OUTSOURCING IT FUNCTIONS IN TIMES OF INCREASED REGULATION AND SECURITY CONCERNS In-House Counsel Conference


1 OUTSOURCING IT FUNCTIONS IN TIMES OF INCREASED REGULATION AND SECURITY CONCERNS 2016 In-House Counsel Conference

2 INTRODUCTION

3 Presenters: Barbara Murphy Melby, Partner, Morgan Lewis; Megan Gatto, Senior Counsel, Independence Blue Cross; Michael L. Pillion, Partner, Morgan Lewis

4 4 Discussion Topics
The changing IT landscape
Enterprise risk management: Central oversight of data/operational exposure liability and practical concerns
Compliance update: Traditional and industry-specific regulations, and how allocation of responsibility may be negotiated
Security controls and compliance
Security risks in cloud deals
Security breach and allocation of risk
Third-party vendor management
Environment oversight
Wrap-up

5 THE CHANGING LANDSCAPE

6 6 The Changing Landscape Cloud Data Analytics Automation IT Services Internet of Things Mobility Business Unit Procurement

7 7 Kosbit: Top 5 IT Outsourcing Trends for 2016
#1: The Internet of Things refers to machine-to-machine communication, centered on the use of data gathering sensors. According to McKinsey, this will be an industry that is worth $11 trillion in Outsourced IT services will play a vital role in the development of advanced devices that can support IOT.
#2: Big Data and Analytics many rely on the services that can be provided by IT outsourcing companies because of cost-effectiveness and expertise. The price point of investing in big data analytics is just too high for some enterprises, which is why it is expected that many of them will resort to outsourcing in the coming years to take advantage of big data without being too resource-intensive.
#4: Cloud Computing According to Markets and Markets, before the end of 2015, cloud computing is an industry that will be worth as much as $121 billion. Those who do not yet embrace the premise of cloud computing can be lagged behind competition, especially not only because of automation, but it is also cost efficient compared to manual processes.
#5: Digital Transformation As many enterprises continue to discover automated, scalable, and affordable solutions, outsourcing becomes less attractive. As a result, the challenge in 2016 is for providers of outsourced IT services to rethink how they can create value and mitigate risks to continue being a viable option.

8 8 Leading to New definitions of IT outsourcing Business solutions enabled by technology -- and using business data Increased business demand for such solutions Keeping up with the competition Enhancing the employee and user experience Speed to adoption

10 10 Coupled with (or maybe because of) Heightened sensitivity to data breaches and security controls at the highest levels Increased regulatory requirements and guidance Outsourcing (by industry) Data protection

11 11 Risk and Legal Response Stay cool and regain control easier said than done What are the solutions Who are the vendors Who is contracting with the vendors Rethink risks and controls big picture Where are the assets Where is the data What are the business critical services Immediate and long-term risk mitigation

12 12 ENTERPRISE RISK MANAGEMENT; COMPLIANCE UPDATE Presented by Megan Gatto

13 13 ENTERPRISE RISK MANAGEMENT Central oversight of data/operational exposure liability and practical concerns

14 14 Practical concerns Overall reliance on cloud or other vendors for day-to-day operation Evaluating worst-case scenarios for service disruption/data loss Diligence regarding disaster recovery/business continuity plans Contractual remedies effective? Mitigating practical consequences of nonperformance

15 15 Liability exposure Contributing factors: Nature of data Personal information/phi Sensitive business information Other information Volume and age of data Not all old data is obsolete Adherence to record-retention policies Location of data Larger vendors may also be larger targets

16 16 Liability exposure Aggregate liability exposure Data on own systems, processed by own employees Outsourced functions Vendors liable for breach of data security obligations, not any data breach Vendors liability for breach of data security obligations can be difficult, although not impossible, to achieve unlimited liability How to manage? Negotiate as best you can Keep your data breach response plan up to date as vendors are added Cyber insurance Requires attention to detail

17 17 COMPLIANCE UPDATE Traditional and industry-specific regulations, and how allocation of responsibility may be negotiated

18 18 What are Laws in your contract? Traditional definition: some combination of laws, rules, orders, and binding restrictions of federal, state, or local governmental authorities. What about nongovernmental entities, such as industry associations or issuers of licenses, that nevertheless have some control over the customer? Healthcare example: BCBSA

19 19 Responsibility for Compliance Traditional allocation of responsibility often: Vendor retains full responsibility for compliance with Laws applicable to the services, other than Customer Laws. Definition of Customer Laws: negotiable, but often includes Laws that are specifically applicable to Customer's industry, as opposed to Vendor's customers generally. Monitoring responsibility: negotiable as to whether Customer must proactively direct Vendor regarding Customer Laws, or whether Vendor must comply with Customer Laws, subject to Vendor's right to request specific instruction. Financial responsibility: Vendor will comply with Customer Laws (or Customer's directives), but at Customer's expense

20 20 Variations on Compliance When might a Vendor take responsibility for industry-specific Customer Laws? What if a Vendor refuses to commit to comply with industry-specific Customer Laws?

