Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)

M O N I Q U E A LT H E I M
M A N A G I N G C O N S U LT A N T
G L O B A L P R I VA C Y A N D S E C U R I T Y
I B M S E C U R I T Y S E R V I C E S
S A R V E S H M A H A J A N
AT T O R N E Y
W I G G I N A N D D A N A
Practising Law Institute (PLI)
Sixteenth Annual Institute
on Privacy and Data Security Law
New York City
June 8-9, 2015

AGENDA
Topic
1. Introduction
Key Cybersecurity and Privacy Considerations in Deals
2. Cybersecurity and Privacy Provisions
in IT Services and Outsourcing Contracts
3. Special Considerations for Cloud Services Agreements
4. Privacy and Security Issues in M&A
5. Q&A

KEY CYBERSECURITY AND PRIVACY
CONSIDERATIONS IN DEALS

• Corporate Transaction, services contract,
outsourcing, cloud-based arrangement, etc.
• Impact on and risks for data
Type of Transaction
• Intellectual Property
• Personally Identifiable Information
Data Being Transferred
• Is any of the data subject to regulation?
• Is the transfer itself regulated?
Legal Obligations
4

• Policies
• Contractual Commitments
Other Obligations
• How will the data be protected?
• How has the data been protected?
Data Privacy
and Security
• How does the transfer of the data impact liability for
either party?
• How is liability allocated?
Liability
5

CYBERSECURITY AND PRIVACY
PROVISIONS IN IT SERVICES AND
OUTSOURCING CONTRACTS

IT SERVICES AND OUTSOURCING AGREEMENTS
STANDARD PROVISIONS
• Applicable Law
• Respective roles of the Parties
Legal Compliance
• Business Information
• Intellectual Property
• Personally Identifiable Information
Confidentiality
• Categories and scope of PII covered by the Agreement
• Permitted use of PII
• Location and transfer of PII
Privacy Requirements
• Industry standards (e.g., ISO 270001)
• Contractually defined security protocols
• Background checks for personnel
Security Requirements
7

STANDARD PROVISIONS
• Customer Audit Rights
• Independent Third-Party Audits
Information Security and
Privacy Audits
• Procedures
• Notification Requirements
Responding to
Data Breach Incidents
• Cap on Service Provider’s liability and exclusions
• Indemnities for data subject claims, government
claims, other costs (e.g., notification, credit-
monitoring)
Liability and Indemnities
• Cross-Border Transfers
• Subcontracting
Data Transfers
8

DISCUSSION OF SAMPLE PROVISIONS
Compliance with Privacy Laws
Service Provider shall comply with all applicable Privacy Laws.
9

Compliance with Privacy Laws
“Privacy Laws” means: (1) laws regarding data protection and privacy, including any
amendments thereto and regulations promulgated thereunder by any country, state, or other
jurisdiction: (a) where Customer is incorporated, formed, domiciled, or conducting business;
(b) where the proprietor or subject of any of the PII resides, or enters, submits, processes, or
transmits PII; (c) where any of the PII is received, collected, hosted, stored, handled,
processed, or transmitted by any entity pursuant to the terms of this Agreement; or (d) where
Customer is for any other reason legally responsible for the protection of the PII, such laws
including, without limitation, (i) the European Data Protection Directive (95/46/EC) and the
Privacy and Electronic Communications Directive (2002/58/EC), including laws and
regulations that apply to cross-border data transfers; (ii) applicable federal or state laws and
regulations of the United States of America, including the Gramm-Leach-Bliley Act, the Health
Insurance Portability and Accountability Act (HIPAA) of 1996, the Children’s Online Privacy
Protection Act of 1998, laws and regulations of the U.S. Federal Trade Commission, the State
of California and the Commonwealth of Massachusetts; and (iii) the Personal Information
Protection and Electronic Documents Act (“PIPEDA”) in effect in Canada; and (2) any
applicable principles, guidelines and codes issued by a competent data protection authority,
or other competent governmental body or agency, in respect of such laws.
10

Data Privacy Provisions
Service Provider shall not collect, handle, process, disclose, use or store any PII, except for
performance of the Services, strictly in accordance with this Agreement, and only to the
extent permitted or required by the Privacy Laws or other applicable laws.
Customer shall determine the scope, purposes, and manner for which such PII may be
accessed or processed by Service Provider, and Service Provider shall limit its access to or
use of Customer Personal Data to that which is necessary to provide the Services, comply
with applicable laws, or as otherwise directed by Customer;
If Service Provider is in or comes into possession of PII, Service Provider shall identify, in
writing, to Customer the locations at which the PII is collected, handled, processed,
disclosed, used or stored.
Service Provider shall not relocate or transfer PII to locations other than those identified
pursuant to [the SoW] herein, except in compliance with the Privacy Laws and with
Customer’s prior written consent.
11

