David Snead - Nailing Down Security Regulations


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

David Snead - Nailing Down Security Regulations

  1. 1. Source Conference Boston Nailing Down Security Regulations W. David Snead Attorney + Counselor Roadmap • Where is technology going? • U.S. v. E.U. • Case study • Analytical framework • Issue Based • Sectoral Based • Key contract clauses • Proactive • Reactive • Framework questions • National • Generally state implementation based • Narrowly tailored Legislative and Regulatory Targets • Data governance laws are here to stay • Expectation that in some format data breach will be extended • Breach – both benign and malicious to cover not just telecoms • Breach notification • General data breach requirements in some EU Member States already • Mitigation • Accountability and transparency principles • Security policies • Broad scope of definition of personal data • Cloud and jurisdictional challenges • Contracting parties, third parties and vendors • The role of controllers and processorsMIS Training Institute© Page 1
  2. 2. Broad based Broad based Sectoral / Country Specific Sectoral • eprivacy directive • digital signatures • sectoral standards • GLB • data retention • spam • encryption • HIPAA / HITECH • digital signatures • implementation EU • CFAA • encryption directives • ECPA General Security • Nevada • Massachusetts Sol Vidro is a company headquartered in Cologne. It seeks to outsource email, office applications, payroll and Security Breach backbone to two cloud providers in the U.S. and U.K. who must act in a federated manner. States without: • Alabama • Kentucky • Mississippi • New Mexico • South Dakota Security Vendor has provided Sol Vidro with a copy of its current security policy (Policy) as it applies to the services to be performed by Vendor pursuant to • Define “breach” this Agreement. Vendor represents and warrants that this security policy • Determine when a breach happens represents best of breed security procedures in its industry. Vendor shall • Assume there will be data breach laws give Sol Vidro no less than sixty days prior written notices of any changes in • Review any laws that my currently exist the Policy that impact the services provided to Sol Vidro. Should Sol Vidro • Understand who will be responsible for security determine that these changes materially impact the security of the services, Sol Vidro shall have the right to terminate this Agreement. In such a case, • Create enforceable contract terms Vendor shall provide reasonable assistance to Sol Vidro to transition its • Remember post termination issues services to another provider. • Understand that you may not be made wholeMIS Training Institute© Page 2
  3. 3. Data Transfer • How is the data transmitted? • Understand concepts like: controller, processor, Sol Vidro is providing payroll data to Vendor solely for the purpose of transfer and aggregation. processing the data as set out in Exhibit A to this Agreement. Vendor may • Limit uses only provide access to this data to third parties upon written notice and • Require flow down and flow up contract terms receipt of Sol Vidro’s express consent. Sol Vidro’s consent may be withheld. • Evaluate whether “Safe Harbor” is appropriate • Create methods to address data leakage Disposition of data upon termination Upon termination or expiration of this Agreement, Vendor shall delete all data and provide Sol Vidro with written confirmation of this deletion. • Review data retention laws Vendor shall also instruct any entities who have had access to the data to also delete it and provide Vendor with written certification of this deletion. • Specify terms for deletion / transfer The security obligations set out in this Agreement relating to the data shall • Set out obligations for security post termination survive termination or expiration of this Agreement until such time as the data is completely deleted by Vendor and/or Vendor’s suppliers. Vendor shall require this provision, or one similarly protective of Sol Vidro’s rights in all its contracts with suppliers or other vendors who provide aspects of the Services. Vendor shall provide Sol Vidro with no less than ten days prior written Access to data notice of any governmental request for access to the data. For the purposes of this paragraph only, the term “governmental” includes any law • Understand how transmission is outsourced / enforcement or similar entity. Should Vendor be prohibited by law from subcontracted providing this notice, Vendor shall strictly limit any disclosure of the data to that which is required by the law and the written document upon which • Review your obligations to provide access to police disclosure is based. Under no circumstances shall Vendor provide access • Review your provider’s obligations to provide access without a written request of disclosure which cites the law requiring such • Research your laws about third party police access disclosure. Vendor shall require this provision, or one similarly protective of • Set out notification and consent provisions Sol Vidro’s rights in all its contracts with suppliers or other vendors who provide aspects of the Services.MIS Training Institute© Page 3
  4. 4. Do you know where sensitive information resides and how to protect it? Can you lower costs AND improve your security posture by rationalizing your security ? Do you understand termination, survival and deletion issues? Can you control who has access to your information? Do you know how the services will be used How does termination affect you? Have you researched breach notification? Have you researched high risk regulatory areas? W. David Snead Attorney + Counselor david.snead@dsnead.com wdsneadpc / Twitter thewhir.com / BlogMIS Training Institute© Page 4