21 21 SECURITY CONTROLS & COMPLIANCE; SECURITY BREACHES AND ALLOCATION OF RISK Presented by Michael L. Pillion

22 22 Security Controls & Compliance; Security Breaches & Allocation of Risk - Outline Security Risks in Cloud Deals Security Controls and Compliance Data Security Requirements Vendor's Data Security Offering Security Standards, Certifications, and Audit DR/BCP Plans Data Delivery and Deletion at Termination Data Security Breaches Vendor's Response Plan Steps to Take After a Breach Allocation of Risk in the Contract

23 23 Security Risks in Cloud Deals Loss of Control Gaps in Policies and Responsibilities Compliance and Legal Risks Data Protection release, loss, and unavailability Data Isolation Failures Handling of Security Incidents detection, reporting, management, and resolution Insecure or Incomplete Data Deletion at Termination Visibility and Audit

24 24 Data Security Requirements Higher level of security for certain data? Legal requirements Requirements of Customer policies Industry-specific requirements Keep at Customer?

25 25 Vendor's Data Security Offering Vendors typically not willing to offer a customized data security approach. Customers must conduct gap analysis on Vendor's data security policies vs. Customer's policies, laws, and industry requirements. Due diligence and selection of Vendor is more important than the contract. Location of servers, both primary and backup. Subcontractors/subprocessors. What security certifications does Vendor maintain?

26 26 Vendor's Data Security Offering Physical security, commensurate with data sensitivity. Logical/system security, to avoid compromise of confidentiality through commingling. How data is segregated: logical segregation. Access by authorized personnel only. Regular monitoring of intrusion detection system and reporting. Encryption (e.g., for transfers outside firewalls). Use of mobile devices and storage (e.g., laptops, tablets, USB drives, backup tapes), including whether use is permitted. Enhanced standards for Personal Information, including PHI. Employee privacy and security training

27 27 Security Standards, Certifications & Audit Information Systems Security ISO Series ISO provides requirements for an information security management system ISO provides guidelines for information security standards and practices including the selection, implementation, and management of controls ISO gives guidance on security controls applicable to the provision and use of cloud services ISO establishes control objectives, controls, and guidelines for implementing measures to protect PI for the public cloud environment Audit to and certification to ISO Services Standards

28 28 Security Standards, Certifications & Audit SSAE 16/ISAE 3402 Audit Standards Service Organization Control (SOC) 1 - conducted in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16 audit of internal controls over financial reporting SOC 1, Type I - opinion on the suitability of the design of the service organization's controls to achieve the related control objectives, as of a specified date SOC 1, Type II - same as a Type 1 report with the addition of an opinion on the operating effectiveness of the controls to achieve the related control objectives throughout a specified period

29 29 Security Standards, Certifications & Audit AT101 Audit Standards SOC 2 - designed for audits of service providers - audit of the security, availability, and processing integrity of a service provider's system, the confidentiality of the information that the system processes or maintains, and the privacy of personal information that the service provider collects, uses, retains, discloses, and disposes of. SOC 2, Type I SOC 2, Type II Customer Audits

30 30 Disaster Recovery/Business Continuity Plans Outages and Resulting Data Loss or Inability to Access Is Just as Big a Risk as Security Breach Risks Data Recovery Sites Definition of Outage and Disaster Data Recovery Times and Recovery Point SLAs Downtime Credits Responsibilities of Customer Under Vendor DR/BCP Plan Coordination with Customer's DR/BCP Plan Testing and Reporting

31 31 Data Delivery and Deletion at Termination Delivery of Data to Customer Allocation of Responsibilities Between Customer and Vendor Format of Data No Deletion by Vendor After Only Passage of Time Deletion of Data by Vendor Complete and Secure Compliance with Data Destruction Laws Deletion Certificate

32 32 Data Security Breach Response Plan Addressing, among other things: Notice to Customer; Response (contain the breach); Investigation (how, what data, who has it); Remediation; Notices required by laws/policies/contracts; Credit monitoring required by laws/policies/contracts; Other requirements under laws/policies/contracts; Responsibility for costs, fines under laws/policies/contracts. Changes by Vendor: Customer consent required? Notice to Customer required? Is Vendor's data security breach response plan consistent with Customer's? (Each must have one!)

