Perkins Coie LLP
Allocating Risk for Privacy and Data Security in Commercial Contracts and Related Insurance Implications
June 23, 2016
Presented by:
Selena J. Linde
George Galt
Aaron Coombs
Perkins Coie LLP | PerkinsCoie.com 2
Presenter: Selena Linde
Selena Linde is a Partner in Perkins Coie's Insurance Recovery Practice and
is a primary author and editor of the Association of Corporate Counsel's
Policyholders Primer on Insurance. Ms. Linde has been honored as one of
twenty-five worldwide recipients of Business Insurance's Women to Watch,
one of eleven National Insurance Stars and one of the top 150 Women
Litigators by Benchmark Plaintiff.
Ms. Linde has recovered more than a billion dollars for her clients and has an
active trial practice representing policyholders in complex insurance
coverage cases throughout the country and an equally active arbitration,
mediation, and counseling practice. Selected representations include:
• Lead Coverage Counsel for a Global 50 Pharmaceutical (D&O Claims related to
Government Investigations and Anti-Trust Suits)
• Lead Coverage Counsel for Hospitality Company (Data/Privacy and Property Claims)
• Lead Coverage Counsel for Residential Capital (E&O and D&O Claims related to
packaging of mortgage backed securities)
• Lead Counsel NorthWestern Energy (CGL, D&O, Property, and EPL Claims)
• Co-lead Counsel Motors Liquidation Trust (CGL claims related to historical asbestos
and environmental liability for pre-BK General Motors)
Join Ms. Linde's LinkedIn network for updates and articles on insurance
coverage topics. She can be reached directly at (202) 654-6221 or
Presenter: George Galt
George Galt is an Assistant General Counsel at AOL
where he supports the advertising group. In that
capacity, he negotiates agreements regarding data
gathered through websites, applications and business
interactions. Prior to AOL, George was the Associate
General Counsel at The Associated Press managing
the business transactions unit. He provided legal
support for AP’s efforts to gather behavior data
regarding news usage and helped AP to develop a
rights expression language to support automated
content transactions. Prior to AP, George was in
private practice at Drinker, Biddle & Reath. He can
be reached at [email protected].
Presenter: Aaron Coombs
Aaron Coombs is Counsel in Perkins Coie’s Insurance Recovery practice
group. He has helped clients maximize their insurance assets under many
different types of policies—from spacecraft to cyber, property to casualty, and
many others. He routinely counsels clients when purchasing insurance, and
has extensive proficiency in identifying gaps in coverage and negotiating the
terms and conditions for cyber-risk and management liability (D&O)
insurance policies. He also helps clients with additional insured and
contractual indemnification issues.
Aaron has helped clients recover insurance proceeds for product liability
claims, product recalls, government investigations, employment
discrimination, as well as cases involving alleged violations of the Fair Labor
Standards Act, Sherman Antitrust Act, and False Claims Act. Aaron is
currently working on several cyber-risk insurance claims for clients that
experienced malicious hacking attacks, as well as several product recall
claims. He can be reached directly at (202) 654-6246 or
Introduction
Heightened state of data and IT security
How to protect your company
Landscape of contract negotiations on data and IT security
Avoiding the pitfalls of 3rd parties dictating your company’s policies: allocation of risk and contract tips
Heightened State of Data and IT Security
Public Breaches
Regulators
What is Data?
What is PII?
How Do You Protect Your Company?
Breach response plan
Insurance
• application requirements
• problematic exclusions
Contract Negotiations on Data & IT Security
Broadened clauses of indemnification
Third party standards
Security audits
Reps and warranties
Allocation of Risk and Contract Tips
Your own insurance policies
Your contracts
Cyber Risk/Privacy Policies
Coverage Grants Vary Greatly
"First-Party" Coverage:
• Losses due to destroyed or damaged data; data restoration
• Business Interruption
• Extortion demands
"Third-Party" Coverage
• Privacy Liability
• Unauthorized disclosure of confidential information
• Costs to investigate breaches, satisfy notification obligations,
defend against regulatory proceedings
Available Coverage Components
Network Security Liability: Third-party liability resulting from a failure of your network security to protect against destruction, deletion or corruption of third-party electronic data; denial of service attacks against internet sites or computers; or transmission of viruses to third-party computers and systems.
