Webinar Slides: Outsourcing Services to a Third Party – Privacy Impacts and SOC Reporting

Join MHM for a rebroadcast of this presentation on Aug. 20. More information at http://www.mhm-pc.com.

Taking advantage of opportunities to outsource services and functions to third party providers can create legal, compliance, due diligence and audit oversight challenges in an environment where privacy laws vary by jurisdiction and can be interpreted unpredictably. Even the most conscientious company can make a false step as it captures, uses, transfers and discloses personal information with third party service providers.

The extent of privacy laws, regulations and related compliance, security, control and breach reporting responsibilities can be daunting for any company, and these challenges are compounded when a company uses third party service providers. Because it is often impractical and not cost effective to perform onsite due diligence and oversight auditing of each provider, companies frequently seek assurance reporting from their third party service providers about their controls and privacy compliance as part of due diligence and oversight.


Transcript

  • 1. EXECUTIVE EDUCATION SERIES: Outsourcing Services to a Third Party – Privacy Impacts and SOC Reporting. Presented by Shareholder John Robichaud and guest presenter Cynthia Larose of Mintz Levin. May 2, 2013.
  • 2. Before We Get Started… To view this webinar in full screen mode, click on view options in the upper right hand corner. Click the Support tab for technical assistance. If you have a question during the presentation, please use the Q&A feature at the bottom of your screen.
  • 3. CPE Credit: This webinar is eligible for CPE credit. To receive credit, you will need to answer periodic polling questions throughout the webinar. External participants will receive their CPE certificate via email immediately following the webinar.
  • 4. Today's Presenters
    - John Robichaud, CPA, Shareholder. 617.761.0546 | jrobichaud@cbiztofias.com. Located in our Boston office, John specializes in service organization control (SOC) reporting, specialized agreed upon procedures, privacy, risk assessments and enterprise risk management, internal controls and project management. He works with a wide variety of clients, many from service organizations, nonprofits, financial services and technology industries.
    - Cynthia Larose, CIPP, Mintz Levin. 617.348.1732 | CJLarose@mintz.com. Cynthia is a Member of Mintz Levin's Corporate & Securities Section, Chair of the Privacy & Security practice, and a Certified Information Privacy Professional (CIPP/US). Cynthia represents companies in information, communications, and technology, including e-commerce and other electronic transactions. She counsels clients through all stages of the "corporate lifecycle," from start-ups through mid- and later-stage financings to IPO, and has broad experience in technology and business law, including online contracting issues, licensing, domain name issues, software development, and complex outsourcing transactions.
  • 5. About Mintz Levin: Full-service, multi-disciplinary law firm; 450 attorneys and senior professionals; offices across the country (Boston, New York, Washington, DC, Stamford, Los Angeles, San Diego, San Francisco) and in the UK (London); liaison office in Israel; international network of contacts; government relations, public policy and real estate project development consulting affiliate – ML Strategies.
  • 6. A Full-Service Firm: Antitrust & Federal Regulation; Bankruptcy, Restructuring & Commercial Law; Communications; Consumer Product Safety; Corporate & Securities; Corporate Compliance & Investigations; Employment, Labor & Benefits; Environmental Law; Government Law & Contracts; Health Law; Immigration; Intellectual Property; International; Litigation; Privacy & Security; Private Client; Private Equity; Project Development & Finance; Public Finance; Real Estate; Tax; White Collar Criminal Defense.
  • 7. Representative Industries We Serve: Construction; Education; Energy & Clean Technology; Financial Services; Health Care; Insurance; Internet & E-commerce; Life Sciences; Manufacturing; Nonprofits; Professional Services; Real Estate; Retail & Consumer Products; Sports, Arts & Entertainment; Technology, Communications & Media; Transportation, Shipping & Logistics.
  • 8. Today's Agenda: (1) Outsourcing overview; (2) Landscape and impact of privacy laws and regulations; (3) Privacy compliance challenges and common pitfalls; (4) Emerging privacy legal and regulatory compliance issues; (5) Navigating reporting from third party service providers; (6) AICPA Service Organization Control Reports; (7) Trust Services.
  • 9. OUTSOURCING OVERVIEW: Opportunities, Reasons, Benefits and Challenges
  • 10. Outsourcing Overview – Opportunities: Continually growing wide range of opportunities for organizations to outsource, including: payroll; human resources and benefits administration; accounting; printing and distribution; warehousing and fulfillment; call center and customer support; data center and application hosting; Software as a Service; Platform as a Service; Infrastructure as a Service.
  • 11. Outsourcing Overview – Reasons and Benefits: Many reasons and benefits, including: pressure to reduce costs; leverage experts specialized in the outsourced service offering; potential availability of more sophisticated resources; availability of a virtual workforce; meet short-term demands or needs; lack of resources to support a business process or function.