33 33 Security Breaches: Remediation Steps Customer's position is that if the breach involves Customer Data under Vendor's control and Vendor was in breach of its data security obligations: Vendor must either undertake or bear Customer's costs of undertaking the remediation steps that are required by law or a regulatory authority, or that are required by the contract or Customer policies (such as notices to affected individuals, credit monitoring, operation of call centers). Vendor is responsible for fines, penalties, etc., imposed on Customer as a result of the breach. The parties may agree upon additional steps that are reasonable in light of the particular breach. A liability cap (discussed later) may apply to Vendor's responsibility for these costs.

34 34 Security Breaches: Remediation Steps What if the breach involves Customer Data under Vendor's control and Vendor was not in breach of its data security obligations? Customer to bear the cost of notifying affected individuals, etc., as described on previous slide? Vendor still must cooperate with the investigation and take corrective actions as described on the previous slide.

35 35 Contractual Allocation of Risk for Data Security Breaches Major Areas of Damages Exposure Investigating Breaches Remediating Systems Restoring or Re-creating Data Data Breach Notifications and Remediation with Respect to the Individual and Regulators Third-Party Claims by the Individual and Regulators indemnity?

36 36 Limitations on Liability Direct Damage Cap Disclaimer of Indirect and Consequential Damages Exceptions to the Limitations on Liability Breach of Confidentiality Obligations May depend on whether clearly separate from Data Security Obligations Breach of Compliance with Laws Obligations

37 37 Limitations on Liability Exceptions to the Limitations on Liability Breach of Data Security Obligations If Vendor Was in Breach of Its Obligations, as Opposed to Strict Liability May Depend on the Type of Data (e.g., is there a lot of PI or PHI?) May Depend on the Encryption or Other Solution Requirements Maybe Differentiate by Type of Damage: Investigating Breaches Remediating Systems Restoring or Re-creating Data Data Breach Notifications and Remediation Requirements with Respect to the Individual and Regulators Breach of Data Security Obligations

38 38 Secondary Cap for Data Security Issues? Separate or On Top Of Basis Direct Damages Cap? Cover Both Direct Claims and Indemnification Claims? Direct Damages Only, or Indirect Damages as Well What About Consequential Damages?

39 39 Agreeing That Certain Damages Are Recoverable as Direct Contract states that Certain Damages will be recoverable within the Direct Damage Cap as if they were Direct Damages Costs of Complying with Data Breach Laws Costs of Data Remediation Indemnified Losses Governmental Fines

40 40 THIRD-PARTY VENDOR MANAGEMENT AND ENVIRONMENT OVERSIGHT

41 41 Vendor Management Good vendor management is critical to maintaining security control and regulatory compliance, and ultimately mitigating risk Traditional vendor management models Preengagement reviews Contract requirements Ongoing governance

43 43 Vendor Management First what is the scope? Criticality of service System and/or data access Data storage Pre-engagement reviews Financial viability Experience Customer history Industry reputation Insurance Security controls (questionnaire/assessment) Business continuity

44 44 Vendor Management Contract requirements Location of systems and data Remote access Personnel screening and training Use of third parties Compliance with policies Security controls and compliance Data and systems rights Liability Insurance Audit rights Termination rights Business continuity

45 45 Vendor Management Ongoing governance and oversight Regular reviews Reviews of changes Personnel Sites Security

46 46 Applying the traditional model to new solutions Identify the business solutions with data and security impacts Not just IT Still need diligence, contract requirements, and ongoing governance Location and access to systems and data will remain key Maybe different approach on whose policies and controls Consider using industry standards Need to move fast (or potentially lose out on the review)

47 47 Remodel the Contracting Approach "Our way or the highway": I like it, but it doesn't always work in leveraged solutions. Think about what you need and how to reach a similar (acceptable) outcome: Policies, Compliance, Security, Control, Liability. Create a checklist or amendment with key minimum contract requirements, to avoid the battle over whose paper