Privacy Liability: Liability to a third party as a result of your failure to properly handle, manage, store or otherwise control personally identifiable information, corporate information identified as confidential and protected under a nondisclosure agreement, and unintentional violation of privacy regulations.
Crisis Management & Identity Theft Response Fund: Expenses to comply with privacy regulations, such as communication to and credit monitoring services for affected customers. This also includes expenses incurred in retaining a crisis management firm for the purpose of protecting/restoring your reputation as a result of the actual or alleged violation of privacy regulations.
Cyber Extortion: Ransom or investigative expenses associated with a threat directed at you to release, divulge, disseminate, destroy, steal, or use the confidential information taken from the insured; introduce malicious code into your computer system; corrupt, damage, or destroy your computer system; or restrict or hinder access to your computer system.
Network Business Interruption: Reimbursement of your own loss of income and/or extra expense resulting from an interruption or suspension of your systems due to a failure of network security to prevent a security breach.
Data Asset Protection: Recovery of your costs and expenses incurred to restore, recreate, or regain access to any software or electronic data from back-ups or from originals, or to gather, assemble and recreate such software or electronic data from other sources, to the level or condition in which it existed immediately prior to its alteration, corruption, destruction, deletion, or damage.
Negotiate Insurance Policy Language
Coverage Grants Vary Greatly
• No standard form language
• Customize and do not buy off the shelf policies
Ensure your policy covers cyber losses not resulting from “theft”
Review proposed policy language with a critical eye
• Who is the insured?
• How are defense costs treated?
• Who chooses defense counsel and breach response firms?
• What is the retroactive date?
• Are you comfortable with the proposed sublimits?
Negotiate Insurance Policy Language
Be Wary of Certain Exclusions
• Terrorism and war
• Regulatory actions
• Breach of contract (PCI-DSS?)
• Fines and penalties
• Third-party vendor
• Insured vs. insured
• Misappropriation of intellectual property
Eliminate Duplicate Coverages
Do Your Traditional Policies Cover Cyber/Privacy Risks?
Many Facets of a Data Breach: Multiple Policies May Respond
Errors & Omissions (E&O)/Professional Liability
Directors and Officers (D&O)
Fidelity
Commercial General Liability
New ISO CGL data breach exclusions
Property
Other Policies/Indemnification Agreements
Model Contract Provisions: Privacy, Data Security, and Insurance
Framework to address privacy and data security and insurance in the context of an agreement between Company and a service provider or vendor
Vendor/service provider will have access to Company information, information related to Company information or other confidential information of Company
Model Contract Provisions: Privacy, Data Security, and Insurance
NOTE: sample provisions must be tailored and supplemented to fit particular facts and circumstances
If Company will also be hosting vendor data, you may not be willing or able to make many of the provisions we will discuss mutual, because hosting or storing information on behalf of other companies is not Company's business.
Model Contract Provisions: Privacy, Data Security, and Insurance
Confidentiality Provisions
Security of Personal Information Provisions
Establishing Contractual Insurance Provisions
Confidentiality Provisions
Confidentiality Provisions
• Definition
• Marking
• Survival
• Return or Destruction
• Boilerplate Confidentiality Carve Outs
• Ownership and Use
Confidentiality Provisions
Definition of Confidentiality
• Must capture all sensitive data
• Also protect information that a party should reasonably understand to be of a confidential nature
Marking
• Tangible medium
• Specify handling procedures
• Oral Information
Confidentiality Provisions
Survival
• Must survive termination of the Agreement (non-negotiable)
Ownership and Use
• Limit to purpose for which it was provided
• Specify recipient does not own
Confidentiality Provisions
Return or Destruction
• Company should elect at time of termination or request
• Consider how confidential information will be transmitted, and where copies may be retained (e.g. email / corporate server backups, etc.)
