
The details matter: Security laws that demand attention

Cloud Security Alliance, New York City
W. David Snead


Attorney + Counselor Washington, D.C.

Tactical Legal Advice for Internet Business

Roadmap

What is a breach?
What is security?
Who is covered?
How are third parties treated?
How is risk transferred?

What is a breach?

Confidentiality
Integrity
Access

What is security?

Methods of protecting information


Administrative
Technical
Physical

The definition of confidential is crucial

Regulatory climate

Issue based
Proactive
National implementation

Sectoral based
Reactive
Generally state based
Narrowly tailored

HIPAA

Specific safeguards
Protect against reasonably anticipated uses
Ensure that the workforce complies with the rule
Civil penalties
Actions by state AGs
HHS investigations

GLB (Gramm-Leach-Bliley Act)

Security and confidentiality of customer information
Protect against anticipated threats or hazards to security and integrity
Protect against unauthorized access or use

FCRA

Identification / authentication procedures
Disposal rules
Procedures to ensure accuracy
Integrity / accuracy of information sent out
Attempts to prevent impersonation fraud

FTC

Unfair or deceptive acts (Section 5 of the FTC Act)

COPPA

Secure web servers
Delete personal information after use
Limit employee access to data
Provide training
Screen third parties

FCC

Protect the confidentiality of CPNI (customer proprietary network information)
Reasonable measures to prevent and discover unauthorized access

Massachusetts sets the standard
Focus on identification numbers
Increasingly includes biometric data
No private right of action
Nexus requirement
Encryption exemption
No exemption for de minimis disclosures
7 states with no law

Regulatory climate

Data governance laws are here to stay
Expectation that, in some format, data breach rules will be extended to cover not just telecoms
General data breach requirements in some EU Member States already
Accountability and transparency principles
Broad scope of the definition of personal data
Cloud and jurisdictional challenges
The role of controllers and processors

EU Enforcement Priorities

Tempered by:
Need for cloud adoption
Fundamental right to data protection
Security and privacy rules with uniform standards
Transparency
Fairness
User control
Certainty
Proportionality

Creating contracts that work

Break down your cloud transaction.

Understand what security means to you.

Define breach.

Decide what kind of snowflake you are.

Creating contracts that work

Where will the data be physically located?

Should jurisdiction be split?

How will data be collected, processed, transferred?

What will happen to the data on termination?

Creating contracts that work

Security
Define breach
Determine when a breach happens
Assume there will be data breach laws
Review any laws that may currently exist
Understand who will be responsible for security
Create enforceable contract terms
Remember post-termination issues
Understand that you may not be made whole

Creating contracts that work

Contract provisions
Breach: benign and malicious
Breach: parties, third parties, subcontractors, vendors
Breach laws: national, provincial
Responsibility for security: parties, third parties, subcontractors, vendors
Post-termination issues: data belongs to the customer; breach liability extends post-termination

Security policy: made part of the contract; revisions subject to customer review; flow down to subcontractors and vendors

Creating contracts that work

Jurisdiction over the contract

Whose law governs
Jurisdiction over the data
Where the dispute is heard
Change in judicial presumptions

Jurisdiction over the data
Data Protection Directive
Export control laws

Creating contracts that work

Choice of law

Sample clause: This Agreement shall be governed by the laws of the District of Columbia, without reference to its choice of law provisions. Jurisdiction and venue shall be proper before the U.S. District Court for the District of Columbia located in Washington, D.C. The parties agree not to contest notice from, or the jurisdiction of, this court. Notwithstanding the preceding sentences, the parties agree that all issues regarding the processing, transfer, protection and privacy of any information transferred from X or any End User to Vendor shall be governed by the laws of the United Kingdom. All disputes between the parties, and between a party and an End User regarding Vendor's access to this data, shall be heard before the appropriate court located in London, United Kingdom.

Callout: Split choice of law if you have differing regulatory obligations.

Creating contracts that work

Termination

Create and implement deletion policies

Flow down contract terms to vendors

Do not assume security ends upon termination

Creating contracts that work

Sample clause: Upon termination or expiration of this Agreement, Vendor shall delete all data and provide X with written confirmation of this deletion. Vendor shall also instruct any entities who have had access to the data to also delete it and provide Vendor with written certification of this deletion. The security obligations set out in this Agreement shall survive termination or expiration of this Agreement until such time as the data is completely deleted by Vendor and/or Vendor's suppliers. Vendor shall require this provision, or one similarly protective of X's rights, in all its contracts with suppliers or other vendors who provide aspects of the Services.

Callout: When your agreement terminates, rights relating to the data terminate.

Creating contracts that work

Addressing uncertain regulations

Limited collection of sensitive data
Security measures appropriate to the data
Disposed of / deleted
Disclosure events considered

Toolkit

Determine how services will be used
Evaluate cloud structure
Understand data collection, processing and transfer
Security breach notification
High-risk regulatory areas
Disposition of data on termination

Thanks for coming!


W. David Snead
Attorney + Counselor Washington, D.C. Tactical Legal Advice for Internet Business
E: david.snead@dsnead.com
T: @wdsneadpc
Blog: thewhir.com/blogs
