Cybersecurity & Data Privacy Attorney Shawn Tuma delivered the presentation Legal Issues Associated with Third-Party Risk at the ISACA CSX 2017 North America conference in Washington, DC.

1. Shawn E. Tuma, Cybersecurity & Data Privacy Attorney
Partner, Scheef & Stone, LLP
Legal Issues Associated with
Third-Party Risk

2. Copyright © 2017 Information Systems Audit and Control Association, Inc. All rights reserved.
Get Social!
@shawnetuma
#CSXNA

3. Copyright © 2017 Information Systems Audit and Control Association, Inc. All rights reserved.
Why a Lawyer?

4. Copyright © 2017 Information Systems Audit and Control Association, Inc. All rights reserved.
Why a Lawyer?
“Cybersecurity is no longer just an IT
issue—it is an overall business risk issue.”

5. Copyright © 2017 Information Systems Audit and Control Association, Inc. All rights reserved.
Why a Lawyer?
“Security and IT protect companies’ data;
Legal protects companies from their data.”

6. Copyright © 2017 Information Systems Audit and Control Association, Inc. All rights reserved.
Legal Foundations for Third-Party Risk

7. Copyright © 2017 Information Systems Audit and Control Association, Inc. All rights reserved.
Lesson: Evaluate and audit third-parties’ security.
• In re GMR Transcription Svcs., Inc., Consent Order (Aug. 14,
2014).
• FTC’s Order requires business to follow 3 steps when working
with third-party service providers:
• Investigate before hiring data service providers
• Obligate data service providers to adhere to the appropriate
level of data security protections
• Verify that the data service providers are complying with
obligations (contracts)
Legal Foundations

8. Copyright © 2017 Information Systems Audit and Control Association, Inc. All rights reserved.
Lesson: Know your contractual obligations.
• Addendum to business contracts
• Common names: Data Security & Privacy Agreement; Data
Privacy; Cybersecurity; Privacy; Information Security
• Common features:
• Defines subject “Data” being protected in categories
• Describes acceptable and prohibited uses for Data
• Describes standards for protecting Data
• Describes obligations and responsibility for breach of Data
• Requires binding third-parties to similar provisions
Legal Foundations

9. New York Department of Financial Services Cybersecurity (NYDFS)
Requirements for Financial Services Companies + [fill in]
• All NY “financial institutions” + third party service providers.
• Third party service providers – examine, obligate, audit.
• Establish Cybersecurity Program (w/ specifics):
• Logging, Data Classification, IDS, IPS;
• Pen Testing, Vulnerability Assessments, Risk Assessment; and
• Encryption, Access Controls.
• Adopt Cybersecurity Policies.
• Designate qualified CISO to be responsible.
• Adequate cybersecurity personnel and intelligence.
• Personnel Policies & Procedures, Training, Written IRP.
• Chairman or Senior Officer Certify Compliance.

10. Third Party
Service Provider
Security Policy
Section 500.11
“Each Covered Entity shall implement written policies and
procedures designed to ensure the security of Information
Systems and Nonpublic Information that are accessible to,
or held by, Third Party Service Providers.”
• P&P should be based on CE’s Risk Assessment and
address the following, as applicable:
• The identification and risk assessment of TPSPs;
• Minimum CP required by TPSP to do business with CE;
• Due diligence process used to evaluate the adequacy of CP
by such TPSP;
• Periodic assessment of such TPSP based on risk they
present and continued adequacy of their CP.
• P&P shall include relevant guidelines for due diligence
and/or contractual protections relating to TPSP and
applicable guidelines addressing:
• TPSP’s P&P for access controls and MFA to IS / NPI
• TPSP’s P&P for use of encryption in transit and at rest;
• Notice to be provided to CE for Cybersecurity Event; and
• Reps and warranties addressing TPSP’s cybersecurity P&P
NEW YORK DEPARTMENT OF FINANCIAL SERVICES
CYBERSECURITY REGULATIONS

11. EU – General Data Protection Regulation (GDPR)
• Goal: Protect all EU citizens from privacy and data breaches.
• When: May 25, 2018.
• Reach: Applies to all companies (controllers and processors):
• Processing data of EU residents (regardless of where processing),
• In the EU (regardless of where processing), or
• Offering goods or services to EU citizens or monitoring behavior in EU.
• Penalties: up to 4% global turnover or €20 Million (whichever is greater).
• Remedies: data subjects have judicial remedies, right to damages.
• Data subject rights:
• Breach notification – 72 hrs to DPA; “without undue delay” to data subjects.
• Right to access – provide confirmation of processing and electronic copy (free).
• Data erasure – right to be forgotten, erase, cease dissemination or processing.
• Data portability – receive previously provided data in common elect. format.
• Privacy by design – include data protection from the onset of designing systems.

12. Third Party
Processing and
Risk Under the
GDPR
• Controller, individually or with other controllers (jointly
and severally), is responsible to the data subjects. Art. 26
• Processor only process on controller’s instructions. Art. 29
• Using a risk assessment, the controller must implement
appropriate technical and organizational safeguards (incl.
P&P) to ensure personal data is processed lawfully.
Reassessment and maturation is required. Art. 24(1)
• Controller shall use only processors providing sufficient
guarantees to implement appropriate technical and
organizational measures to satisfy GDPR. Art. 28
• Processor must have controller’s written authorization to
engage another sub-processor;
• Processor must have binding contract with controller
specifying particulars of processing;
• Processor must be bound to confidentiality;
• Processor must demonstrate compliance and agree to
audits and inspections;
• Nth processors liable to upstream processor, which is liable
to the controller, which is ultimately liable.
• Non-regulated controllers and processors can
contractually agree to be bound. Art. 42
EUROPEAN UNION
GENERAL DATA PROTECTION REGS.