48 48 For example: "Customer Data" means all text, files, data, output, programs, files, information or material (a) of or submitted by or relating to any of the Customer Entities or any of their users, customers, vendors, personnel or third parties and/or (b) generated, obtained, developed, processed or produced by, as a result of or in connection with the services under the Agreement or the use of the services, software or systems by any of the Customer Entities or any of their users, customers, vendors, personnel or third parties that are provided or made available under the Agreement. As between the Parties, Customer retains all intellectual property and other rights in Customer Data. Customer Data will be considered confidential information of Customer. Customer will have access to and the ability to download any Customer Data stored or controlled by Provider or residing in the hosting environment of Provider or any Provider agents at all times in an encrypted format easily accessible by Customer. Customer will have the right to remove or require Provider to remove Customer Data from the systems of Provider or any Provider agents. Provider will not destroy or purge any Customer Data without Customer's consent and the opportunity to have the Customer Data returned to Customer.

49 49 And another: Unless Customer provides prior written consent, all services under the Agreement must be performed in, and all Customer Data must be hosted and stored by Provider in and processed and accessed by Provider from, the United States or the jurisdiction indicated on the applicable order from where the services were requested by Customer or from where the data first originated or was submitted by Customer (the "Permitted Jurisdiction").

50 50 Last one: Provider acknowledges and agrees that Customer may engage third parties to assist with the administration and execution of Customer's IT program. Accordingly, third party providers (including their personnel and agents), wherever located of any of the Customer Entities ("Third Party Providers") will have the right to access and use as directed by Customer the services and products provided or made available under the Agreement. For the purposes of users authorized to access and use the services and products under the Agreement, authorized users include any of the Customer Entities and their respective employees, contractors, consultants, agents and Third Party Providers unless otherwise directed by Customer. As Customer's agents, Third Party Providers may as specified by Customer (a) be the main point of contact regarding the support services; (b) administer support services provided by Provider under the Agreement with Provider; and (c) review, audit and provide remittance on invoices relating to the Agreement.

51 51 Alternatives Does it mean that you need: More upfront review? A different approach to liability? Other ways to mitigate risk? Insurance Alternate solutions Termination

52 52 Environment Oversight Piecing it all together

53 53 Environment Oversight Identify Key Internal Organization(s) Security IT Facilities Business Units Asset Management Training Continuous Monitoring Security Controls Assessment and Testing Policies and Procedures Reporting

54 54 Environment Management Asset inventories Data mappings

55 55 CIS Critical Security Controls
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7: Email and Web Browser Protections
CSC 8: Malware Defenses
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 10: Data Recovery Capability
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 12: Boundary Defense
CSC 13: Data Protection
CSC 14: Controlled Access Based on the Need to Know
CSC 15: Wireless Access Control
CSC 16: Account Monitoring and Control
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18: Application Software Security
CSC 19: Incident Response and Management
CSC 20: Penetration Tests and Red Team Exercises

56 56 Implementing the Critical Security Controls in the Cloud 4 Jon Mark Allen, jm@allensonthe.net "The Critical Security Controls are a prioritized, highly focused set of actions that have a community support network to make them implementable, usable, scalable, and compliant with all industry or government security requirements." (Center for Internet Security, 2015, p. 6) These controls assume that an organization has management control over the infrastructure of the environment, a condition that is no longer true once cloud resources enter the picture. But those resources can still be protected even with a move to the cloud. The gaps created by this new model can be accounted for by implementing the proper security controls. "The security architect must understand how cloud networks are abstracted from traditional hardware and, therefore, how those networks differ in the way they work versus an on-premise data center." (Mogull, 2015, p. 4)

57 57 Good news (continued Implementing the Critical Security Controls in the Cloud 4) Control 1 - Inventory of Authorized and Unauthorized Devices This control is made significantly simpler in a cloud environment. Since customers are charged based on cloud resource utilization, the full list of devices will be shown at any given time (as well as device history) in the AWS console. Even if the OS build didn't include the other management frameworks (e.g. Microsoft's SCCM) that are normally necessary to manage and keep track of assets. Amazon CloudTrail can also be utilized to log those changes to a dedicated S3 storage bucket for review and analysis as needed.

58 58 Final thoughts No control without: good data on the environment; good data on the data; business acceptance (and adoption) of controls and processes

60 60 THANK YOU!

