Patty Bednarczyk

Patty Bednarczyk. Overview: Standard Data Security Clauses; Areas of concern in contracts relating to Data Security; Ever changing landscape of Global Privacy

Page 1: Patty Bednarczyk. Overview Standard Data Security Clauses Areas of concern in contracts relating to Data Security Ever changing landscape of Global Privacy

Patty Bednarczyk

Page 2

Overview

• Standard Data Security Clauses

• Areas of concern in contracts relating to Data Security

• Ever changing landscape of Global Privacy Laws

• Key Data Privacy Language inclusion in your SaaS, IaaS and Cloud contracts

• Summary

Page 3

Standard Security Clauses

Common Information Security Clauses

• Confidential Information

The definition usually amounts to “proprietary,” nonpublic information that could be legally protected as trade secrets or confidential commercial information.

A simple, reciprocal confidentiality obligation works well where the parties have similar interests and capabilities in information protection.

Personal Information Security Clauses

• A Personal Information or Personal Data provision is designed to help ensure compliance with any applicable privacy laws or standards, such as the federal HIPAA and HITECH acts governing medical data in the US (part of the 2009 American Recovery and Reinvestment Act), state personal information security and breach notice laws, and data protection legislation outside the US.

• HITECH (The Health Information Technology for Economic and Clinical Health Act): legislation created in 2009 to stimulate the adoption of electronic health records (EHR) and supporting technology in the United States. President Obama signed HITECH into law on Feb. 17, 2009, as part of the American Recovery and Reinvestment Act of 2009 (ARRA) economic stimulus bill.

• HIPAA (The Health Insurance Portability and Accountability Act): the HIPAA Privacy Rule provides consumers with important privacy rights and protections with respect to their health information, including important controls over how their health information is used and disclosed by health plans and health care providers.

Page 4

Standard Security and Data Privacy Clauses

It is prudent to add a specific reference such as PCI DSS (payment cards), HIPAA and HITECH (medical records), GLBA (financial accounts), FCRA (consumer reports), national laws based on the EU Data Protection Directive, or the Massachusetts personal information security requirements contained in M.G.L. c. 93H and 201 CMR §§ 17.00-17.05, among others.

• PCI DSS (Payment Card Industry Data Security Standard): a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information. The PCI DSS was created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express.

• GLBA (The Gramm-Leach-Bliley Act): the GLB Act or GLBA, also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals. The Act consists of three sections: the Financial Privacy Rule, which regulates the collection and disclosure of private financial information; the Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information; and the Pretexting provisions, which prohibit the practice of pretexting (accessing private information using false pretenses). The Act also requires financial institutions to give customers written privacy notices that explain their information-sharing practices.

• FCRA (The Fair Credit Reporting Act): a federal law that regulates how consumer reporting agencies use your information. Enacted in 1970 and substantially amended in the late 1990s and again in 2003, the FCRA, among other things, restricts who has access to your sensitive credit information and how that information can be used.

Page 5

Standard Security and Data Privacy Clauses

EU Data Protection Directive

Under EU law, personal data can only be gathered legally under strict conditions, for a legitimate purpose. Furthermore, persons or organizations which collect and manage your personal information must protect it from misuse and must respect certain rights of the data owners which are guaranteed by EU law.

• Every day within the EU, businesses, public authorities and individuals transfer vast amounts of personal data across borders. Conflicting data protection rules in different countries would disrupt international exchanges. Individuals might also be unwilling to transfer personal data abroad if they were uncertain about the level of protection in other countries.

• Therefore, common EU rules have been established to ensure that your personal data enjoys a high standard of protection everywhere in the EU. You have the right to complain and obtain redress if your data is misused anywhere within the EU.

• The EU's Data Protection Directive also foresees specific rules for the transfer of personal data outside the EU to ensure the best possible protection of your data when it is exported abroad.

Massachusetts Personal Information Security Requirements

• This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own or license personal information about a resident of the Commonwealth of Massachusetts. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. The objectives of this regulation are to insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.

Page 6

Standard Security and Data Privacy Clauses

Trans-border Personal Data Transfer Agreement

• Personal data from the European Union, the European Economic Area (the EU plus Norway, Iceland, and Liechtenstein), and other jurisdictions (such as Switzerland and Russia) with laws based on the EU Data Protection Directive are usually covered as well by a trans-border data transfer clause.

• Data from EU / EEA countries, Switzerland, and Israel may be received lawfully in the United States by a company that participates in the International Safe Harbor program.

• The most common of the other transfer mechanisms are EU-approved standard contractual clauses (or “model contracts”) and, more recently, nationally approved binding corporate rules (BCRs).

Page 7

Data Privacy in U.S.

Federal Protections

• HIPAA, HITECH, PCI DSS, GLBA

State

• California leads the way in the privacy arena: it was the first state to enact a data breach notification law, California Civil Code Section 1798.82, which has been in effect in California since July 1, 2003. That law already requires businesses and governmental agencies to notify consumers when a security breach occurs involving “an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number. (2) Driver’s license number or California Identification Card number. (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. (4) Medical information. (5) Health insurance information.” Cal. Civ. Code Section 1798.82(h).

• Most of the early states to enact breach notification laws mirrored California's law and tended to be reactive.