13. Copyright © 2017 Information Systems Audit and Control Association, Inc. All rights reserved.
Example Scenarios

14. Copyright © 2017 Information Systems Audit and Control Association, Inc. All rights reserved.
• Private security firm’s job applicants’ personal data (including
identification of those with Top Secret security clearances) is
exposed on an unsecured Amazon server.
• Firm says it wasn’t its fault, it was fault of its third-party vendor
that processed new job applications that left the data exposed.
– Former CIA, NSA, Secret Service
– Names, home addresses, telephone numbers, email addresses
– Applicant transported nuclear activation codes
– Applicant was “warden advisor” at Abu Ghraib black site
• Who do you think is responsible?
• Do you think a better contract would have helped?
• What would have helped prevent this?
Example Scenarios – “It’s Not Our Fault!”

15. Copyright © 2017 Information Systems Audit and Control Association, Inc. All rights reserved.
• MegaCorp is a global leader in biotechnology and one of the
world’s wealthiest companies. MegaCorp developed new highly
confidential and proprietary bio-authentication technology that
could solve the world’s cybersecurity problem by setting access
rights to data based on users’ unique DNA.
• MegaCorp recognizes the cyber threat and has state-of-the-art
cybersecurity for its network, having a larger cybersecurity
budget than the revenue of many biotech companies.
• For testing to prove the technology works, MegaCorp turns to
the 4 best biotech research facilities, known for the quality and
integrity of their research, not their profitability.
• MegaCorp’s contracts with the facilities requires they maintain
security and confidentiality of its intellectual property (IP).
Example Scenarios – “We Can’t Afford It”

16. Copyright © 2017 Information Systems Audit and Control Association, Inc. All rights reserved.
• During testing for MegaCorp, Research1 discovers an intrusion
in its network. Due to budget limitations, its “IT guy” calls his
buddy to do “forensics” and discover Research1’s network was
being used to mine Bitcoin. They block the hacker and
conclude “no problem.”
• Two weeks later Research1 gets hit with ransomware and a
demand for $100,000 paid in Bitcoin. IT guy was able to restore
the network from backups so he sent a taunting email to the
hacker, just for fun. He also ignored that lawyer who warns of
possible persistent attack and said it may be a legal breach.
• One week later the hacker emails Research1’s Board of
Directors saying they have MegaCorp’s data, demand $1million
which it can’t afford to pay.
Example Scenarios – “We Can’t Afford It”

17. Copyright © 2017 Information Systems Audit and Control Association, Inc. All rights reserved.
• Larger enterprises have a better appreciation of cyber risk and
spend more resources on it. SMBs are not there … yet … still
thinking, “we can’t afford it,” is justifiable.
• Does the harm to MegaCorp’s IP change depending on
whether taken from it or Research1?
• MegaCorp would crush Research1 in a lawsuit … so what?
• MegaCorp would have gladly paid the $1million ransom to try
and protect its IP, even with no guarantee.
• What contractual terms would have helped MegaCorp?
• What practical discussions would have helped MegaCorp?
• What risk transfer devices would have helped?
• What technology would have helped?
Example Scenarios – “We Can’t Afford It”

18. Copyright © 2017 Information Systems Audit and Control Association, Inc. All rights reserved.
✓ Focus on the objective: protecting your data/network
✓ Staff Appropriately
✓ Understand facts of relationship/transaction
✓ Understand risks by thinking worst case scenario from outset
✓ Minimalize risks: do not risk it if you do not have to
✓ Discuss objective, facts, risks, protection with those responsible
✓ Assess third-party’s sophistication and commitment
✓ Agree upon appropriate protections
✓ Investigate ability to comply
✓ Obligate compliance, notification (to you), responsibility
✓ Include in incident response planning
✓ Cyber Insurance: transfer risk where possible
Checklist: Process for Managing Third-Party Risk

19. Copyright © 2017 Information Systems Audit and Control Association, Inc. All rights reserved.
• Board of Directors &GeneralCounsel, Cyber Future Foundation
• Board of Directors, NorthTexasCyber Forensics Lab
• Policy Council, NationalTechnology Security Coalition
• CybersecurityTask Force, IntelligentTransportation Society of America
• Cybersecurity & Data Privacy LawTrailblazers, National Law Journal (2016)
• SuperLawyersTop 100 Lawyers in Dallas (2016)
• SuperLawyers 2015-16 (IP Litigation)
• Best Lawyers in Dallas 2014-16, D Magazine (Digital Information Law)
• Council, Computer &Technology Section, State Bar ofTexas
• Privacy and Data Security Committee of the State Bar ofTexas
• College of the State Bar ofTexas
• Board of Directors,Collin County Bench Bar Foundation
• Past Chair, Civil Litigation & Appellate Section,Collin County Bar Association
• Information SecurityCommittee of the Section on Science &TechnologyCommittee of the
American Bar Association
• NorthTexasCrime Commission, CybercrimeCommittee
• Infragard (FBI)
• InternationalAssociation of Privacy Professionals (IAPP)
The End – Thank You!
Shawn Tuma
Cybersecurity Partner
Scheef & Stone, L.L.P.
214.472.2135
shawn.tuma@solidcounsel.com
@shawnetuma
blog: www.shawnetuma.com
web: www.solidcounsel.com