61 61 Presenter Profile Barbara Murphy Melby, Partner, Morgan Lewis. Barbara Melby has been active in the outsourcing and commercial transaction legal market for the last 20 years. As leader of the firm's outsourcing and strategic commercial transactions practice, and one of the leaders of its privacy and cybersecurity practice, she represents clients in such complex transactions as outsourcing, strategic alliances, technology and data-related agreements, and other services transactions. She also advises businesses on privacy and security issues that arise in transactions involving sensitive data and technologies.

62 62 Presenter Profile Michael L. Pillion, Partner, Morgan Lewis. Michael L. Pillion brings more than 25 years of experience navigating high-stakes transactions to his outsourcing, technology, and commercial transactions practice. He has a diverse client base that spans the health insurance, life sciences, energy, financial services, and real estate industries. He counsels clients in structuring, negotiating, realigning, and terminating information technology (IT) outsourcing and business process outsourcing (BPO) transactions, technology transactions including software as a service (SaaS) and cloud deals, complex commercial transactions including joint ventures, and real estate leasing deals.

63 63 Presenter Profile Megan Gatto, Senior Counsel, Independence Blue Cross. Megan Gatto serves as Senior Counsel in the legal department at Independence Blue Cross. She focuses on commercial agreements such as services and consulting arrangements, outsourcing transactions, technology-related agreements such as licensing, cloud, and "as a service" solutions, and strategic partnerships.


More information

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the

More information

Cloud Vendor Evaluation

Cloud Vendor Evaluation Cloud Vendor Evaluation Checklist Life Sciences in the Cloud Cloud Vendor Evaluation Checklist What to evaluate when choosing a cloud vendor in Life Sciences Cloud computing is radically changing business

More information

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information

More information

Hedge Funds & the Cloud: The Pros, Cons and Considerations

Hedge Funds & the Cloud: The Pros, Cons and Considerations Hedge Funds & the Cloud: The Pros, Cons and Considerations By Mary Beth Hamilton, Director of Marketing, Eze Castle Integration The increased use of cloud-based services is undeniable. Analyst firm Forrester

More information

The Protection Mission a constant endeavor

The Protection Mission a constant endeavor a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring

More information

Building a More Secure and Prosperous Texas through Expanded Cybersecurity

Building a More Secure and Prosperous Texas through Expanded Cybersecurity Building a More Secure and Prosperous Texas through Expanded Cybersecurity Bob Butler Chairman, Texas Cybersecurity, Education and Economic Development Council April 2013 About the Texas Cybersecurity

More information

How not to lose your head in the Cloud: AGIMO guidelines released

How not to lose your head in the Cloud: AGIMO guidelines released How not to lose your head in the Cloud: AGIMO guidelines released 07 December 2011 In brief The Australian Government Information Management Office has released a helpful guide on navigating cloud computing

More information

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant 1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad

More information

Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004

Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004 Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004 1. INTRODUCTION Financial institutions outsource business activities, functions and processes

More information

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview Data protection and compliance In the cloud and in your data center 1 November 2013 Agenda 1 Introduction 2 Data protection overview 3 Understanding the cloud 4 Where do I start? 5 Wrap-up Page 2 Data

More information

Security Management. Keeping the IT Security Administrator Busy

Security Management. Keeping the IT Security Administrator Busy Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

Managing Cloud Computing Risk

Managing Cloud Computing Risk Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify

More information

Cloud Computing Contracts Top Issues for Healthcare Providers

Cloud Computing Contracts Top Issues for Healthcare Providers Cloud Computing Contracts Top Issues for Healthcare Providers North Carolina Bar Association Health Law Section Annual Meeting NC Bar Center Cary, North Carolina April 23, 2015 Presenters Kathryn Brucks,

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Top 20 Critical Security Controls

Top 20 Critical Security Controls Top 20 Critical Security Controls July 2015 Contents Compliance Guide 01 02 03 04 Introduction 1 How Rapid7 Can Help 2 Rapid7 Solutions for the Critical Controls 3 About Rapid7 11 01 INTRODUCTION The Need

More information

The Difference Between Disaster Recovery and Business Continuance

The Difference Between Disaster Recovery and Business Continuance The Difference Between Disaster Recovery and Business Continuance In high school geometry we learned that a square is a rectangle, but a rectangle is not a square. The same analogy applies to business