  • 12. Outsourcing Overview – Challenges: Due Diligence; Compliance; Oversight.
  • 13. LANDSCAPE AND IMPACT OF PRIVACY LAWS AND REGULATIONS
  • 14. Privacy Laws and Regulations – Compelled disclosure to the government:
    - Electronic Communications Privacy Act (ECPA), 1986: protects electronic communications from disclosure while in transit and while held in storage. Offers different levels of protection based on outdated distinctions, such as whether data is in "electronic storage" or held by a "remote computing service," or how old the data is.
    - Stored Communications Act (SCA).
    - USA Patriot Act: enacted in 2001, amended in 2005. Allows FBI access to certain business records with a court order; National Security Letters can also obtain records.
    - Warrants and subpoenas.
  • 15. Privacy Laws and Regulations – Data security issues and data breach notification: Certain federal laws and regulations impose industry-specific data security or breach notification obligations:
    - Educational institutions: Family Educational Rights and Privacy Act (FERPA).
    - Financial institutions: Gramm-Leach-Bliley Act (GLBA), which prevents disclosure of nonpublic personal information.
    - Health care: Health Insurance Portability and Accountability Act (HIPAA) and HITECH.
  • 16. Privacy Laws and Regulations (continued):
    - Payment Card Industry Data Security Standard (PCI DSS): prevents disclosure of online credit card and account information.
    - FTC breach disclosure requirement: Section 5 of the FTC Act.
    - Clinical Laboratory Improvement Amendments (CLIA): applies to health care organizations.
    - NYSE Rule 340.
  • 17. Privacy Laws and Regulations (continued):
    - FDIC: meet regulatory requirements around core vendors.
    - Publicly traded companies: Sarbanes-Oxley (SOX).
    - Generally, an entity cannot contract away its obligation to comply with these industry-specific regimes.
    - State laws and regulations: which ones apply depends on where your organization does business; the goal is to avoid triggering requirements to disclose data compromised at a vendor. Examples: MA, CA, TX and MI have their own privacy and security laws.
  • 18. PRIVACY COMPLIANCE CHALLENGES AND COMMON PITFALLS
  • 19. Assuming Third Party Vendors Are Covering Compliance Issues – Why Monitor? Why Not? Under many privacy laws, there exists no formal compliance violation if a company fails to monitor the activities of its vendors. A "voluntary" obligation to monitor creates risk for the company, which is committing to follow through if oversight turns out not to be effective. Case study: a medical transcriptionist in Pakistan threatened to post patient names and information on the Internet unless given better pay. The story received global coverage, resulting in serious reputational damage to the hospital.
  • 20. Common Pitfalls and Repercussions – Lack of standard process. Case study: a Ponemon Institute study revealed a difference in view between cloud providers and users about who is primarily responsible for security in the cloud: 69% of third party vendors saw their users as responsible for their own security, but only 35% of those users saw themselves as responsible. This confusion about who is responsible for data security leads users to complacent behavior. Failure to manage vendors: companies spend millions on their own internal compliance challenges but provide all the same information to vendors, who may give low priority to safeguarding it.
  • 21. Common Pitfalls and Repercussions – Volume of vendors: simply keeping track of all privacy information raises the risk of errors and breaches; larger vendors handling substantial volumes of personal data face higher risks than vendors with more manageable amounts of information. Mitigation issues: how will a company interact with a vendor that breaches privacy? Vendors should be contractually committed to take all reasonable action dictated by the company.
  • 22. Common Pitfalls and Repercussions – New HIPAA Omnibus Rule: if you handle protected health information, you have HIPAA liability. HIPAA breaches generate severe negative publicity, not to mention fines and civil penalties, and possible class actions. Many lawsuits seeking damages in the millions have been filed against healthcare providers that breach PHI. Total breach costs have grown every year since 2006.
  • 23. Failure to Do Third Party Due Diligence: What if the vendor goes out of business? Does the third party have a disaster recovery plan? What is the vendor's identity theft protection plan?
  • 24. EMERGING PRIVACY LEGAL AND REGULATORY COMPLIANCE ISSUES
  • 25. Cloud: If a company stores information in the cloud, it faces the threat of FTC enforcement if its representations to consumers about where and how information is stored and secured do not match its actual practices. Who owns data in the cloud? Can a cloud provider use the data for its own purposes? Under what circumstances can the customer obtain a copy of information stored in the cloud? What happens when service to the cloud is interrupted?
