THE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS

Transcription

1 THE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS Data Law Group, P.C. Kari Kelly Deborah Shinbein

2 YOU CAN T OUTSOURCE COMPLIANCE! Various statutes and regulations govern the privacy and security of personally identifiable information ( PII ) Complex patchwork of federal and state laws, industry sector laws and regulations, and international laws When companies use third party vendors to collect, process, or provide other data management services, the company is responsible to ensure the vendors maintain security practices in accordance with applicable laws and regulations governing the company s PII Before engaging a vendor, be sure it can comply on your behalf Take adequate internal precautions to prevent unauthorized access This presentation is just a brief overview of applicable laws, security precautions, and other considerations, there are many more!

3 WHAT IS HIPAA & HITECH? HIPAA is the Health Insurance Portability and Accountability Act specifies laws for the protection and use of Personal (or Protected) Health Information (PHI) in medical records. HITECH is the Health Information Technology for Economic and Clinical Health Act applicable to Electronic Medical Records. Requires 3 things: Integrity of information the medical record must be accurate Confidentiality The medical record should only be seen by those with a need to know and all uses of that data should be knowable by the individual. Availability The medical record must be available, in essence, no reasonably avoidable downtime.

4 WHAT IS A BUSINESS ASSOCIATE? A BA is a service provider to a Covered Entity that requires access the Protected Health Information of their customers to provide services under a Business Associate Agreement. BA s, their contractors and covered entities must comply with the technical, administrative and safeguard requirements and disclosure limitations in the Privacy Rule and as set out in the Business Associate Agreement with its clients. Examples of BAs: Bill processing company that sends medical invoices & processes payments Cloud providers that host and perform managed services for covered entities (new definition under the Omnibus Rules) Outsourced call centers

5 GRAHAM-LEACH-BLILEY ACT Applies to any Financial Institution - defined as any U.S. Company that is significantly engaged in financial activities. It regulates the way that a financial institution manages nonpublic personal information and consumer financial information. Requires Financial Institutions to enter into contracts with third party vendor or service provider that has access to the NPI or consumer financial information. Implemented by numerous regulatory bodies: FTC SEC CFPB OCC

6 VENDOR MANAGEMENT: COMPLYING WITH THE SAFEGUARDS RULE The Safeguards Rule requires companies to develop a Written Information Security Plan (WISP) that describes their program to protect customer information. As part of its plan, each company must take various measures including: selecting service providers that can maintain appropriate safeguards make sure your contract requires them to maintain safeguards oversee their handling of customer information The plan must be appropriate to: the company s size and complexity, the nature and scope of its activities and the sensitivity of the customer information it handles

7 PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS This is an industry standard applicable to organizations that hold, process or exchange credit card information Defines controls to ensure that consumer data is not exposed to identity fraud and theft Not itself a law, but incorporated into various state laws Using a third party to process, store or transmit credit card information does not remove a merchant s obligation to comply with PCI for these functions Merchants required to maintain a written agreements with services providers acknowledging that the service providers are responsible for the security of cardholder data the service providers possess

8 MASSACHUSETTS INFORMATION SECURITY LAW Applies to any entity that receives, stores, maintains, processes, or has access to certain PII of a MA resident (even if company is not in MA) Triggers: SSN, drivers license, credit/debit or financial account Organizations have a legal responsibility to ensure the following regarding service providers with access to PII: Select and retain providers capable of maintaining appropriate security measures for PII Contractually require service providers to maintain safeguards Requires updates for contracts created before March 2010

9 VARIOUS STATE LAWS Many states have information security laws with specific requirements even for entities located elsewhere if the entity interacts with certain PII from residents of the state. Nevada requires encryption of PII transmitted outside company's secure system both in transit and when stored on a device California requires reasonable security measures appropriate to the nature of information Numerous other state laws, information security, data destruction, breach notification, and other requirements.

10 FEDERAL TRADE COMMISSION FTC has authority to enforce against unfair and deceptive trade practices Has brought more than 50 enforcement actions related to security breaches (misrepresenting security is deceptive, inadequate security is unfair) Often focused on companies not maintaining privacy/security promises to consumers, whether themselves or their vendors FTC holds companies responsible for their vendor s failures if the company did not take reasonable measures, etc.

