Perkins Coie LLP

Allocating Risk for Privacy and Data Security in Commercial Contracts and Related Insurance Implications

Presented by: Selena J. Linde, George Galt, Aaron Coombs

June 23, 2016

Perkins Coie LLP | PerkinsCoie.com 2

Presenter: Selena Linde

Selena Linde is a Partner in Perkins Coie's Insurance Recovery Practice and is a primary author and editor of the Association of Corporate Counsel's Policyholders Primer on Insurance. Ms. Linde has been honored as one of twenty-five worldwide recipients of Business Insurance's Women to Watch, one of eleven National Insurance Stars and one of the top 150 Women Litigators by Benchmark Plaintiff.

Ms. Linde has recovered more than a billion dollars for her clients and has an active trial practice representing policyholders in complex insurance coverage cases throughout the country and an equally active arbitration, mediation, and counseling practice. Selected representations include:

• Lead Coverage Counsel for a Global 50 Pharmaceutical (D&O Claims related to Government Investigations and Anti-Trust Suits)

• Lead Coverage Counsel for Hospitality Company (Data/Privacy and Property Claims)

• Lead Coverage Counsel for Residential Capital (E&O and D&O Claims related to packaging of mortgage backed securities)

• Lead Counsel NorthWestern Energy (CGL, D&O, Property, and EPL Claims)

• Co-lead Counsel Motors Liquidation Trust (CGL claims related to historical asbestos and environmental liability for pre-BK General Motors)

Join Ms. Linde's LinkedIn network for updates and articles on insurance coverage topics. She can be reached directly at (202) 654-6221 or [email protected].

Presenter: George Galt

George Galt is an Assistant General Counsel at AOL where he supports the advertising group. In that capacity, he negotiates agreements regarding data gathered through websites, applications and business interactions. Prior to AOL, George was the Associate General Counsel at The Associated Press managing the business transactions unit. He provided legal support for AP’s efforts to gather behavior data regarding news usage and helped AP to develop a rights expression language to support automated content transactions. Prior to AP, George was in private practice at Drinker, Biddle & Reath. He can be reached at [email protected].

Presenter: Aaron Coombs

Aaron Coombs is Counsel in Perkins Coie’s Insurance Recovery practice group. He has helped clients maximize their insurance assets under many different types of policies—from spacecraft to cyber, property to casualty, and many others. He routinely counsels clients when purchasing insurance, and has extensive proficiency in identifying gaps in coverage and negotiating the terms and conditions for cyber-risk and management liability (D&O) insurance policies. He also helps clients with additional insured and contractual indemnification issues.

Aaron has helped clients recover insurance proceeds for product liability claims, product recalls, government investigations, employment discrimination, as well as cases involving alleged violations of the Fair Labor Standards Act, Sherman Antitrust Act, and False Claims Act. Aaron is currently working on several cyber-risk insurance claims for clients that experienced malicious hacking attacks, as well as several product recall claims. He can be reached directly at (202) 654-6246 or [email protected]

Introduction

Heightened state of data and IT security

How to protect your company

Landscape of contract negotiations on data and IT security

Avoiding the pitfalls of 3rd parties dictating your company’s policies: allocation of risk and contract tips

Heightened State of Data and IT Security

Public Breaches

Regulators

What is Data?

What is PII?

How Do You Protect Your Company?

Breach response plan

Insurance

• application requirements

• problematic exclusions

Contract Negotiations on Data & IT Security

Broadened clauses of indemnification

Third party standards

Security audits

Reps and warranties

Allocation of Risk and Contract Tips

Your own insurance policies

Your contracts

Cyber Risk/Privacy Policies

Coverage Grants Vary Greatly

"First-Party" Coverage:

• Losses due to destroyed or damaged data; data restoration

• Business Interruption

• Extortion demands

"Third-Party" Coverage

• Privacy Liability

• Unauthorized disclosure of confidential information

• Costs to investigate breaches, satisfy notification obligations,

defend against regulatory proceedings

Available Coverage Components

Network Security Liability: Third-party liability resulting from a failure of your network security to protect against destruction, deletion or corruption of third-party electronic data; denial of service attacks against internet sites or computers; or transmission of viruses to third-party computers and systems.

