The details matter: Security laws that demand attention
Transcript of The details matter: Security laws that demand attention
-
7/29/2019 The details matter: Security laws that demand attention
1/28
The details matter: Security laws that demand attention
Cloud Security Alliance New York City
W. David Snead, Attorney + Counselor, Washington, D.C.
Tactical Legal Advice for Internet Business
-
Roadmap
What is a breach?
What is security?
Who is covered?
How are third parties treated?
How is risk transferred?
-
What is a breach?
Confidentiality
Integrity
Access
-
What is security?
Methods of protecting information: administrative, technical, physical
The definition of confidential is crucial
-
Regulatory climate
Sectoral based, reactive, generally state based, narrowly tailored
Issue based, proactive, national implementation
-
HIPAA
Specific safeguards
Protect against reasonably anticipated uses
Ensure that workforce complies with rule
Civil penalties
Actions by state AG
HHS investigations
-
GLB
Security and confidentiality of customer information
Protect against anticipated threats or hazards to security and integrity
Protect against unauthorized access or use.
-
FCRA
Identification / authentication procedures
Disposal rules
Procedures to ensure accuracy
Integrity / accuracy of information sent out
Attempts to prevent impersonation fraud.
-
FTC
Unfair or deceptive acts
-
COPPA
Secure webservers
Delete personal information after use
Limit employee access to data
Provide training
Screen third parties
-
Massachusetts sets standard
Focus on identification numbers
Increasingly includes biometric
No private right of action
Nexus requirement
Encryption exemption
No exemption for de minimis disclosures
7 states with no law
-
Regulatory climate
Data governance laws are here to stay
Expectation that in some format data breach will be extended to cover not just telecoms
General data breach requirements in some EU Member States already
Accountability and transparency principles
Broad scope of definition of personal data
Cloud and jurisdictional challenges
The role of controllers and processors
-
EU Enforcement Priorities
Security and privacy rules with uniform standards: transparency, fairness, user control, certainty, proportionality
Tempered by: need for cloud adoption; fundamental right to data protection
-
Creating contracts that work
Break down your cloud transaction.
Understand what security means to you.
Define breach.
Decide what kind of snowflake you are.
-
Creating contracts that work
What will happen to the data on termination?
Where will the data be physically located?
Should jurisdiction be split?
How will data be collected, processed, transferred?
-
Creating contracts that work: Security
Define breach
Determine when a breach happens
Assume there will be data breach laws
Review any laws that may currently exist
Understand who will be responsible for security
Create enforceable contract terms
Remember post-termination issues
Understand that you may not be made whole
-
Creating contracts that work: Contract provisions
Breach: benign and malicious.
Breach: parties, third parties, subcontractors, vendors.
Breach laws: national, provincial.
Responsibility for security: parties, third parties, subcontractors, vendors.
Post-termination issues: data belongs to customer; breach liability extends post termination.
Security policy: made part of contract. Revisions subject to customer review. Flow down to subcontractors and vendors.
-
Creating contracts that work: Jurisdiction over the data
Jurisdiction over the contract: whose law governs; where the dispute is heard; change in judicial presumptions.
Jurisdiction over the data: data protection directive; export control laws.
-
Creating contracts that work: Choice of law
Split choice of law if you have differing regulatory obligations.
Sample clause: This Agreement shall be governed by the laws of the District of Columbia, without reference to its choice of law provisions. Jurisdiction and venue shall be proper before the U.S. District Court for the District of Columbia located in Washington, D.C. The parties agree not to contest notice from, or the jurisdiction of, this court. Notwithstanding the preceding sentences, the parties agree that all issues regarding the processing, transfer, protection and privacy of any information transferred from X or any End User to Vendor shall be governed by the laws of the United Kingdom. All disputes between the parties, and between a party and an End User regarding Vendor's access to this data shall be heard before the appropriate court located in London, United Kingdom.
-
Creating contracts that work: Termination
Create and implement deletion policies
Flow down contract terms to vendors
Do not assume security ends upon termination
-
Creating contracts that work: Termination
When agreement terminates, your rights terminate.
Sample clause: Upon termination or expiration of this Agreement, Vendor shall delete all data and provide X with written confirmation of this deletion. Vendor shall also instruct any entities who have had access to the data to also delete it and provide Vendor with written certification of this deletion. The security obligations set out in this Agreement relating to the data shall survive termination or expiration of this Agreement until such time as the data is completely deleted by Vendor and/or Vendor's suppliers. Vendor shall require this provision, or one similarly protective of X's rights, in all its contracts with suppliers or other vendors who provide aspects of the Services.
-
Creating contracts that work: Addressing uncertain regulations
Limited collection of sensitive data
Security measures appropriate to data
Disposed of / deleted
Disclosure events considered
-
Toolkit
Determine how services will be used
Evaluate cloud structure
Understand data collection, processing and transfer
Security breach notification
High risk regulatory areas
Disposition of data on termination
-
Thanks for coming!
W. David Snead, Attorney + Counselor, Washington, D.C.
Tactical Legal Advice for Internet Business
E: [email protected]
@wdsneadpc
Blog: thewhir.com/blogs