11 FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA) Applies to educational institutions that receive any federal funding Prohibits disclosure of students education records (broadly defined) without written parent or eligible student consent Includes education records maintained by a third party on behalf of the school Allowing a service provider to access, process, or store education records with PII may be deemed a disclosure, so the service provider must comply with FERPA

12 SARBANES-OXLEY Establishes a set of requirements for financial systems, to deter fraud and increase corporate accountability Dictates which records must be stored, for how long, Third parties must comply and must be overseen Data owner is required to know the location of data in the cloud/elsewhere and to maintain control over it

13 RED FLAGS RULE Requires financial institutions and creditors that hold any "covered account" to develop and implement an Identity Theft Prevention Program Must monitor the activities of service providers that conduct activities that are specifically covered by the rule or that are considered to be at risk for identity theft Vendors must apply similar standards the company would if it were performing the tasks itself Implement procedures to detect red flags, reporting policies and certain prevention measures FTC holds companies responsible for compliance by vendors

14 DIFFERENT LEGAL APPROACHES Some laws/agencies require companies to generally pass on their obligations to vendors that accesses or receive regulated personal information (GLBA, HIPAA, FERPA, and FTC Act enforcements) Some say companies have to monitor the vendors and what that involves (Massachusetts/CFPB) Some say you have to monitor the vendors appropriately, but generally leave it up to you to decide what that entails.

15 BEST PRACTICES DURING EACH STAGE OF THE VENDOR RELATIONSHIP (CUSTOMER PERSPECTIVE)

16 EVALUATE THE VENDOR: 1. DUE DILIGENCE General Due Diligence: before digging into security requirements, evaluate the vendor s general suitability as a trusted business partner: Reputation get appropriate references from former or current clients Similar clients to your business/depth of experience Financial Condition Insurance Type of coverage and limitations (cyber liability if applicable) Employee training and awareness Vendor incident response plan, business continuity and disaster/recovery plan.

17 2. INFORMATION SECURITY DUE DILIGENCE Perform a thorough analysis of the vendor s security capabilities. Remember that you may be trusting your entire business reputation to this vendor and if it suffers a security breach with your PII, you will suffer Create a vendor questionnaire so the vendor can provide details on the following (and copies of plans/policies/procedures where appropriate) Perform site visits/audits to see if vendor is complying with its policies and responses

18 VENDOR QUESTIONNAIRE Do you have a written information security program (include a copy) Evaluate based on legal requirements depending on type data Do you have ongoing compliance training programs for individuals who would handle data Do you require employee background checks What is your data governance structure and process How do you identify, analyze and evaluate risks and options for handling risks What controls do you have in place for risks How often do you monitor and review your security program

19 VENDOR QUESTIONNAIRE (CONTINUED) Describe the scope and boundaries of your information security management system (security policies, etc.) How do you monitor firewalls Do you have a data classification policy? Do you have a data retention/destruction policy? What type of encryption to you use (at different stages in data lifecycle) How is data shared with customers and business partners? Do you everything? How do you limit access to your network?

20 VENDOR QUESTIONNAIRE (CONTINUED) What physical controls do you have in place to prevent theft of data? Are external audits performed on a regular basis? What third party certifications do you have (include audits, etc.) There are MANY more questions to ask (tailored depending on nature of services, type of data, applicable laws/regs, etc.) To address the current lack of standards in cloud services, the Cloud Security Alliance recently proposed the Trusted Cloud Initiative with the goal of developing industry-recommended infrastructure and security configurations and practices. Questionnaire to use when selecting cloud service providers

21 EVALUATE THE VENDOR: 3. THIRD PARTY STANDARDS Vendors can show credibility via audits using accepted third party standards SSAE 16 NIST ISO

22 SSAE 16 STANDARDS SSAE 16 Attestation Replaces SAS 70 certification Attestation is a written statement by key executives that contains essential clauses describing the system and a statement on the suitability of the design and operating effectiveness of various controls

23 SOC 1 & 2 STANDARDS SOC 1 focus is on the internal controls for a service provider over financial reporting SOC 2 is most relevant for IT portion of GLBA Safeguards Rule that requires IT system controls and HIPAA Security Rule compliance Focuses on information technology security controls, availability, processing integrity, confidentiality and privacy principles.

