Trust in the Cloud Legal and Regulatory Framework


Trust in the Cloud: Legal and Regulatory Framework
Cloud Security Alliance, San Francisco, CA, February 26, 2014
Francoise Gilbert, JD, CIPP, Managing Director, IT Law Group
2014 IT Law Group. All Rights Reserved.

The House of Cards
The cloud ecosystem is very fragile. It is a huge house of cards where layers sit on top of other layers. If one layer fails, the house of cards is likely to collapse.

The cloud is based on dependencies. An organization depends on many others to operate. The glue that can help keep the cloud house of cards from collapsing is made of:
- Transparency
- Accountability
- Trust

General Principles
An organization:
- Is responsible for data under its control, including data that have been transferred to third parties for processing
- Should implement policies and practices to protect data in its custody, including:
  - Implementing procedures to protect the privacy and security of personal information
  - Training staff on the organization's policies and practices
  - Developing information to explain the organization's policies and procedures
- Should use contractual or other means to provide comparable levels of protection while the data are being processed by a third party

In Practice: A Recipe for Trust?
- Comply with applicable laws
- Abide by the promises made in contracts
- Implement appropriate measures to protect the privacy and security of data in the company's custody
  - Relevant to the type of data to be protected
  - Taking into account the state of technology and the threats to the data
- Require the same from contractors and service providers
- Communicate clearly with constituents (customers, employees, business partners)
  - Clear, detailed, understandable disclosures
  - Metrics, certification, attestation

Compliance with Applicable Laws

FTC Consent Decrees
Recent FTC actions for lax security practices:
- GMR Transcription Services, Inc. (Jan 31, 2014): provider of medical transcription services
- Foru International Corporation (Jan 7, 2014): manufacturer of nutritional supplements
- GeneLink (Jan 7, 2014): manufacturer of nutritional supplements
- Accretive Health, Inc. (Dec 31, 2013): medical billing and revenue management service for hospitals
- TRENDnet, Inc. (Sep 4, 2013): telesurveillance service

FTC Consent Decree Requirements
- Designate employee(s) to coordinate and be accountable for the information security program
- Identify material internal and external risks to the security, confidentiality, and integrity of personal data that could result in unauthorized disclosure, misuse, loss, etc.
- Assess the sufficiency of the safeguards in place to control these risks, especially in:
  - Information systems
  - Employee training and management
  - Prevention, detection, and response to attacks
- Design and implement reasonable safeguards to control the risks
- Regularly test and monitor the effectiveness of the safeguards
- Develop and use reasonable steps to select and retain service providers capable of maintaining security practices consistent with the order, and require them by contract to establish, implement, and maintain appropriate safeguards
- Evaluate and adjust the program in light of the results of the testing and monitoring

HIPAA - Privacy & Security Rules
- Security Rule, 45 CFR 164.300 et seq.: 45 requirements, including
  - Administrative Safeguards
  - Physical Safeguards
  - Technical Safeguards
- Breach Notification Rule, 45 CFR 164.400 et seq. (covered entities) and 16 CFR 318 (PHR vendors and related entities)
  - Notification of individuals
  - Notification of the Secretary (covered entities) or the FTC (PHR vendors)
  - Notification of the media
- Privacy Rule, 45 CFR 164.500 et seq.

HIPAA - Business Associates
- 45 CFR 164.308(b)(1): A covered entity may permit a business associate to create, receive, maintain, or transmit ePHI on the covered entity's behalf ONLY if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information
- 45 CFR 164.308(b)(3): The organization must document the satisfactory assurances through a written contract or other arrangement with the business associate that meets the requirements

European Union: Data Controllers
EU Data Protection Directive (95/46/EC) + implementation in the EU Member States' national laws
Article 17, Security of the Processing:
- Subsection 1: [Data] controllers must implement appropriate technical and organizational measures to protect personal data against ... all unlawful forms of processing. Such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
- Subsection 2: The [data] controller must, where the processing is carried out on its behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.

European Union: Data Processors
EU Data Protection Directive, Article 17, Security of the Processing:
- Subsection 3: The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller, and stipulating, in particular, that:
  - The processor shall act only on instructions from the controller
  - The obligations [to implement appropriate technical and organizational measures to protect personal data] shall also be incumbent on the processor
- Subsection 4: For the purposes of keeping proof, the parts of the contract or legal act relating to data protection and the requirements relating to the [technical and organizational security measures] shall be in writing or in another equivalent form.

European Union: Cross-border Data Transfer Restrictions
EU Data Protection Directive + EU Member States' national laws
- Article 25: Cross-border data transfer out of the EU/EEA is prohibited unless the third country in question ensures an adequate level of protection
- Article 26(2): Cross-border data transfer is permitted if the controller adduces adequate safeguards with respect to the protection of the privacy of individuals; such safeguards may result from appropriate contractual clauses
Implemented in:
- Standard Contractual Clauses
- Safe Harbor Program (note: after this talk, the Safe Harbor framework was invalidated by the Court of Justice of the EU in October 2015)

US/EU Safe Harbor Principles
- Notice / Choice / Access Principles
- Security Principle: Take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction
- Onward Transfer Principle: Where an organization wishes to transfer information to a third party that is acting as an agent, it may do so if it:
  - Ascertains that the third party subscribes to the [EU Safe Harbor] Principles, or is subject to the [1995 EU Data Protection] Directive; or
  - Enters into a written agreement with such third party requiring at least the same level of privacy protection as is required by the relevant Principles.

