations

• You should have the right to audit the security procedures and data centers of the vendor.

• Requirement that the vendor have Type II SSAE 16 examinations conducted on its controls and procedures for storing, processing and transmitting data, and provide you copies of the examination reports.


Data Security

Security Breach Procedures

• Requirement for prompt notification of actual or suspected breach.

• Requirement to cooperate and provide assistance in remedying breach.

• Remedial obligations, including payment of notification and credit monitoring costs, if applicable.


Compliance

Federal Data Security Law and Regulations

• The Federal Information Security Management Act (“FISMA”)

• The Veterans Benefits, Health Care, and Information Technology Act (the “VA Information Security Act”)

• The Privacy Act

• Gramm-Leach-Bliley Act (“GLBA”)

• The Health Insurance Portability and Accountability Act (“HIPAA”) & the HITECH Act

• The Federal Trade Commission Act (the “FTC Act”)

• The Telecommunications Act

• The Fair and Accurate Credit Transactions Act (“FACTA”)


Compliance

Industry Data Security Standards

• Payment Card Industry Data Security Standard (PCI DSS)

  • PCI DSS was originally adopted by Visa, MasterCard, Discover, American Express and Japan Credit Bureau.

  • PCI DSS sets forth minimum technical and operational requirements for the protection of cardholder data.

  • PCI DSS applies to all entities involved in payment card processing, including merchants.

• ISO/IEC 27000 – Series of information security standards promulgated by the International Organization for Standardization and the International Electrotechnical Commission.

• NIST 800-53 – a set of security controls promulgated for U.S. federal information systems and their third-party service providers by the National Institute of Standards and Technology.


Compliance

State Data Security Law and Regulations

• California Civil Code §1798.1.5 – Businesses that own, license or maintain personal information shall implement and maintain reasonable security procedures and practices.

• Connecticut General Statute §42-471 – Any person in possession of another’s personal information shall safeguard the data, computer files and documents containing such personal information.

• Maryland Personal Information Protection Act – Businesses owning or licensing personal information shall implement and maintain reasonable security procedures.


Compliance

State Data Security Law and Regulations (cont.)

• Massachusetts Safeguards Rule

  • Persons owning or licensing personal information shall develop, implement and maintain a comprehensive written information security program setting forth administrative, technical and physical safeguards.

  • If personal information is electronically stored, the information security program must cover computers and wireless systems.

• Minnesota Plastic Card Security Act – Prevents merchants from retaining various card-related data for more than 48 hours after authorization of a transaction.

• Nev. Rev. Stat. Ann. §§ 603A.210 & 603A.215 – Require, among other things: (a) data collectors maintaining records of personal information to implement and maintain reasonable security measures, and (b) business entities accepting payment cards for the sale of goods or services to comply with PCI DSS.


Compliance

State Breach Notification Laws and Regulations

• Widespread Adoption – Currently 47 states have adopted some form of data breach notification laws.

• Protect “personally identifiable information” – State data breach laws, generally speaking, protect a name in combination with other data (driver’s license number, Social Security number, financial account numbers – sometimes in combination with a passcode), if not publicly available.

• Notice Requirements – There is some variation in notice requirements across the states, but notice to affected persons (and/or governmental agencies) is typically triggered when the data holder reasonably believes there has been disclosure of, or access to, personally identifiable information by an unauthorized person, the information was not rendered unusable, and illegal use of the information has occurred or is reasonably likely to occur.


Indemnification

Types of Claims

• Tortious acts and omissions.

• Intellectual property infringement (beware of combination carve-out).

• Note publicity restrictions.

• Personal injury/property damage.

• Breach of confidentiality/security breach.


Limitation on Liability

Exclusions

• Exclusion for indemnity obligations.

• Exclusion for willful misconduct.

• Exclusion for breach of confidentiality obligations (and data breach, if possible).

• Exclusion for property damage/bodily injury.

• Exclusion for remedial obligations for data breach. If not obtainable, consider a negotiated cap on liability.


Insurance

• General commercial liability

• Cybersecurity (data breaches, business interruption, and network damage)


QUESTIONS?