24 SOC 3 STANDARDS SOC 3 Trust Services and Criteria for online businesses: Security Availability Processing Integrity Confidentiality Privacy

25 NIST U.S. STANDARDS FOR INFORMATION TECHNOLOGY National Institute of Standards in Technology Emphasis on state-of-the-art management, operational, and technical security controls Used in government contracting

26 INTERNATIONAL STANDARDS ISO Standards International voluntary standards for business process, information security management (ISO 27001) Certain internationally accredited entities can audit or certify that an organization meets specified ISO standards. An ISO certification specifies requirements for the establishment, implementation, monitoring, review, maintenance and improvement of system to manage an organization s information security risks.

27 CONSIDERATIONS BEFORE THE RELATIONSHIP BEGINS Determine appropriate level of vendor access: In addition to evaluating the vendor s general security capabilities, consider the specific needs in this situation, how the vendor s access to PII and systems can be limited to protect your company s confidential information. Basic concepts: Ensure the vendor has no greater access than necessary Compartmentalize data, Limit access to people who need it

28 CONSIDERATIONS BEFORE THE RELATIONSHIP BEGINS (CONTINUED) Is access ongoing, only once, or intermittent E.g. is this a one time software installation project which does not require the continued access to PII or an outsourcing arrangement where vendor will have ongoing access to the PII? Are there technical controls that can alleviate the need for certain access? Can access be limited to specified individuals or departments? Determine when are various types of encryption/security requirements applicable? Encryption in transit vs. at rest

29 CONSIDERATIONS BEFORE THE RELATIONSHIP BEGINS (CONTINUED) Limit Access/Segregate Systems Ensure systems are segregated Consider all systems connected into the main network/internet, even if not data-specific systems (e.g. video monitoring, HVAC, others) While retailers build defenses around their payment systems, they may not invest as heavily in protecting the systems used by building management Ensure measures can be implemented to limit access to systems once a vendor is inside the company s perimeter Many networks guard against intrusion but expect trust once inside the walls

30 CONSIDERATIONS BEFORE THE RELATIONSHIP BEGINS (CONTINUED) Document all data and systems potentially implicated by the relationship Notify department managers and collaborate re: planned implementation Determine point of contact for all aspects of the relationship Ensure your company s own WISP and procedures allow for use of the vendor and contain appropriate guidance/security measures Perform risk assessment based on use of the vendor and the project

31 CONSIDERATIONS BEFORE THE RELATIONSHIP BEGINS (CONTINUED) Evaluate optimal point of transfer Transfer between the procuring organization and the vendor is a potential vulnerable spot Design and implement secure methods of transfer and access Determine appropriate data retention and destruction schedule Include required means of disposal (consider state/industry laws)

32 INTERNATIONAL CONSIDERATIONS Other factors must be evaluated if the vendor is in another country or if data will be transferred or stored there May be more difficult for customer (and data subject if applicable) to gain immediate access (required by some laws) May provide international jurisdiction if data is in other countries Difficult to investigate or litigate against foreign offenders May add compliance hurdles to the extent data is transferred from a foreign country

33 READY TO PROCEED: NEGOTIATING VENDOR CONTRACTS Key considerations: Contractually shift responsibility when you trust an outside entity with data However remember the legal obligation is your own you can t outsource compliance obligations Evaluate whether to include specific/detailed requirements or merely require compliance with applicable laws/regulations

34 NEGOTIATING VENDOR CONTRACTS: Clearly define all types of data to be accessed, collected, processed, etc. If trying to limit what vendor can access, consider making the definition narrow and based on specific time periods Ownership and license of data Distinguish between different types of data if applicable (e.g. PII and aggregate de-identified data) Do rights change after transfer or processing of certain data? License grant/reservation of rights if applicable

35 NEGOTIATING VENDOR CONTRACTS Restrictions on vendor access and use of PII Specify use parameters Only in the performance of this agreement List permitted means of access, how data will be exported to processor, etc. (or as instructed by customer) Encryption/security requirements applicable during this process if different than remainder of contract Timing limitations