Canada: PIPEDA
Principles for the Protection of Personal Data (see: http://laws-lois.justice.gc.ca/eng/acts/p-8.6/page-19.html#h-25)
- Principle 7, Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
- Principle 1, Accountability: An organization is responsible for personal information in its possession or control, including information that has been transferred to a third party for processing. The organization must use contractual or other means to provide a comparable level of protection when the information is being processed by a third party.

Contractual Process and Contract Terms

Are You Contracting with a Third Party?
3-step process:
- Conduct appropriate due diligence to determine whether the third party uses, and will continue to use, appropriate security and other measures
- Enter into a written contract that requires the third party to use these appropriate security measures
- Monitor compliance with these obligations throughout the life of the contract (or longer, as needed), for as long as the service provider holds the company's data
This applies to ALL layers of the house of cards: ensure that each service provider or third party that will access your data does the same with its own service providers.

Due Diligence?
To be performed BEFORE engaging the third party. How to evaluate a third party's procedures and practices:
- Detailed questionnaire
- Onsite investigation
- Interaction with other clients
- Review of the third party's certifications and attestations
Note: the type of due diligence differs depending on the nature of the relationship, bargaining power, etc.
Important: keep track of the nature, scope, and extent of the due diligence, and of the responses and results.

Consequence?
Inadequate due diligence may have missed:
- Practices that do not meet industry standards
- Practices that do not meet your own legal obligations
- Practices that are not adapted to your business model
- That the service provider lacks financial backing and financial stability
- That the service provider itself relies on other service providers, about whom you know nothing

Contracts
In the cloud, a majority of contracts are not negotiated. Even those that are negotiated might provide limited promises.
Non-negotiated contracts:
- Pay-as-you-go model, where the terms of the contract may change at any time
- One-sided provisions in favor of the cloud provider
- Do not address security breach disclosure obligations
- Take-it-or-leave-it approach
- Very limited liability; only for downtime, if any
Negotiated contracts, for the lucky ones:
- Better terms
- Very difficult to negotiate
- Price increase if you ask for more warranties or more liability
It is difficult to acquire the trust of others under these conditions.

If the Contract Can Be Negotiated
Contractual provisions:
- Service level agreements
- Damages
  - In case of outage
  - In case of breach of security
  - Amount of damages; damage limitation
  - Direct
  - Liquidated
- Indemnification
- Reports
- Audit

Monitoring
During performance of the contract, monitor the company's or the third party's performance:
- Directly?
- Indirectly:
  - Periodic reports
  - Attestations
  - Certifications
  - What metrics?
  - Transparency reports

Consequences
Without the proper:
- Due diligence
- Contracts
- Monitoring
you are riding on a road with a very weak foundation.

Policies and Procedures

Policies and Procedures
- Develop policies and procedures that meet the legal, contractual, and other requirements to which your company is subject, based on applicable or relevant:
  - Regulations
  - Standards
  - Best practices
- Keep track of the rationale for developing them
- Monitor their application by your personnel
- Discipline the infringers
- Ensure that your service providers and contractors abide by similar rules, and enforce them
- AND communicate these policies, procedures, practices, successes, and failures to others to acquire their TRUST

Security Breaches: The Reputation Killer
- Anticipate
  - Develop an incident response plan
  - Conduct periodic fire drills
- Respond to the breach carefully
  - Important effect on reputation and trust
  - Make sure that you comply with all applicable laws, worldwide
  - Evaluate whether you should go beyond what the laws require
  - Importance of communication and interaction with customers and affected parties

Keep Track
- Don't let your policies and procedures gather dust
- Keep track of their application and implementation within the company
- Develop a matrix to measure performance
  - Within the company
  - By third parties, service providers, etc.
- Look for benchmarks to evaluate your performance or that of your service providers
- Certifications, e.g. CSA STAR Certification
- Communicate, communicate, communicate

Conclusion

Takeaways
- Trust is fragile. Easy to lose.
- Transparency is a close ally of trust. Meaningful disclosures help bring trust.
- In an era where the cloud that your company uses or wishes to use is likely sitting on top of multiple layers of other third-party clouds, about which you may know nothing, it is important to:
  - Understand your company's obligations with respect to the data stored or processed in the cloud
  - Conduct appropriate, in-depth due diligence
  - Review service providers' disclosures
  - Insist on comprehensive information

More Takeaways
- Keep in mind that it's your data; it's your responsibility.
- You get what you pay for. If using the cloud is such a saving over your current operation, there must be a reason. Find out why it is so inexpensive.
- Be realistic about what you are getting; evaluate whether the service meets the needs of your own company with respect to the specific categories of data that you will store in the cloud.
- Decide what is the right route to take, and what is needed to fulfill your company's obligations as the custodian of very sensitive, valuable data.
- Do it, and make sure that all your service providers upstream are also doing it to protect your data.
- Insurance, assuming that you can purchase some, will not solve all of your problems. Insurance companies may agree to provide coverage only if they have determined that your company has done its homework, uses proper safeguards, and is responsible and accountable.

Contact Information
Francoise Gilbert, JD, CIPP, Managing Director, IT Law Group
Email: fgilbert@itlawgroup.com
Phone: (650) 804-1235
Mail: 555 Bryant Street #603, Palo Alto, CA 94301
www.itlawgroup.com
www.francoisegilbert.com
www.globalprivacybook.com
Twitter: @francoisegilbrt