Roadmap
- What is a breach?
- What is security?
- Who is covered?
- How are third parties treated?
- How is risk transferred?
What is a breach?
What is security?
Regulatory climate
HIPAA
- Specific safeguards
- Protect against reasonably anticipated uses
- Ensure that workforce complies with rule
- Civil penalties
- Actions by state AG
- HHS investigations
GLB
- Security and confidentiality of customer information
- Protect against anticipated threats or hazards to security and integrity
- Protect against unauthorized access or use
FCRA
- Identification / authentication procedures
- Disposal rules
- Procedures to ensure accuracy
- Integrity / accuracy of information sent out
- Attempts to prevent impersonation fraud
FTC
COPPA
- Secure web servers
- Delete personal information after use
- Limit employee access to data
- Provide training
- Screen third parties
FCC
- Protect the confidentiality of CPNI
- Reasonable measures to prevent and discover unauthorized access
- Massachusetts sets standard
- Focus on identification numbers
- Increasingly includes biometrics
- No private right of action
- Nexus requirement
- Encryption exemption
- No exemption for de minimis disclosures
- 7 states with no law
Regulatory climate
- Data governance laws are here to stay
- Expectation that in some format data breach rules will be extended to cover not just telecoms
- General data breach requirements in some EU Member States already
- Accountability and transparency principles
- Broad scope of definition of personal data
- Cloud and jurisdictional challenges
- The role of controllers and processors
EU Enforcement Priorities
Tempered by:
- Need for cloud adoption
- Fundamental right to data protection
- Security and privacy rules with uniform standards
- Transparency
- Fairness
- User control
- Certainty
- Proportionality
Define breach.
Security
- Define breach
- Determine when a breach happens
- Assume there will be data breach laws
- Review any laws that may currently exist
- Understand who will be responsible for security
- Create enforceable contract terms
- Remember post-termination issues
- Understand that you may not be made whole
Contract provisions
- Breach: benign and malicious
- Breach: parties, third parties, subcontractors, vendors
- Breach laws: national, provincial
- Responsibility for security: parties, third parties, subcontractors, vendors
- Post-termination issues: data belongs to customer; breach liability extends post termination
- Security policy: made part of contract; revisions subject to customer review; flow down to subcontractors and vendors
Whose law governs
- Jurisdiction over the data
- Where the dispute is heard
- Change in judicial presumptions
Jurisdiction over the data
- Data protection directive
- Export control laws
Creating contracts that work
Choice of law
This Agreement shall be governed by the laws of the District of Columbia, without reference to its choice of law provisions. Jurisdiction and venue shall be proper before the U.S. District Court for the District of Columbia located in Washington, D.C. The parties agree not to contest notice from, or the jurisdiction of, this court. Notwithstanding the preceding sentences, the parties agree that all issues regarding the processing, transfer, protection and privacy of any information transferred from X or any End User to Vendor shall be governed by the laws of the United Kingdom. All disputes between the parties, and between a party and an End User regarding Vendor's access to this data shall be heard before the appropriate court located in London, United Kingdom.
Split choice of law if you have differing regulatory obligations.
Upon termination or expiration of this Agreement, Vendor shall delete all data and provide X with written confirmation of this deletion. Vendor shall also instruct any entities who have had access to the data to also delete it and provide Vendor with written certification of this deletion. The security obligations set out in this Agreement shall survive termination or expiration of this Agreement until such time as the data is completely deleted by Vendor and/or Vendor's suppliers. Vendor shall require this provision, or one similarly protective of X's rights, in all its contracts with suppliers or other vendors who provide aspects of the Services.
When the agreement terminates, your rights relating to the data terminate.
- Limited collection of sensitive data
- Security measures appropriate to data
- Disposed of / deleted
- Disclosure events considered
Toolkit
- Determine how services will be used
- Evaluate cloud structure
- Understand data collection, processing and transfer
- Security breach notification
- High risk regulatory areas
- Disposition of data on termination