Privacy Liability: Liability to a third party as a result of your failure to properly handle, manage, store or otherwise control personally identifiable information, corporate information identified as confidential and protected under a nondisclosure agreement, and unintentional violation of privacy regulations.

Crisis Management & Identity Theft Response Fund: Expenses to comply with privacy regulations, such as communication to and credit monitoring services for affected customers. This also includes expenses incurred in retaining a crisis management firm for the purpose of protecting/restoring your reputation as a result of the actual or alleged violation of privacy regulations.

Cyber Extortion: Ransom or investigative expenses associated with a threat directed at you to release, divulge, disseminate, destroy, steal, or use the confidential information taken from the insured; introduce malicious code into your computer system; corrupt, damage, or destroy your computer system; or restrict or hinder access to your computer system.

Network Business Interruption: Reimbursement of your own loss of income and/or extra expense resulting from an interruption or suspension of your systems due to a failure of network security to prevent a security breach.

Data Asset Protection: Recovery of your costs and expenses incurred to restore, recreate, or regain access to any software or electronic data from back-ups or from originals, or to gather, assemble and recreate such software or electronic data from other sources, to the level or condition in which it existed immediately prior to its alteration, corruption, destruction, deletion, or damage.

Negotiate Insurance Policy Language

Coverage Grants Vary Greatly

• No standard form language

• Customize and do not buy off the shelf policies

Ensure your policy covers cyber losses not resulting from “theft”

Review proposed policy language with a critical eye

• Who is the insured?

• How are defense costs treated?

• Who chooses defense counsel and breach response firms?

• What is the retroactive date?

• Are you comfortable with the proposed sublimits?

Negotiate Insurance Policy Language

Be Wary of Certain Exclusions

• Terrorism and war

• Regulatory actions

• Breach of contract (PCI-DSS?)

• Fines and penalties

• Third-party vendor

• Insured vs. insured

• Misappropriation of intellectual property

Eliminate Duplicate Coverages

Do Your Traditional Policies Cover Cyber/Privacy Risks?

Many Facets of a Data Breach: Multiple Policies May Respond

Errors & Omissions (E&O)/Professional Liability

Directors and Officers (D&O)

Fidelity

Commercial General Liability

New ISO CGL data breach exclusions

Property

Other Policies/Indemnification Agreements

Model Contract Provisions: Privacy, Data Security, and Insurance

Framework to address privacy and data security and insurance in the context of an agreement between Company and a service provider or vendor

Vendor/service provider will have access to Company information, information related to Company information or other confidential information of Company

Model Contract Provisions: Privacy, Data Security, and Insurance

NOTE: sample provisions must be tailored and supplemented to fit particular facts and circumstances

If Company will also be hosting vendor data, you may not be willing or able to make many of the provisions we will discuss mutual, because hosting or storing information on behalf of other companies is not Company's business.

Model Contract Provisions: Privacy, Data Security, and Insurance

Confidentiality Provisions

Security of Personal Information Provisions

Establishing Contractual Insurance Provisions

Confidentiality Provisions

Confidentiality Provisions

• Definition

• Marking

• Survival

• Return or Destruction

• Boilerplate Confidentiality Carve Outs

• Ownership and Use

Confidentiality Provisions

Definition of Confidentiality

• Must capture all sensitive data

• Also protect information that a party should reasonably understand to be of a confidential nature

Marking

• Tangible medium

• Specify handling procedures

• Oral Information

Confidentiality Provisions

Survival

• Must survive termination of the Agreement (non-negotiable)

Ownership and Use

• Limit to purpose for which it was provided

• Specify recipient does not own

Confidentiality Provisions

Return or Destruction

• Company should elect at time of termination or request

• Consider how confidential information will be transmitted, and where copies may be retained (e.g. email / corporate server backups, etc.)

• Certificate of destruction

Confidentiality Provisions

BE CAREFUL of Boilerplate Carve-Outs

• Typically carve out certain information

• Publicly available through no fault of Vendor/Service Provider

• Disclosed via breach or other wrongful act—provisions still apply to the use of the information

Security of Personal Information Provisions

• Company Information

• Representations, Warranties and Covenants.

