THE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS

Academic year: 2021


(1)

THE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/CLIENT RELATIONSHIPS

(2)

YOU CAN'T OUTSOURCE COMPLIANCE!

• Various statutes and regulations govern the privacy and security of personally identifiable information (“PII”).

• Complex patchwork of federal and state laws, industry sector laws and regulations, and international laws.

• When companies use third party vendors to collect, process, or provide other data management services, the company is responsible for ensuring the vendors maintain security practices in accordance with the applicable laws and regulations governing the company’s PII.

• Before engaging a vendor, be sure it can comply on your behalf.

• Take adequate internal precautions to prevent unauthorized access.

• This presentation is just a brief overview of applicable laws, security precautions, and other considerations; there are many more!

(3)

WHAT IS HIPAA & HITECH?

• HIPAA, the Health Insurance Portability and Accountability Act, specifies laws for the protection and use of Personal (or Protected) Health Information (PHI) in medical records.

• HITECH, the Health Information Technology for Economic and Clinical Health Act, applies to Electronic Medical Records. It requires 3 things:

  - Integrity of information – the medical record must be accurate.

  - Confidentiality – the medical record should only be seen by those with a need to know, and all uses of that data should be knowable by the individual.

  - Availability – the medical record must be available, in essence, no reasonably

(4)

WHAT IS A BUSINESS ASSOCIATE?

• A BA is a service provider to a Covered Entity that requires access to the Protected Health Information of the Covered Entity’s customers in order to provide services under a Business Associate Agreement.

• BAs, their contractors and covered entities must comply with the technical, administrative and safeguard requirements and disclosure limitations in the Privacy Rule and as set out in the Business Associate Agreement with their clients.

• Examples of BAs:

  - Bill processing company that sends medical invoices & processes payments

  - Cloud providers that host and perform managed services for covered entities (new definition under the Omnibus Rules)

  - Outsourced call centers

(5)

GRAMM-LEACH-BLILEY ACT

• Applies to any “Financial Institution”, defined as any U.S. company that is “significantly engaged” in financial activities. It regulates the way a financial institution manages “nonpublic personal information” (NPI) and consumer financial information.

• Requires Financial Institutions to enter into contracts with any third party vendor or service provider that has access to the NPI or consumer financial information.

• Implemented by numerous regulatory bodies: FTC, SEC

(6)

VENDOR MANAGEMENT: COMPLYING WITH THE SAFEGUARDS RULE

• The Safeguards Rule requires companies to develop a Written Information Security Plan (WISP) that describes their program to protect customer information.

• As part of its plan, each company must take various measures, including:

  - select service providers that can maintain appropriate safeguards

  - make sure your contract requires them to maintain safeguards

  - oversee their handling of customer information

• The plan must be appropriate to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles.

(7)

PCI DSS – PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS

• This is an industry standard applicable to organizations that hold, process or exchange credit card information.

• Defines controls to ensure that consumer data is not exposed to identity fraud and theft.

• Not itself a law, but incorporated into various state laws.

• Using a third party to process, store or transmit credit card information does not remove a merchant’s obligation to comply with PCI for these functions.

• Merchants are required to maintain written agreements with service providers acknowledging that the service providers are responsible for the security of cardholder data the

(8)

MASSACHUSETTS INFORMATION SECURITY LAW

• Applies to any entity that receives, stores, maintains, processes, or has access to certain PII of a MA resident (even if the company is not in MA).

• Triggers: SSN, driver’s license, credit/debit or financial account

• Organizations have a legal responsibility to ensure the following regarding service providers with access to PII:

  - Select and retain providers capable of maintaining appropriate security measures for PII

  - Contractually require service providers to maintain safeguards

(9)

VARIOUS STATE LAWS

• Many states have information security laws with specific requirements, even for entities located elsewhere, if the entity interacts with certain PII of residents of the state.

• Nevada requires encryption of PII transmitted outside the company’s secure system – both in transit and when stored on a device.

• California requires reasonable security measures appropriate to the nature of the information.

• Numerous other state laws impose information security, data destruction, breach notification, and other requirements.

(10)

FEDERAL TRADE COMMISSION

• The FTC has authority to enforce against “unfair and deceptive trade practices”.

• Has brought more than 50 enforcement actions related to security breaches (misrepresenting security is deceptive; inadequate security is unfair).

• Often focused on companies not maintaining privacy/security promises to consumers, whether themselves or through their vendors.

• The FTC holds companies responsible for their vendors’ failures if the company did not take reasonable measures, etc.

(11)

FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA)

• Applies to educational institutions that receive any federal funding.

• Prohibits disclosure of students’ education records (broadly defined) without written parent or eligible student consent.