More information

Vendor Management. Outsourcing Technology Services

Vendor Management. Outsourcing Technology Services Vendor Management Outsourcing Technology Services Objectives Board and Senior Management Responsibilities Risk Management Program Risk Assessment Service Provider Selection Contracts Ongoing Monitoring

More information

CLOUD SERVICES FOR EMS

CLOUD SERVICES FOR EMS CLOUD SERVICES FOR EMS Greg Biegen EMS Software Director Cloud Operations and Security September 12-14, 2016 Agenda EMS Cloud Services Definitions Hosted Service Managed Services Governance Service Delivery

More information

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP A Note discussing written information security programs (WISPs)

More information

Cloud computing Alessandro Galtieri Pavel Klimov Severin Loeffler

Cloud computing Alessandro Galtieri Pavel Klimov Severin Loeffler Cloud computing Alessandro Galtieri, Senior Lawyer, Colt Technology Services, London, UK Pavel Klimov, General Counsel EMEA, Unisys, London, UK Severin Loeffler, Assistant General Counsel, Central Eastern

More information

State of Oregon. State of Oregon 1

State of Oregon. State of Oregon 1 State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information

More information

Attachment A. Identification of Risks/Cybersecurity Governance

Attachment A. Identification of Risks/Cybersecurity Governance Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

More information

OUTSOURCING INVOLVING SHARED COMPUTING SERVICES (INCLUDING CLOUD) 6 July 2015

OUTSOURCING INVOLVING SHARED COMPUTING SERVICES (INCLUDING CLOUD) 6 July 2015 OUTSOURCING INVOLVING SHARED COMPUTING SERVICES (INCLUDING CLOUD) 6 July 2015 Disclaimer and Copyright While APRA endeavours to ensure the quality of this publication, it does not accept any responsibility

More information

Things You Need to Know About Cloud Backup

Things You Need to Know About Cloud Backup Things You Need to Know About Cloud Backup Over the last decade, cloud backup, recovery and restore (BURR) options have emerged as a secure, cost-effective and reliable method of safeguarding the increasing

More information

How Microsoft is taking Privacy by Design to Work. Alan Chan National Technology Officer Microsoft Hong Kong 7 May 2015

How Microsoft is taking Privacy by Design to Work. Alan Chan National Technology Officer Microsoft Hong Kong 7 May 2015 How Microsoft is taking Privacy by Design to Work Alan Chan National Technology Officer Microsoft Hong Kong 7 May 2015 Agenda Introducing the New Microsoft Microsoft privacy principle Protecting privacy

More information

Preemptive security solutions for healthcare

Preemptive security solutions for healthcare Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare

More information

What You Need to Know About Cloud Backup: Your Guide to Cost, Security, and Flexibility

What You Need to Know About Cloud Backup: Your Guide to Cost, Security, and Flexibility Your Guide to Cost, Security, and Flexibility What You Need to Know About Cloud Backup: Your Guide to Cost, Security, and Flexibility 10 common questions answered Over the last decade, cloud backup, recovery

More information

Looking at the SANS 20 Critical Security Controls

Looking at the SANS 20 Critical Security Controls Looking at the SANS 20 Critical Security Controls Mapping the SANS 20 to NIST 800-53 to ISO 27002 by Brad C. Johnson The SANS 20 Overview SANS has created the 20 Critical Security Controls as a way of

More information

White Paper on Financial Institution Vendor Management

White Paper on Financial Institution Vendor Management White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety

More information

INFORMATION SECURITY California Maritime Academy

INFORMATION SECURITY California Maritime Academy CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California Maritime Academy Audit Report 14-54 April 8, 2015 Senior Director: Mike Caldera IT Audit Manager:

More information

THE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS

THE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS THE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS Data Law Group, P.C. Kari Kelly Deborah Shinbein YOU CAN T OUTSOURCE COMPLIANCE! Various statutes and regulations govern

More information

Instructions for Completing the Information Technology Officer s Questionnaire

Instructions for Completing the Information Technology Officer s Questionnaire Instructions for Completing the The (Questionnaire) contains questions covering significant areas of a bank s information technology (IT) function. Your responses to these questions will help determine

More information

Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions

Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions Financial Conduct Authority Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions Introduction 1. A firm has many choices when designing its operating model

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Technology Risk Management

Technology Risk Management 1 Monetary Authority of Singapore Technology Risk Guidelines & Notices New Requirements for Financial Services Industry Mark Ames Director, Seminar Program ISACA Singapore 2 MAS Supervisory Framework Impact