• Audit rights

• Remedies for breach

• Security Breach Notification

• Subcontractors and Flow-Down Provisions

• Location of Data/Employee Issues

• Disaster Recovery

Company Information

Company exclusively owns all Company Information. "Company Information" is any information about persons or entities that Vendor obtains in any manner from any source under this Agreement, which concerns prospective and existing customers or employees of (1) Company, (2) Company's affinity marketing partners, (3) Company’s contracting parties and (4) Company’s suppliers. Company Information includes, without limitation, names, addresses, telephone numbers, e-mail addresses, social security numbers, credit card numbers, call-detail information, purchase information, product and service usage information, frequent flier information, account information, credit information, demographic information and any other personally identifiable information. Company Information is the Confidential Information of Company under the Agreement. Vendor (a) may collect, store, access, use, process, maintain and disclose Company Information only to fulfill its performance obligations under the Agreement and for no other purpose, and (b) shall, without limiting any other obligations applicable to Company Information hereunder, treat all Company Information as Confidential Information of Company. For this Agreement, the acts or omissions of Vendor and anyone with which it is associated (e.g., employees of Vendor and its subsidiaries and affiliates, and Vendor's agents and approved contractors and subcontractors, and their respective employees) are Vendor’s acts or omissions.

Representations, Warranties and Covenants

Compliance with Applicable Laws

Vendor hereby represents and warrants that it is and will remain in compliance with all applicable domestic laws, including without limitation any national, regional and local laws, and all applicable international laws ("Applicable Laws") and that it will not cause Company to be in material violation of any Applicable Laws.

Vendor represents and warrants that Vendor is not and has not been a party to any current, pending, threatened or resolved enforcement action of any government agency, or any consent decree or settlement with any governmental agency or private person or entity regarding any Security Breach (defined below) or otherwise regarding data privacy or information security.

Representations, Warranties and Covenants

Compliance with Industry Rules or Guidelines

If Vendor processes, stores, transmits or has access to Company Information that includes payment information (including, without limitation, credit card, debit card, or financial account information), Vendor represents and warrants that it is, and will remain, in compliance with the data security rules of any applicable payment network or organization, including, but not limited to, (1) the Payment Card Industry Data Security Standard for protecting credit and debit cardholder information, as the same may be amended, updated, replaced or augmented, and (2) the NACHA Operating Rules, developed and administered by NACHA—The Electronic Payments Association, for protecting financial account information and the Automated Clearing House network, as they may be amended, updated, replaced or augmented.

Representations, Warranties and Covenants

Vendor should be required to:

• Use administrative, physical and technical safeguards that prevent any unauthorized collection, use or disclosure of, or access to, Company Information

• Implement and maintain an information security program to protect Company Information

• Can be covenant or representation and warranty

• Strict Liability—Vendor “fully responsible”

Representations, Warranties and Covenants: Security

Vendor is fully responsible for any authorized or unauthorized collection, storage, disclosure and use of, and access to, Company Information.

Vendor shall implement and maintain administrative, physical and technical safeguards ("Safeguards") that prevent any collection, use or disclosure of, or access to, Company Information that this Agreement does not expressly authorize, including, without limitation, an information security program that meets the highest standards of best industry practice to safeguard Company Information. Such information security program will include, without limitation, (i) adequate physical security of all premises in which Company Information will be processed and/or stored; (ii) reasonable precautions taken with respect to the employment of and access given to Vendor personnel, including background checks and security clearances that assign specific access privileges to individuals, training employees on the proper use of Vendor’s computer systems and the importance of personal information security, and restricting access to records and files containing Company Information to those who need such information to perform their job duties; (iii) an appropriate network security program, including designation of one or more employees to coordinate the security program, monitoring of systems for unauthorized use of, or access to, personal information, appropriate access and data integrity controls, testing and auditing of all controls, appropriate corrective action and incident response plans, and encryption of all records and files containing personal information that will travel across public networks, be transmitted wirelessly, or be transmitted outside of the secure system of the business; and (iv) encryption of all Company Information stored on laptops and other portable devices.