  • 26. Cloud – CONTRACT! Almost all issues can be dealt with contractually: where data is stored; what security standards the cloud provider adheres to (segregated data; does the cloud conform to industry standards? do outside auditors confirm its security practices?); who is liable for a data breach; regulatory compliance and indemnification responsibilities; ownership/control of information and cloud maintenance.
  • 27. Off Shore Vendors – Problems associated with digital technology: Internet file sharing networks make it much easier to trade secrets, proprietary products, plans and schematics, and much of the theft takes place outside of the United States. Vendors may be "offshore," which creates the perception that U.S. privacy rules do not apply in other countries (see the Pakistani case study). Companies must evaluate how best to enforce contractual obligations. KNOW YOUR VENDOR.
  • 28. Vendor Assessment – "Ignorance is not a valid defense": Regulators and executive management expect you to understand, manage, and reduce risk. Perform a cost/benefit analysis when choosing a provider. Ask: what is the reputational risk to your company if something goes wrong? How sensitive is this stored data? Average cost per record: $198. Average incident: $6.3 million.
  • 29. Looking Ahead: Use of third-party vendors for business functions has become a standard business practice, but security still varies greatly. Organizations must be extremely vigilant in assessing risks to their data even when the data reside at a vendor location. Ask: "Once we share our information assets with third-party vendors, will we still be in compliance?" You MUST vet your vendors and carefully monitor their security/privacy control environments over an extended period of time.
  • 30. NAVIGATING REPORTING FROM THIRD PARTY SERVICE PROVIDERS: Due Diligence and Oversight Compliance Challenges, and Relying on Reporting from Service Providers
  • 31. Reporting from Third Party Service Providers: Performing due diligence and compliance oversight at third party service providers can be a challenge, or impractical, because of limited management and resource bandwidth, cost, timing, and contractual restrictions. Organizations often end up needing to rely on reporting provided by the third party service provider.
  • 32. Reporting from Third Party Service Providers: internally prepared reports and self assessments; certifications; seals; externally prepared reports and assessments against an alphabet soup of standards, including PCI DSS, ISO, FISMA, NIST, HIPAA and AICPA Service Organization Control (SOC) Reports.
  • 33. AICPA SERVICE ORGANIZATION CONTROLS REPORTS: SOC 1–3 Reports
  • 34. AICPA SOC Reports: SOC1 versus SOC2 versus SOC3, and the option for a web site seal. Type 1 (point in time) versus Type 2 (operating period) examinations and reports. Trust Services Security, Availability, Processing Integrity, Confidentiality and Privacy Principles and Criteria.
  • 35. SOC 1 – 3 Reports:
    - SOC1 – Report on Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting; replacement of SAS 70, performed under SSAE 16.
    - SOC2 – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy, in accordance with AT Section 101 and the Trust Services Principles, Criteria and Illustrated Controls in TSP section 100 (long form report).
    - SOC3 – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy, in accordance with AT Section 101 and the Trust Services Principles, Criteria and Illustrated Controls in TSP section 100 (short form report with web site seal option).
  • 36. SOC 1: Internal control over financial reporting. Scope includes: classes of transactions; procedures for processing and reporting transactions; accounting records of the system; handling significant events and conditions other than transactions; report preparation for users; other aspects relevant to processing and reporting user transactions.
  • 37. SOC1 (continued): Covers transaction processing controls and the supporting information technology controls relevant to the financial transaction processing and reporting services. Based on control objectives that are defined by the service provider and can vary depending on the type of service provided. Restricted report, intended solely for the information and use of the service provider, its user entities (customers) and the user entities' auditors in planning their audits of the user entities.
  • 38. SOC2: Operational controls. Scope includes infrastructure, procedures, people and data. Covers any one or combination of the Trust Services Security, Availability, Processing Integrity, Confidentiality and Privacy Principles and Criteria.
  • 39. SOC2 (continued): Intended to meet the needs of a broad range of users that need information and assurance about controls at a service provider that affect security, availability, processing integrity, confidentiality and privacy. Restricted report with a broader range of intended users, including existing users, prospective users, regulators and business partners. Endorsed by the Cloud Security Alliance.
  • 40. SOC3: Covers the same individual and combined Trust Services Principles and Criteria as SOC2. Does not include a detailed description of the design of controls or of the tests of controls performed by the service auditor. Provides a service auditor's opinion on whether the service provider maintains effective controls over its systems. Unrestricted report intended for users that don't require a more thorough report. Web site seal option if there are no carved-out subservice providers and the opinion is unqualified.
  • 41. Type 1 versus Type 2: Type 1 is a point-in-time examination and report opining on the suitability of the design of controls and on the description, with no test of the operating effectiveness of controls. Type 2 is an examination and report opining on the suitability of the design of controls and on the description, and on the operating effectiveness of controls, with reported tests and results covering a period of time: six months or greater for a SOC1; two months or greater for a SOC2 and SOC3; based on the usability of the coverage period for the intended recipients of the report.