More information

Cloud Computing Contracts. October 11, 2012

Cloud Computing Contracts. October 11, 2012 Cloud Computing Contracts October 11, 2012 Lorene Novakowski Karam Bayrakal Covering Cloud Computing Cloud Computing Defined Models Manage Cloud Computing Risk Mitigation Strategy Privacy Contracts Best

More information

Securing The Cloud With Confidence. Opinion Piece

Securing The Cloud With Confidence. Opinion Piece Securing The Cloud With Confidence Opinion Piece 1 Securing the cloud with confidence Contents Introduction 03 Don t outsource what you don t understand 03 Steps towards control 04 Due diligence 04 F-discovery

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Information security due diligence

Information security due diligence web applications and websites W A T S O N H A L L Watson Hall Ltd London 020 7183 3710 Edinburgh 0131 510 2001 info@watsonhall.com www.watsonhall.com Identifying information security risk for web applications

More information

Five keys to a more secure data environment

Five keys to a more secure data environment Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational

More information

HIPAA Compliance Evaluation Report

HIPAA Compliance Evaluation Report Jun29,2016 HIPAA Compliance Evaluation Report Custom HIPAA Risk Evaluation provided for: OF Date of Report 10/13/2014 Findings Each section of the pie chart represents the HIPAA compliance risk determinations

More information

How To Protect Your Data From Being Hacked

How To Protect Your Data From Being Hacked Data Security and the Cloud TABLE OF CONTENTS DATA SECURITY AND THE CLOUD EXECUTIVE SUMMARY PAGE 3 CHAPTER 1 CHAPTER 2 CHAPTER 3 CHAPTER 4 CHAPTER 5 PAGE 4 PAGE 5 PAGE 6 PAGE 8 PAGE 9 DATA SECURITY: HOW

More information

HITRUST CSF Assurance Program

HITRUST CSF Assurance Program HITRUST CSF Assurance Program Simplifying the information protection of healthcare data 1 May 2015 2015 HITRUST LLC, Frisco, TX. All Rights Reserved Table of Contents Background CSF Assurance Program Overview

More information

Anypoint Platform Cloud Security and Compliance. Whitepaper

Anypoint Platform Cloud Security and Compliance. Whitepaper Anypoint Platform Cloud Security and Compliance Whitepaper 1 Overview Security is a top concern when evaluating cloud services, whether it be physical, network, infrastructure, platform or data security.

More information

Teradata and Protegrity High-Value Protection for High-Value Data

Teradata and Protegrity High-Value Protection for High-Value Data Teradata and Protegrity High-Value Protection for High-Value Data 03.16 EB7178 DATA SECURITY Table of Contents 2 Data-Centric Security: Providing High-Value Protection for High-Value Data 3 Visibility:

More information

A COMPLETE GUIDE HOW TO CHOOSE A CLOUD-TO-CLOUD BACKUP PROVIDER FOR THE ENTERPRISE

A COMPLETE GUIDE HOW TO CHOOSE A CLOUD-TO-CLOUD BACKUP PROVIDER FOR THE ENTERPRISE A COMPLETE GUIDE HOW TO CHOOSE A CLOUD-TO-CLOUD BACKUP PROVIDER FOR THE ENTERPRISE Contents How to Buy Cloud-to-Cloud Backup...................... 4 Wait What is Cloud-to-Cloud Backup?.....................

More information

The Keys to the Cloud: The Essentials of Cloud Contracting

The Keys to the Cloud: The Essentials of Cloud Contracting The Keys to the Cloud: The Essentials of Cloud Contracting September 30, 2014 Bert Kaminski Assistant General Counsel, Oracle North America Ken Adler Partner, Loeb & Loeb LLP Akiba Stern Partner, Loeb

More information

Cloud Computing In a Post Snowden World. Guy Wiggins, Kelley Drye & Warren LLP Alicia Lowery Rosenbaum, Microsoft Legal and Corporate Affairs

Cloud Computing In a Post Snowden World. Guy Wiggins, Kelley Drye & Warren LLP Alicia Lowery Rosenbaum, Microsoft Legal and Corporate Affairs Cloud Computing In a Post Snowden World Guy Wiggins, Kelley Drye & Warren LLP Alicia Lowery Rosenbaum, Microsoft Legal and Corporate Affairs Guy Wiggins Director of Practice Management Kelley Drye & Warren