Representations, Warranties and Covenants

Compliance with Company Policies

• Vendor should comply with your company’s written privacy and security policies

• Provide policy not less than 30 days prior to effective date of policies

• Compliance does not relieve Vendor of duties to protect Company Information or other Confidential Information

Representations, Warranties and Covenants

Prior Audits

• Require vendor to represent and warrant that its network, systems and premises have undergone annual audits

• Audits did not reveal vulnerabilities!

• What if Vendor objects to materiality standard?

• Will vendor agree to use language of audit standard?

• Provide copies of audits?

• Provide summaries?

Representations, Warranties and Covenants

Disclosure of Prior Breaches

• Require vendor to represent and warrant no prior security breaches or disclosure

• Prior enforcement actions?

• Non-mutual provisions

Representations, Warranties and Covenants

Disclosure of Prior Breaches:

Vendor represents and warrants that the Vendor Systems have (a) not suffered any actual, probable or reasonably suspected breach of any safeguards or of any other actual, probable or reasonably suspected unauthorized access to or acquisition, use, loss, destruction, compromise or disclosure of any information maintained on the Vendor Systems (each, a "Security Breach"); or (b) if the Vendor Systems have suffered one or more Security Breaches, that Vendor has disclosed each Security Breach to Company.

Vendor represents and warrants that Vendor is not and has not been a party to any current, pending, threatened or resolved enforcement action of any government agency, or any consent decree or settlement with any governmental agency or private person or entity regarding any Security Breach or otherwise regarding data or information security.

Representations, Warranties and Covenants

NO overriding disclaimers!

Audit Rights

Is Vendor hosting sensitive or mission critical data?

• Annual 3rd party audits

• Report audit results

• Promptly correct vulnerabilities

• Right to terminate for breach of this provision?

• Liquidated damages?

Audit Rights

Independent Auditor Costs

Visitation and Inspection Right

Remedies for Breach

• Injunctive Relief

• Liquidated Damages

• Termination

• Indemnification

• Limitation of Liability

Security Breach Notification

• Definition

• Notification

• Point of Contact

• Notice of Third-Party Legal Process

• Expense Responsibilities

Subcontractors and Flow-Down Provisions

• Prior approval

• All data security provisions must flow down

• Necessary to fulfill subcontractor obligations

• Notification

• Require express consent?

Location of Data/Employee Issues

Domestic or Overseas Storage

• Requirements Applicable to Overseas Storage and Processing

• EU Safe Harbor / EU-US Privacy Shield

• Additional Requirements

• US Citizenship or Permanent Residence

• No Citizenship or Permanent Residence

• Requirement/Prohibition on Access by Individuals on Export Control Lists

Disaster Recovery

During the term of this Agreement, Vendor shall implement and maintain a disaster recovery plan that ensures that all Company Confidential Information in Vendor's possession or control at a given time is capable of being recovered, and that the integrity of all such recovered Company Confidential Information is retained, in the event that Vendor's network, systems or other facilities experience a Security Breach or any significant interruption or impairment of operation or any loss, deletion, corruption or alteration of data ("Disaster Recovery Plan"). Vendor shall, at minimum, conduct annual internal information security audits of its Disaster Recovery Plan and certify the results of each such audit to Company within ten (10) days of completing each such audit.

Service Level Agreement Issues

Data storage

Encryption

Access logging

Records monthly/on request

Model Insurance Requirements

Establishing Contractual Insurance Provisions:

• General Recommendations for all Maintenance of Insurance Provisions

• Types of Insurance Coverage to Consider Including In Maintenance of Insurance Provisions

• Minimum Insurance Provision Recommended

Contractual Insurance Provisions

• What kind of work is being done?

• Types of potential losses or accidents?

• Worst case scenario?

• Is entity responsible for the risk the same entity in the best position to control the risk?

• Additional insured status?

• Limits?

Contractual Insurance Provisions

• Licensed and approved in states

• Minimum A.M. Best Rating

• Additional Insured status

• Primary and non-contributory

• Notice of cancellation/renewal

• Evidence of Insurance

• Indemnification excess of insurance

Types of Policies to Consider

• Cyber Risk/Privacy Policies

• Errors and Omissions

• Commercial General Liability

• Workers Compensation

Questions?

Selena J. Linde 202-654-6221

Aaron Coombs 202-654-6246