36 NEGOTIATING VENDOR CONTRACTS Information Security Requirements Typically in an addendum Specific IT measures to comply with acceptable industry practices: encryption of data (in transit, at rest, web-facing applications) firewalls network security mobile security access controls/authentication segregation of vendor s data/systems vendor application of latest security patches Employee background checks/training Limit physical access to facilities Other requirements based on applicable laws Data centers: location requirements needed if processing PII or ephi to comply with data import/export regulations and local laws

37 NEGOTIATING VENDOR CONTRACTS Audit and Monitoring Rights Third party audit of vendor s IT security practices, inspection of data centers confirm vendor's infrastructure and security practices via an onsite inspection at least at least once per year specify what this should cover customer selects the auditor Note: be sure you want this, if no corrective actions taken, may be deemed negligent HIPAA requires if HCP is aware of ongoing conduct by a BA that violates HIPAA, the HCP must intervene Audit data collected/accessed, other aspects of contract performance Consider monitoring software

38 NEGOTIATING VENDOR CONTRACTS Security Breach Notification and Disclosures Immediately notify customer of all suspected breaches (specify details) Procedures vendor must follow in the event of a breach Investigation details (timing, approved by customer, vendor pays) What vendor has done/will do to mitigate potential damage, prevent future breaches Notification to consumer Require compliance with various state/industry breach notification laws Customer approves (or controls) all public communications Vendor pays costs for notification program, credit monitoring, etc.

39 NEGOTIATING VENDOR CONTRACTS Compliance With Laws Require the vendor to comply with all applicable information security and privacy laws and regulations Include an additional list if vendor may not be aware of some for your industry Confidentiality Obligations Data, results of processing, other relevant business information Require notification to customer of any subpoenas/other requests by government or third parties for data Access limitations legitimate business need to know Survival of obligation of confidentiality post termination Require the vendor to return, or destroy, all data in the vendor s possession or control Compliance with applicable data destruction laws

40 NEGOTIATING VENDOR CONTRACTS Personnel and Subcontractors Right to approve key people on the project Right to prohibit/approve use of any subcontractors Background check, training, monitoring, other restrictions Contractual requirements for subcontractors

41 NEGOTIATING VENDOR CONTRACTS Service Level Agreements Uptime guarantees Error response and remediation timing Support contacts, timing, escalation procedures Based on how critical Notification before suspension of services Maintenance windows late night/early morning Penalties for noncompliance credits, termination rights Reporting daily, monthly, only when downtime or errors occur? Monetary credits for failure to meet standards Emergency resource allocation: preferential treatment and allocation of vendor s resources for customer (or no less favorable than others) if a disaster or emergency occurs

42 NEGOTIATING VENDOR CONTRACTS Risk Allocation Provisions Limitation liability Indemnification by vendor Additional indemnification re: all costs related to security breach

43 NEGOTIATING VENDOR CONTRACTS Termination Issues Include threshold for SLA violations or certain breaches for which no cure is allowed Post termination obligations transition assistance data transfer (customer designates format)

44 NEGOTIATING VENDOR CONTRACTS Insurance Requirements Cyber insurance covering both data loss and data breach response General commercial liability, other as applicable Additional insured

45 REPRESENTING THE VENDOR Don t accept greater access than you need for the project In contract negotiations, remove sections not necessary if you don t have PII/ePHI, etc. If customer refuses, add if applicable or if vendor receives PII in performance of this agreement etc. Keep track of the requirements of different customers Designate team members responsible Audit your own practices to ensure compliance with customer requirements Consider industry certifications to easy compliance with customer requests Maintain industry best practices for IT security/uptime as applicable Be prepared to meet reporting obligations/error response times in the event of outages (per SLA)

46 IMPROVING EXISTING VENDOR RELATIONSHIPS Create an inventory of all vendors, partners, others What service are they providing What information can they access Ask current vendors the questions you would now ask a potential new vendor (assess their security measures, etc.) Determine if existing vendors should be audited or if you can obtain copies of annual audits already being done Make sure your company has its own privacy/security policies, procedures, training, risk assessments, remediation measures, communication plans, and monitoring applicable to vendors Collaborate with your company s business unit managers to understand what type of vendor services are required at each stage of the information life cycle

47 THANK YOU! PLEASE CONTACT US WITH QUESTIONS: Deborah Shinbein, CIPP/US Kari Kelly