Post on 20-Jan-2016
THE CLOUD
Risks and Benefits from the Business, Legal and Technology Perspective
September 11, 2013
KEVIN M. LEVY, ESQ. (klevy@gunster.com)
GUNSTER YOAKLEY & STEWART, P.A.
ROAD MAP
Benefits
Identify and Evaluate Risk
Mitigate Risk:
▪ Policies and Procedures
▪ Due Diligence
▪ Contracting:
▪ Negotiation
▪ Monitoring
▪ Breach Preparation and Response
DATA
Control:
▪ Where is the data?
▪ What jurisdictional law(s) control(s)?
Privacy, Security and Segregation
Integrity
Ownership
Breach
Destruction
Back-up / Recovery:
▪ Whose responsibility?
NETWORK
Access:
▪ Internet down or facility offline
▪ Law enforcement investigation (e.g., Megaupload)
Continuity
Redundancy and Back-up
Security
REGULATORY COMPLIANCE
Financial Institutions:
▪ Gramm-Leach-Bliley Act (GLBA)
▪ Privacy Act and Regulation P
▪ Fair Credit Reporting Act (FCRA)
▪ Fair and Accurate Credit Transactions Act (FACTA)
▪ Bank Secrecy Act
▪ State Laws - FL St. Section 655.059
Healthcare (applies to Business Associates):
▪ HIPAA
▪ HITECH Act
State Laws:
▪ Massachusetts – MA 201 CMR 17.00
▪ California – various
OTHER RISKS:
Audits
Bankruptcy
Litigation:
▪ e-discovery
Loss of leverage
Non-Negotiable Contracts
Tax Implications
Policies and Procedures:
▪ Clear and Up-To-Date
▪ Contingency Plan(s)
Thorough Due Diligence
Detailed Contract
▪ Address “hidden” issues
Insurance:
▪ Request specific plan for storage and transmission of electronic data and information security (“Cyber Policy”)
Breach Preparation and Response
Research, adopt (adapt) and develop applicable policies and procedures
Appoint team and train: IT, accounting, business, legal and PR
PRACTICE, PRACTICE, PRACTICE
Review and Update:
▪ Learn from circumstances
▪ Periodic audits
Contingency Plans:
▪ Business Continuity Plan (BCP)
▪ Disaster Recovery
▪ “Exit Strategy”
KYV / KYP - Research and get to know your vendors (service providers)
Require applicable SSAE 16 SOC report
Gather internal/external team of knowledgeable professionals to conduct internal discussions to assess vulnerabilities, risks and needs (IT, accounting, business and legal)
Confirm qualifications
Ask questions of the vendor until you clearly understand
Run performance and security tests
Evaluate privacy and confidentiality concerns
Negotiate and Document “clear”:
▪ Terms and Conditions
▪ Notice and transition periods
▪ Scope of services
▪ Service levels (SLAs)
▪ Flexibility to add services and service levels
▪ Requirement of service provider to provide annual audit
▪ Requirement of service provider to provide additional / updated audit if services added to engagement
▪ Confidentiality
▪ Privacy and Security
▪ Encryption
▪ Data breach notification protocol
▪ Limitation on use of subcontractors
▪ Clear and complete force majeure clauses
▪ Representations and Warranties
▪ Indemnification
▪ Insurance requirements
▪ Termination provisions
▪ Remedy for breach
Monitor:
▪ Relationship with service providers
▪ Audits
▪ Services provided
▪ Service levels
Amendments:
▪ When applicable, timely add clear description of additional services and service levels
Security Breach Notification protocols:
▪ 46 of 50 states
▪ Fl. St. Section 817.5681
Breach notification process:
▪ Gather Team
▪ Investigate
▪ Evaluate
▪ Decide
▪ Proceed
▪ Provide notice and/or document files
▪ Report to regulators as applicable
Failure to comply can lead to:
Marketing issues and loss of market share
Regulatory issues:
▪ Warning notices and sanctions
▪ SEC data breach disclosure requirements
Professional liability claims
Added compliance costs
Reduced shareholder value
“DO NOT BE PENNY-WISE AND POUND FOOLISH.”
How to avoid a breach or failure to comply?
Implement, enhance and maintain a meaningful Vendor Management Program
Get knowledgeable counsel involved early