More information

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP

More information

Service Schedule for CLOUD SERVICES

Service Schedule for CLOUD SERVICES Service Schedule for CLOUD SERVICES This Service Schedule is effective for Cloud Services provided on or after 1 September 2013. Terms and Conditions applicable to Cloud Services provided prior to this

More information

What you need to know about cloud backup: your guide to cost, security, and flexibility. 8 common questions answered

What you need to know about cloud backup: your guide to cost, security, and flexibility. 8 common questions answered What you need to know about cloud backup: your guide to cost, security, and flexibility. 8 common questions answered Over the last decade, cloud backup, recovery and restore (BURR) options have emerged

More information

Security Controls in Service Management

Security Controls in Service Management Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Security

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

{Moving to the cloud}

{Moving to the cloud} {Moving to the cloud} plantemoran.com doesn t mean outsourcing your security controls. Cloud computing is a strategic move. Its impact will have a ripple effect throughout an organization. You don t have

More information

RMS. Privacy Policy for RMS Hosting Plus and RMS(one) Guiding Principles

RMS. Privacy Policy for RMS Hosting Plus and RMS(one) Guiding Principles RMS Privacy Policy for RMS Hosting Plus and RMS(one) Guiding Principles RMS Privacy Policy for RMS Hosting Plus and RMS(one) Guiding Principles RMS aims to provide the most secure, the most private, and

More information

Cloud Security and Managing Use Risks

Cloud Security and Managing Use Risks Carl F. Allen, CISM, CRISC, MBA Director, Information Systems Security Intermountain Healthcare Regulatory Compliance External Audit Legal and ediscovery Information Security Architecture Models Access

More information

HIPAA in the Cloud How to Effectively Collaborate with Cloud Providers

HIPAA in the Cloud How to Effectively Collaborate with Cloud Providers How to Effectively Collaborate with Cloud Providers Agenda Overview of Topics Covered Agenda Evolution of the Cloud Comparison of Private vs. Public Clouds Other Regulatory Frameworks Similar to HIPAA

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

Patient Privacy and Security. Presented by, Jeffery Daigrepont

Patient Privacy and Security. Presented by, Jeffery Daigrepont Patient Privacy and Security Presented by, Jeffery Daigrepont Jeffery Daigrepont, SVP No Financial Conflicts to Report Jeffery Daigrepont, Senior Vice President of The Coker Group, specializes in health

More information

eguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life

eguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life Executive s Guide to Windows Server 2003 End of Life Facts About Windows Server 2003 Introduction On July 14, 2015 Microsoft will end support for Windows Sever 2003 and Windows Server 2003 R2. Like Windows

More information

Overview of Topics Covered

Overview of Topics Covered How to Effectively Collaborate with Cloud Providers Agenda Overview of Topics Covered Agenda Evolution of the Cloud Comparison of Private vs. Public Clouds Other Regulatory Frameworks Similar to HIPAA

More information

Cloud Computing: Risks and Auditing

Cloud Computing: Risks and Auditing IIA Chicago Chapter 53 rd Annual Seminar April 15, 2013, Donald E. Stephens Convention Center @IIAChicago #IIACHI Cloud Computing: Risks Auditing Phil Lageschulte/Partner/KPMG Sailesh Gadia/Director/KPMG

More information

Defending Against Data Beaches: Internal Controls for Cybersecurity

Defending Against Data Beaches: Internal Controls for Cybersecurity Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity

More information

Review of the Tax and License Collection and Distribution System

Review of the Tax and License Collection and Distribution System Review of the Tax and License Collection and Distribution System May 4, 2012 Report No. 12-09 Evan A. Lukic, CPA County Auditor Table of Contents Topic Page Executive Summary... 3 Scope, Objectives and

More information

Managed Services. Business Intelligence Solutions

Managed Services. Business Intelligence Solutions Managed Services Business Intelligence Solutions Business Intelligence Solutions provides an array of strategic technology services for life science companies and healthcare providers. Our Managed Services

More information

Information Security Program

Information Security Program Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security

More information

GUIDANCE FOR MANAGING THIRD-PARTY RISK

GUIDANCE FOR MANAGING THIRD-PARTY RISK GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,

More information

Securing the Microsoft Cloud

Securing the Microsoft Cloud Securing the Microsoft Cloud Securing the Microsoft Cloud Page 1 Securing the Microsoft Cloud Microsoft recognizes that trust is necessary for organizations and consumers to fully embrace and benefit from

More information