  • 42. TRUST SERVICES: Security, Availability, Processing Integrity, Confidentiality and Privacy Principles and Criteria (Framework for SOC2 and SOC3 Reporting)
  • 43. Trust Services Principles and Criteria: The Security, Availability, Processing Integrity, Confidentiality and Privacy Principles and Criteria address risks and controls of IT-enabled systems and privacy programs, with illustrated benchmark control best practices.
  • 44. Trust Services Principles and Criteria (continued):
    - Policies – the service provider has defined and documented its policies particular to each principle, which address management's intent, objectives, requirements, responsibilities and standards.
    - Communication – the service provider has communicated its defined policies to responsible parties and users of the system.
    - Procedures – the service provider has placed procedures into operation to achieve its principles in accordance with its defined policies.
    - Monitoring – the service provider monitors the system and takes action to maintain compliance with its defined policies.
  • 45. Trust Services Principles and Criteria (continued):
    - Security – the system is protected against unauthorized access (both physical and logical).
    - Availability – the system is available for operation and use as committed and agreed.
    - Processing Integrity – system processing is complete, accurate, timely and authorized.
    - Confidentiality – information designated as confidential is protected as committed or agreed.
    - Privacy – personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity's privacy notice and with the criteria set forth in the AICPA's and CICA's Generally Accepted Privacy Principles.
  • 46. Security: Most commonly requested area of coverage. Security criteria are also included in the other principles because security controls are inherent, critical parts of effective availability, processing integrity, confidentiality and privacy controls. Applicable to all outsourced environments, particularly when enterprise users require assurance regarding the service provider's security controls for any system and any nonfinancial or financial service.
  • 47. Security (continued): IT security policy; security awareness and communication; risk assessment; logical access; physical access; security monitoring; user authentication; incident management; asset classification and management; system development and maintenance; personnel security; configuration management; change management; monitoring and compliance.
  • 48. Availability: Commonly requested area of coverage, particularly where availability, disaster recovery and business continuity management are provided as critical parts of the service provider's standard service offering. Most applicable where enterprise users require assurance regarding processes to achieve system availability service level agreements as well as disaster recovery and business continuity management, which cannot be covered as part of a SOC1 report.
  • 49. Availability (continued): Includes security criteria; availability policy; backup and restoration; environmental controls; disaster recovery; business continuity management.
  • 50. Processing Integrity: Potentially applicable for a wide variety of nonfinancial and financial services wherever assurance is required as to the completeness, accuracy, timeliness and authorization of system processing. Includes security criteria; system processing integrity policies; completeness, accuracy, timeliness and authorization of inputs, system processing and outputs; information tracing from source to disposition.
  • 51. Confidentiality: Most applicable where the user requires additional assurance regarding the service provider's practices for protecting sensitive business information. Includes security criteria; confidentiality policy; confidentiality of inputs; confidentiality of data processing; confidentiality of outputs; information disclosures, including to third parties; confidentiality of information in systems development.
  • 52. Privacy: Most applicable where the service provider interacts directly with end users and gathers their personal information. Can also be performed when the service provider is a secondary or intermediary recipient of personal information, but this requires more complicated disclosures regarding the span of responsibilities for personal information among all involved parties. Provides a vehicle for demonstrating the effectiveness of a service provider's controls for maintaining the privacy of information.
  • 53. Privacy (continued): Management; notice; choice and consent; collection; use and retention; access; disclosure to third parties; quality; monitoring and enforcement.
  • 54. Ziptr: Provides a secure encrypted email service. 2011–2012 SOC3 on security and confidentiality; 2012–2013 SOC2 on security, confidentiality and privacy.
  • 55. Questions?
  • 56. If You Enjoyed This Webinar… Join us for these related EES courses: June 27: Accounting and Finance Issues of Technology Companies; August 20: Outsourcing Services to a Third Party — Privacy Impacts and Service Organization Control Reporting. Read this related MHM Messenger: MHM Messenger 23-12: Evolving Business Practices Spur Transition from SAS 70 to SOC Reports.
  • 57. Today's Presenters (repeat of slide 4: John Robichaud, CPA, and Cynthia Larose, CIPP, with the same contact details and biographies).
  • 58. Connect with Mayer Hoffman McCann: linkedin.com/company/mayer-hoffman-mccann-p.c.; @mhm_pc; youtube.com/mayerhoffmanmccann; gplus.to/mhmpc; blog.mhm-pc.com; slideshare.net/mhmpc; facebook.com/mhmpc