• Certificate of destruction
Confidentiality Provisions
BE CAREFUL of Boilerplate Carve-Outs
• Typically carve out certain information
• Publicly available through no fault of Vendor/Service Provider
• Disclosed via breach or other wrongful act: provisions still apply to the use of the information
Security of Personal Information Provisions
• Company Information
• Representations, Warranties and Covenants
• Audit rights
• Remedies for breach
• Security Breach Notification
• Subcontractors and Flow-Down Provisions
• Location of Data/Employee Issues
• Disaster Recovery
Company Information
Company exclusively owns all Company Information. "Company Information" is any
information about persons or entities that Vendor obtains in any manner from any
source under this Agreement, which concerns prospective and existing customers or
employees of (1) Company, (2) Company's affinity marketing partners, (3) Company’s
contracting parties and (4) Company’s suppliers. Company Information includes,
without limitation, names, addresses, telephone numbers, e-mail addresses, social
security numbers, credit card numbers, call-detail information, purchase information,
product and service usage information, frequent flier information, account information,
credit information, demographic information and any other personally identifiable
information. Company Information is the Confidential Information of Company under
the Agreement. Vendor (a) may collect, store, access, use, process, maintain and
disclose Company Information only to fulfill its performance obligations under the
Agreement and for no other purpose, and (b) shall, without limiting any other
obligations applicable to Company Information hereunder, treat all Company
Information as Confidential Information of Company. For this Agreement, the acts or
omissions of Vendor and anyone with which it is associated (e.g., employees of
Vendor and its subsidiaries and affiliates, and Vendor's agents and approved
contractors and subcontractors, and their respective employees) are Vendor’s acts or
omissions.
Representations, Warranties and Covenants
Compliance with Applicable Laws
Vendor hereby represents and warrants that it is and will remain in compliance with all applicable domestic laws, including without limitation any national, regional and local laws, and all applicable international laws ("Applicable Laws") and that it will not cause Company to be in material violation of any Applicable Laws.
Vendor represents and warrants that Vendor is not and has not been a party to any current, pending, threatened or resolved enforcement action of any government agency, or any consent decree or settlement with any governmental agency or private person or entity regarding any Security Breach (defined below) or otherwise regarding data privacy or information security.
Representations, Warranties and Covenants
Compliance with Industry Rules or Guidelines
If Vendor processes, stores, transmits or has access to Company Information that includes payment information (including, without limitation, credit card, debit card, or financial account information), Vendor represents and warrants that it is, and will remain, in compliance with the data security rules of any applicable payment network or organization, including, but not limited to, (1) the Payment Card Industry Data Security Standard for protecting credit and debit cardholder information, as the same may be amended, updated, replaced or augmented, and (2) the NACHA Operating Rules, developed and administered by NACHA—The Electronic Payments Association, for protecting financial account information and the Automated Clearing House network, as they may be amended, updated, replaced or augmented.
Representations, Warranties and Covenants
Vendor should be required to:
• Use administrative, physical and technical safeguards that prevent any unauthorized collection, use or disclosure of, or access to, Company Information
• Implement and maintain an information security program to protect Company Information
• Can be covenant or representation and warranty
• Strict Liability—Vendor “fully responsible”
Representations, Warranties and Covenants: Security
Vendor is fully responsible for any authorized or unauthorized collection, storage, disclosure
and use of, and access to, Company Information.
Vendor shall implement and maintain administrative, physical and technical safeguards
("Safeguards") that prevent any collection, use or disclosure of, or access to, Company
Information that this Agreement does not expressly authorize, including, without limitation, an
information security program that meets the highest standards of best industry practice to
safeguard Company Information. Such information security program will include, without
limitation, (i) adequate physical security of all premises in which Company Information will be
processed and/or stored; (ii) reasonable precautions taken with respect to the employment of
and access given to Vendor personnel, including background checks and security clearances
that assign specific access privileges to individuals, training employees on the proper use of
Vendor’s computer systems and the importance of personal information security, and restricting
access to records and files containing Company Information to those who need such
information to perform their job duties; and (iii) an appropriate network security program,
including designation of one or more employees to coordinate the security program, monitoring
of systems for unauthorized use of, or access to, personal information, appropriate access and
data integrity controls, testing and auditing of all controls, appropriate corrective action and
incident response plans, and encryption of all records and files containing personal information
that will travel across public networks, be transmitted wirelessly, or be transmitted outside of
the secure system of the business; and (iv) encryption of all Company Information stored on
laptops and other portable devices.
