William A. Tanenbaum, Association of Benefit Administrators, April 2015

Transcript of the presentation "How to Prevent IT Agreements from Causing Data Security Breaches"

Page 1: How to Prevent IT Agreements from Causing Data Security Breaches

William A. Tanenbaum, Head, IP & Technology Transactions Group

Page 2: Role of IT in Data Security Breaches

• 2013 Trustwave Global Security Report on 450 database breaches found that:

– 63% due to third-party IT providers

– IT providers’ practices caused security deficiencies easily exploited by hackers

• Provider’s subcontractors are a common cause of breaches

• Risks are increasing because the following open more avenues for security attacks:

– Cloud (which is no longer a disruptive technology)

– Complex and evolving IT infrastructures with BYOD, mobile, etc.

– Multi-vendor IT environment

– Hidden sub-contracting and sub-outsourcing

– Connected devices and Internet of Things

Page 3: Consequences of Security Breaches

• Immediate IT remediation costs

• Costs of revising IT infrastructure

• Costs of payments to beneficiaries

• Notification requirements under state law

• Proceedings by State Attorneys General

• Defending class action suits as private remedy for data security failures

• Reputation harm

• Reduced economic returns

Page 4: Common Causes of IT Security Problems

• Cost of IT emphasized over potential cost of security failure

• Providers are inappropriately forced, by price evaluations, to offer reduced security

• Security protection is “baked in” to IT vendor’s product and service costs

• IT staff does not have an early role in the procurement/outsourcing process

• Lack of validation of providers’ RFP security responses

• Provider security team has no counterpart on the customer team

• Summary: evaluation of proposed providers focuses on costs and operational SLAs over security

Page 5: What to Do with Existing Contracts

• Conduct review of provisions (including SLAs) in existing IT and outsourcing agreements -- gap analysis

• Audit business practices against contractual requirements

• Audit old contract provisions against updated security policies

• Identify potential deficiencies

• Remediate through renegotiation (using liability as leverage)

• Determine and implement what is needed from the beneficiary side

Page 6: What to Do with New Contracts (Overview)

• Include up-to-date provisions in new agreements

• The provisions you should audit/review in existing agreements are the same ones that should go into agreements going forward

Page 7: Addressing Security Protection through Better Contracts

• Determine appropriate data security standards based on policies, regulatory environment and obligations to beneficiaries and others

• Determine appropriate objective security standards

• Determine how to embody security compliance in IT/outsourcing agreements

• Improve RFP and RFP evaluation process (and use leverage of RFP)

– (and use an NDA)

• Use down-select process to drill down into provider’s security capabilities

• Add specific security exhibit to contract

Page 8: Contractual Provision Checklist

• What will providers be required to do?

– Enact data security program

• Safeguards, procedures, controls for data, especially PII/customer data

– Comply with existing and future regulatory requirements

• Design in future requirements

– Comply with current ISO/IEC and other relevant standards

• PCI DSS requirements; PCI certification

– Comply with customer policies

• RFP establishes the policies, and responses commit to adherence

• Customer to establish proper criteria

Page 9: Contractual Provisions (2)

• Comply with customer access, use, security tiers, etc.

• Control and approve subcontractors

– “hidden” outsourcing by providers for peak data loads

• Appropriate encryption levels

• Cybersecurity-specific SLAs, SOWs, etc.

• SLA credits should not be exclusive remedies

• “Declared Direct Damages” to prevent unrecoverable consequential damages, including data restoration

• Combine DR (disaster recovery) with Force Majeure

• Restrict remote data access

• Control authorized access

Page 10: Contractual Provisions (3)

• Allow security audits and ethical hacking

• Data Manager as well as Project Manager?

• Do or will you have a Chief Data Officer?

Page 11: New Approach to Security Attacks

• Current approach: have contractual security obligations and provide penalties for failures

• However, penalties (called service credits) are generally capped

• Further, service credits may be the only remedy

• Why this may not solve the problem

• Solution: a different approach

– Model on bank/FBI cooperation against persistent attacks

– Switch from fighting over contract obligations to supplementing with cooperation to gather information and use lessons learned to improve security

Risk to the plan is greater than contract litigation

Page 12: Questions and Answers

William A. Tanenbaum, Head, IP & Technology Transactions Group
“Lawyer of the Year” in IT in NY
[email protected]
212-836-7661

Page 13: William A. Tanenbaum, Partner, Kaye Scholer

Bill Tanenbaum is the Head of the law firm Kaye Scholer’s multidisciplinary, multi-office IP & Technology Transactions Group, which is ranked in the First Tier at the National Level by US News & World Report/Best Lawyers. Bill was named “Lawyer of the Year 2013” in IT in NY by Best Lawyers in America. He is ranked in Band One in Technology & Outsourcing in NY by Chambers, America’s Leading Lawyers for Business, which found that he “built one of New York City’s most outstanding transactional IT practices.” IP Law Experts Guide named Bill as “The Recommended IT Lawyer in New York.” (Only a single attorney is designated in each state.) He is past President of the International Technology Law Association and currently a VP of the Society for Information Management (NY), a CIO industry association where he serves as the only lawyer on the Board. Clients and peer attorneys say he is “one of the best IP attorneys I have worked with” (LMG CleanTech Guide); “smart, practical, tactical and highly strategic,” “an effective negotiator” (Chambers); “intellectual yet pragmatic” and “among the foremost IT licensing experts and a leading authority on related issues such as data security, privacy and social media” (World’s 250 Leading Patent and Technology Lawyers). His practice areas include outsourcing, IT, offensive and defensive IP strategies, vendor management, data security and data flows, IT and IP aspects of corporate transactions, technology agreements and licensing, Big Data in procurement and supply chain management, and sustainability. He graduated from Brown University (Phi Beta Kappa) and Cornell Law School.


Page 15:

Copyright ©2014 by Kaye Scholer LLP, 425 Park Avenue, New York, NY 10022-3598. All rights reserved. This publication is intended as a general guide only. It does not contain a general legal analysis or constitute an opinion of Kaye Scholer LLP or any member of the firm on the legal issues described. It is recommended that readers not rely on this general guide but that professional advice be sought in connection with individual matters. Attorney Advertising: Prior results do not guarantee future outcomes.

Offices Worldwide