• The Massachusetts regulation (201 CMR 17.00) is the best example of a preventative type of law.

Page 8

Data Privacy in U.S.

• As of March 2014, 46 states have enacted laws requiring notification of security breaches involving personal data.

• California has since added two new privacy laws. S.B. 46 amends Section 1798.82(h) to expand the definition of “personal information” for which breach notification is required. The new law adds to the definition: “A user name or email address, in combination with a password or security question and answer that would permit access to an online account.” [Emphasis added] Once the amendment is made to the statute, this new prong of the definition will appear as Cal. Civ. Code Section 1798.82(h)(2) and the existing definition will be redesignated as Section 1798.82(h)(1).

Texas HB 300

• Texas patient privacy protections will soon become more substantial. During the 82nd legislative session in 2011, the Texas Legislature adopted House Bill 300 ("HB 300"), which amends the Texas Medical Records Privacy Act ("Texas Act") and takes effect on September 1, 2012.[1] Since HB 300's effective date is nearing, Texas covered entities, including out-of-state companies that use and/or disclose protected health information ("PHI") in Texas, must be aware of, and take steps now to ensure compliance with, the new statutory requirements. In particular, HB 300 significantly expands patient privacy protections for Texas covered entities beyond the federal requirements outlined by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health (or "HITECH") Act[2] by:

• revising the definition of a "covered entity";

• increasing mandates on covered entities, including requiring customized employee training;

• establishing standards for the use of electronic health records ("EHRs");

• granting enforcement authority to several state agencies; and

• increasing civil and criminal penalties for the wrongful electronic disclosure of PHI.

Page 9

Data Privacy and Security Clauses to Look for

After ensuring that global, federal and state laws are being followed, there are other items to consider:

• HIPAA data in the cloud is still your responsibility

• SAS 70 Type II or SSAE 16 report: Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, was finalized by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in January 2010. SSAE 16 effectively replaces SAS 70 as the authoritative guidance for reporting on service organizations. SSAE 16 was formally issued in April 2010 and became effective on June 15, 2011.

• Other regulatory scoping documents, such as ISO 27001

• Breach Notifications, breach details, and remedy

• A business continuation plan

• Termination rights to Data

• Vendor notification to customer of inquiry from third party

• Vendor cooperation with customer’s inquiry in a timely manner

Page 10

Data Privacy and Security Clauses to Look for (cont.)

• Inspection and Audit rights

• Store and Transmit data per industry best practice (AES-256 or greater preferred; 3DES and AES-128 are deprecated)

AES-256 is a symmetric encryption algorithm that has become ubiquitous due to its acceptance by the U.S. and Canadian governments as a standard for encrypting data in transit and data at rest.

• Vendor subcontractor protection language

• Execute business associate agreements (BAA) as required

• Vendor bears all costs of a security breach

• Termination rights tied to all inappropriate vendor actions, not only to a breach

Page 11

Changing Global Privacy Laws

EU Model Clauses (EU Data Protection Directive) and EU BCR (WP29) – November 2014

• Document to facilitate the use of the EU Model clauses across multiple jurisdictions in Europe

Within the past years, the Article 29 Working Party ("WP29") designed an innovative legal tool, the so-called Binding Corporate Rules ("BCR"), to protect international flows of data internal to a corporate group. BCR are a code of conduct defining a group's policy in terms of data transfers and make it possible to adduce sufficient safeguards for data transferred from the European Union ("EU") to non-EU countries within the same group. On the basis of such guarantees, CNIL can rapidly deliver authorizations to transfer data.

Korea – March 2012

• The new Act replaces the existing Public Agency Data Protection Act in whole and, in relation to the private sector, it replaces in part the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.

Page 12

Changing Global Privacy Laws

New China National Security Law (July 2015)

• The scope of the law, China’s most comprehensive piece of national security legislation to date, is broad. It covers issues of political security, military security, economic and financial security, social and cultural security, nuclear security, ecological security, and more. The final version of the law makes clear that the country’s leadership sees its security interests as extending far beyond the physical borders of mainland China, reaching to the depths of the sea, into outer space, and perhaps most importantly, into cyberspace. See more at: http://www.natlawreview.com/article/china-s-new-national-security-law

Australia (March 2014 – changes to the 1988 law)

• The Privacy Act now includes a set of 13 new harmonized privacy principles that regulate the handling of personal information by Australian and Norfolk Island Government agencies and some private sector organizations. These principles are called the Australian Privacy Principles (APPs). They replace both the Information Privacy Principles (IPPs) that applied to Australian Government agencies and the National Privacy Principles (NPPs) that applied to some private sector organizations.

Russian data protection rules (effective 9/15)

• On 31 December, the Russian President signed into Federal Law No. 526-FZ a proposal to change the effective date of Russia’s Data Localization Law, first passed last summer, from 1 September 2016 to 1 September 2015. This follows our earlier report that the State Duma (the lower chamber of the Russian Parliament) approved the legislation on 17 December, after which it was approved by the Federation Council (the upper chamber) on 25 December.

• Under the Data Localization Law, businesses collecting data of Russian citizens, including on the Internet, are obliged to record, systematize, accumulate, store, update, change, and retrieve the personal data of Russian citizens in databases located within the territory of the Russian Federation.

Page 13

Security and Data Privacy sample language

See Handout