Representations, Warranties and Covenants
Compliance with Company Policies
• Vendor should comply with your company’s written privacy and security policies
• Provide policy not less than 30 days prior to effective date of policies
• Compliance does not relieve Vendor of duties to protect Company Information or other Confidential Information
Representations, Warranties and Covenants
Prior Audits
• Require vendor to represent and warrant that its network, systems and premises have undergone annual audits
• Audits did not reveal vulnerabilities!
• What if Vendor objects to materiality standard?
• Will vendor agree to use language of audit standard?
• Provide copies of audits?
• Provide summaries?
Representations, Warranties and Covenants
Disclosure of Prior Breaches
• Require vendor to represent and warrant no prior security breaches or disclosure
• Prior enforcement actions?
• Non-mutual provisions
Representations, Warranties and Covenants
Disclosure of Prior Breaches:
Vendor represents and warrants that the Vendor Systems have (a) not suffered any actual, probable or reasonably suspected breach of any safeguards or of any other actual, probable or reasonably suspected unauthorized access to or acquisition, use, loss, destruction, compromise or disclosure of any information maintained on the Vendor Systems (each, a "Security Breach"); or (b) if the Vendor Systems have suffered one or more Security Breaches, that Vendor has disclosed each Security Breach to Company.
Vendor represents and warrants that Vendor is not and has not been a party to any current, pending, threatened or resolved enforcement action of any government agency, or any consent decree or settlement with any governmental agency or private person or entity regarding any Security Breach or otherwise regarding data or information security.
Representations, Warranties and Covenants
NO overriding disclaimers!
Audit Rights
Is Vendor hosting sensitive or mission critical data?
• Annual 3rd party audits
• Report audit results
• Promptly correct vulnerabilities
• Right to terminate for breach of this provision?
• Liquidated damages?
Audit Rights
Independent Auditor Costs
Visitation and Inspection Right
Remedies for Breach
• Injunctive Relief
• Liquidated Damages
• Termination
• Indemnification
• Limitation of Liability
Security Breach Notification
• Definition
• Notification
• Point of Contact
• Notice of Third-Party Legal Process
• Expense Responsibilities
Subcontractors and Flow-Down Provisions
• Prior approval
• All data security provisions must flow down
• Necessary to fulfill subcontractor obligations
• Notification
• Require express consent?
Location of Data/Employee Issues
Domestic or Overseas Storage
• Requirements Applicable to Overseas Storage and Processing
• EU Safe Harbor / EU-US Privacy Shield
• Additional Requirements
• US Citizenship or Permanent Residence
• No Citizenship or Permanent Residence
• Requirement/Prohibition on Access by Individuals on Export Control Lists
Disaster Recovery
During the term of this Agreement, Vendor shall implement and
maintain a disaster recovery plan that ensures that all Company
Confidential Information in Vendor's possession or control at a
given time is capable of being recovered, and that the integrity of
all such recovered Company Confidential Information is retained,
in the event that Vendor's network, systems or other facilities
experience a Security Breach or any significant interruption or
impairment of operation or any loss, deletion, corruption or
alteration of data ("Disaster Recovery Plan"). Vendor shall, at
minimum, conduct annual internal information security audits of
its Disaster Recovery Plan and certify the results of each such
audit to Company within ten (10) days of completing each such
audit.
Service Level Agreement Issues
Data storage
Encryption
Access logging
Records monthly/on request
Model Insurance Requirements
Establishing Contractual Insurance Provisions:
• General Recommendations for all Maintenance of Insurance Provisions
• Types of Insurance Coverage to Consider Including in Maintenance of Insurance Provisions
• Minimum Insurance Provision Recommended
Contractual Insurance Provisions
• What kind of work is being done?
• Types of potential losses or accidents?
• Worst case scenario?
• Is the entity responsible for the risk the same entity in the best position to control the risk?
• Additional insured status?
• Limits?
Contractual Insurance Provisions
• Licensed and approved in states
• Minimum A.M. Best Rating
• Additional Insured status
• Primary and non-contributory
• Notice of cancellation/renewal
• Evidence of Insurance
• Indemnification excess of insurance
Types of Policies to Consider
• Cyber Risk/Privacy Policies
• Errors and Omissions
• Commercial General Liability
• Workers Compensation
Questions?
Selena J. Linde 202-654-6221
Aaron Coombs 202-654-6246