Data Privacy, Security, and Risk Management in the Cloud




Data Privacy, Security, and Risk Management in the Cloud
Speakers: Diana S. Hare, Associate General Counsel and Chief Privacy Counsel, Drexel University; David W. Opderbeck, Counsel, Gibbons P.C.; Robin Rosenberg, Associate General Counsel, Sallie Mae. Moderated by Scott J. Etish, Director, Gibbons P.C. http://delvacca.acc.com

What is The Cloud?
"[A] model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction." (NIST Cloud Security Guidelines)
Service models: Software as a Service (software license); Platform as a Service; Infrastructure as a Service.

Why Look to the Cloud?
Staff Specialization; Resource Availability / Scalability; Mobile Endpoints; Platform Robustness; Backup and Recovery; Data Concentration.
Source: NIST Guidelines on Security and Privacy in Public Cloud Computing

Risk in the Cloud: Control Points
Layers of the stack: Application; Platform Architecture; Virtualized Infrastructure; Hardware; Facility. Which layers are controlled by the Cloud Consumer and which by the Cloud Provider shifts with the service model (IaaS, PaaS, SaaS).
Source: NIST Guidelines on Security and Privacy in Public Cloud Computing

Legal Risks
Data Ownership and Accessibility; Increased Complexity and Attack Surface; E-discovery Obligations; Identity and Access Management; Availability, Outages and Recovery; Incident Response.
Source: NIST Guidelines on Security and Privacy in Public Cloud Computing

Best Practices for Mitigating Cloud Risks
Due Diligence; Contractual Obligations; Insurance.
Source: NIST Guidelines on Security and Privacy in Public Cloud Computing

Due Diligence Checklist
During the due diligence process, data security, privacy, and compliance are key issues. Comprehensive due diligence is needed.
First step: determine what type of information (data elements) will be at issue. Get accurate information from business owners about which types of information are sensitive. Consider preparing a data map showing the flow of sensitive information and everything that happens when contractors are brought in. It is critical to understand the data elements.
After gaining an in-depth understanding of the company's information, focus on the preapproval process with vendors.

Due Diligence Checklist
Key questions to ask potential vendors regarding data security and privacy during the preapproval process:
Location of data: Where will data be stored? Where will it move? Offshore? If so, will foreign laws apply? EU?
Data protection: What protection does the vendor have? How will information be protected? Controls for detection? Physical security? Other safety measures? Encryption?
Insurance coverage: What insurance does the vendor have?
Disaster recovery plan: Is there a plan in place? How would the plan apply to the information at issue? What if the vendor goes out of business?

Due Diligence Checklist
What can happen if you don't do these things? Do your research; laws are ever changing.
Understand relevant standards and regulations, which depend on the industry.
Ongoing vendor risk management: responsibilities do not end when the contract is signed. Carefully monitor security and privacy controls throughout the contract.

Contractual Obligations Checklist
Limitation of liability: tends to be the last issue resolved during negotiation of the contract. Uncapped? Vendors tend to be more hesitant to agree to uncapped liability.
Responsible party: What is the vendor responsible for following a data breach? Just the breach? What happens if the vendor did not do anything wrong? Who bears the responsibility?
Indemnification: requirements for vendors to indemnify the client for breach of security and confidentiality obligations.
Preapproval of subcontractors: a requirement in the contract that the client must approve any subcontractors the vendor may attempt to utilize.

Contractual Obligations Checklist
Security provisions: include a list of security requirements in an exhibit to the contract. This exhibit allows the client to outline specific tasks and obligations, including requirements such as encryption.
Security audit / right to request additional information: include a provision allowing the client to request additional information regarding security.
Notification of security incidents: include a provision outlining the vendor's responsibility to notify the client of any security incidents, in addition to the steps the vendor will take to resolve the issue.
Statutory obligations: the contract may need to include specific provisions based on relevant statutory obligations (e.g., GLBA, HIPAA, PCI), depending on the industry.

Contractual Obligations Checklist
Interplay between confidentiality and security provisions: the client may have uncapped liability for breach of confidentiality, but the vendor pushes back on uncapped liability for breach of security. Is there a distinction to be made between the two?
Insurance provision: include a provision requiring the vendor to carry insurance, specifying the type and amount of coverage required.
SOC reports: consider including a provision requiring the vendor to provide SOC or audit reports on an annual basis. This provides a way to monitor the vendor via a third-party auditor.
Termination: the contract will need to address what happens at the end of the relationship. How does the client get access to the data? What requirements will be asked of the vendor?
Confidentiality: similar to termination, address confidentiality issues at the end of the relationship. What if the vendor wants to maintain records?

The Changing Cyber Risk Insurance Market
Coverage under CGL policies: Personal and Advertising Injury Liability; Exclusions for Electronic Data; Zurich American Ins. Co. v. Sony Corp., No. 651982/2011 (N.Y. Sup. Ct.); New ISO Endorsements and Exclusions.
Other traditional coverage: Property; D&O; E&O.

Insurance Checklist
Make sure you require the vendor to have insurance to address a potential data breach.
Make sure to include the requirement for the vendor to carry insurance in the contract.
Collaborate with risk colleagues to determine the appropriate value of insurance for the vendor to carry.
In addition to requiring the vendor to carry insurance, consider whether carrying additional insurance, separate from the insurance the vendor is required to carry, is needed.

Insurance: So Many Options
What type of insurance is appropriate? First-party or third-party?
Third-party coverage includes: litigation and regulatory; regulatory response; notification costs; crisis management; credit monitoring; media liability; and privacy liability.
First-party coverage includes: theft and fraud; forensic investigation; business interruption; extortion; and computer data loss and restoration.
What type of insurance is right for your company?

Insurance: Miscellaneous Issues
Understand existing coverage: determine whether it protects against cyber risks.
Retroactive coverage: many breaches go undetected for long periods of time, so make sure that cyber insurance covers a potential ongoing breach.
Acts and omissions by third parties: since most companies outsource numerous responsibilities for handling electronic information, make sure that cyber insurance covers acts and omissions of third parties.
Data restoration costs: consider coverage to account for the cost of restoring data.
Interplay between cyber insurance and indemnity: understand the relationship between cyber insurance and indemnity agreements. Make sure that a payment by a third party under an indemnity agreement satisfies the retention requirement.

Questions? Thank you