Security Obligations
Service Provider shall implement and maintain appropriate data security measures to ensure
that Customer Data is protected against loss, damage, destruction or any form of
unauthorized or unlawful collection, handling, processing, disclosure, usage and/or storage in
accordance with (1) the highest industry standards, (2) the security requirements set forth in
[Schedule X], and (3) Privacy Laws. Service Provider shall further maintain and comply with,
a comprehensive written information security program with respect to the collection, handling,
processing, disclosure, use and storage of Customer Data, consistent with the Privacy Laws,
that includes administrative, technical and physical safeguards to protect the security,
integrity, and confidentiality of Customer Data.
12

Data Breach Incidents
In the event of any actual or potential unauthorized or unlawful access to Customer Data or
unauthorized or unlawful access to Service Provider Systems that are use to receive, access,
store, process, transmit, or otherwise use Customer Data (“Data Breach Incident”), Service
Provider shall immediately notify Customer of the Data Breach Incident. Service Provider
shall expediently investigate the Data Breach Incident, provide Customer a report on its
investigation of the Data Breach Incident. Service Provider shall take all appropriate
measures to mitigate the effects on Customer Data of any such Data Breach Incident. The
parties shall cooperate to resolve any data privacy or security issues involving PII, and to
make any required notifications to individuals affected by the Data Breach Incident. Service
Provider shall be responsible for all costs related to its investigation of the Data Breach
Incident and providing any required notifications to individuals affected by the Data Breach
Incident.
Notwithstanding anything to the contrary in this Agreement, Service Provider’s responsibility
and liability for all costs related to its investigation of Data Breach Incidents and providing
legally required notification to all individuals affected by Data Breach Incidents will not be
subject to any limitation of liability to which the parties have, or in the future may agree or
refer in this Agreement.
13

Indemnification
Service Provider shall defend, indemnify and hold harmless Customer and its affiliates and
their respective officers, directors, employees, agents, contractors, customers, successors,
and assigns from and against any and all losses arising out of relating to Service Provider’s
breach of its obligations with respect to Customer Data, Service Provider’s violation of
Privacy Laws, or any Data Breach Incident involving Customer Data in Service Provider’s
possession or control.
Notwithstanding anything to the contrary in this Agreement, Service Provider’s
indemnification obligations under this Section will not be subject to any limitation of liability to
which the parties have, or in the future may agree or refer in this Agreement.
14

SPECIAL CONSIDERATIONS FOR
CLOUD SERVICE AGREEMENTS

SPECIAL CONSIDERATIONS FOR
CLOUD SERVICES AGREEMENTS
• Public, Private, Hybrid, Managed Clouds
• IaaS, Paas, Saas
Type of Cloud Service?
• U.S: HIPAA/HITECH, G.LB. Mass. Security Laws
• FFIEC Statement on Cloud Computing; NIST Cloud
Computing Guidelines; PCI DSS Cloud Computing
Guidelines
• EU Data Protection Framework; Art. 29 WP Cloud Opinion
Location and Sector of
Client’s Business May
Restrict Choices
• Russia’s “Localization Law”
• Proposed EU Regulation
Location of Client’s
Market May Restrict
Choices
• U.S.: Patriot Act
• Microsoft Case: extraterritorial reach of U.S. Law
Location of Cloud
Service Provider’s Data
Centers
16

PRIVACY AND SECURITY ISSUES IN M&A

TWO KEY CONCERNS
• Data Breach Incidents
• Violations of Law
Allocation of
Pre-Closing Liability
• Contractual or policy restrictions
• Legal compliance obligations
• Practical limitations
Restrictions on
Use and Integration
of Information
18

DUE DILIGENCE CHECKLIST
Privacy Policies
Security Policies and Practices
Incident Response Protocols
Privacy and Security Officers
Training
1
2
3
4
5
19

DUE DILIGENCE CHECKLIST
Audits Reports
Certifications
Background Checks
Prior Incidents
Cross-Border Transfers
6
7
8
9
10
20

Monique Altheim, Esq., CIPP/US, CIPP/E
Managing Consultant, Global Privacy and Security
IBM Security Services
New York
+1.347.628.1479
malthei@ibm.com
Sarvesh Mahajan
Attorney
Wiggin and Dana, LLP
New York
+1.212-551-2626
smahajan@wiggin.com
Thanks for listening!
Any questions…

Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)

Similar to Security and Privacy in Deals (altheim & mahajan)(6-3 -2015) (20)

More from AltheimPrivacy

More from AltheimPrivacy (9)

Recently uploaded

Recently uploaded (20)

Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)