• Includes education records maintained by a third party on behalf of the school.

• Allowing a service provider to access, process, or store education records with PII may be deemed a disclosure, so the service provider must comply with FERPA.

(12)

SARBANES-OXLEY

• Establishes a set of requirements for financial systems to deter fraud and increase corporate accountability.

• Dictates which records must be stored and for how long.

• Third parties must comply and must be overseen.

• The data owner is required to know the location of data in the cloud/elsewhere and to maintain control over it.

(13)

RED FLAGS RULE

• Requires financial institutions and creditors that hold any "covered account" to develop and implement an Identity Theft Prevention Program.

• Must monitor the activities of service providers that conduct activities specifically covered by the rule or considered to be at risk for identity theft.

• Vendors must apply standards similar to those the company would apply if it were performing the tasks itself.

• Implement procedures to detect red flags, reporting policies and certain prevention measures.

• The FTC holds companies responsible for compliance by vendors.

(14)

DIFFERENT LEGAL APPROACHES

• Some laws/agencies require companies to generally pass on their obligations to vendors that access or receive regulated personal information (GLBA, HIPAA, FERPA, and FTC Act enforcements).

• Some say companies have to monitor the vendors and what that involves (Massachusetts/CFPB).

• Some say you have to monitor the vendors appropriately, but generally leave it up to you to decide what that

(15)

BEST PRACTICES DURING EACH STAGE OF THE VENDOR RELATIONSHIP

(16)

EVALUATE THE VENDOR: 1. DUE DILIGENCE

General Due Diligence: before digging into security requirements, evaluate the vendor’s general suitability as a trusted business partner:

• Reputation – get appropriate references from former or current clients

• Similar clients to your business / depth of experience

• Financial condition

• Insurance

  - Type of coverage and limitations (cyber liability if applicable)

• Employee training and awareness

• Vendor incident response plan, business continuity and disaster recovery plan

(17)

2. INFORMATION SECURITY DUE DILIGENCE

Perform a thorough analysis of the vendor’s security capabilities. Remember that you may be trusting your entire business reputation to this vendor: if it suffers a security breach involving your PII, you will suffer.

Create a vendor questionnaire so the vendor can provide details on the following (and copies of plans/policies/procedures where appropriate).

(18)

VENDOR QUESTIONNAIRE

• Do you have a written information security program? (Include a copy.)

  - Evaluate it based on the legal requirements that apply to the type of data.

• Do you have ongoing compliance training programs for individuals who would handle data?

• Do you require employee background checks?

• What is your data governance structure and process?

• How do you identify, analyze and evaluate risks and options for handling risks?

• What controls do you have in place for risks?

(19)

VENDOR QUESTIONNAIRE (CONTINUED)

• Describe the scope and boundaries of your information security management system (security policies, etc.).

• How do you monitor firewalls?

• Do you have a data classification policy?

• Do you have a data retention/destruction policy?

• What type of encryption do you use (at different stages in the data lifecycle)?

• How is data shared with customers and business partners? Do you email everything?

(20)

VENDOR QUESTIONNAIRE (CONTINUED)

• What physical controls do you have in place to prevent theft of data?

• Are external audits performed on a regular basis?

• What third party certifications do you have (include audits, etc.)?

• There are MANY more questions to ask (tailored depending on the nature of the services, type of data, applicable laws/regs, etc.).

• To address the current lack of standards in cloud services, the Cloud Security Alliance recently proposed the “Trusted Cloud Initiative” with the goal of developing industry-recommended infrastructure and security configurations and practices.

(21)

EVALUATE THE VENDOR: 3. THIRD PARTY STANDARDS

Vendors can show credibility via audits using accepted third party standards:

• SSAE 16

• NIST

(22)

SSAE 16 STANDARDS

• SSAE 16 Attestation replaces the SAS 70 “certification”.

• Attestation is a written statement by key executives that contains essential clauses describing the system and a statement on the suitability of the design and operating effectiveness of various controls.

(23)

SOC 1 & 2 STANDARDS

• SOC 1 focuses on a service provider’s internal controls over financial reporting.

• SOC 2 is most relevant for the IT portion of the GLBA Safeguards Rule, which requires IT system controls, and for HIPAA Security Rule compliance.

  - Focuses on information technology security controls, availability, processing integrity, confidentiality and privacy principles.

(24)

SOC 3 STANDARDS

SOC 3 Trust Services and Criteria for online businesses:

• Security

• Availability

• Processing Integrity

• Confidentiality

(25)

NIST – U.S. STANDARDS FOR INFORMATION TECHNOLOGY

• National Institute of Standards and Technology

• Emphasis on state-of-the-art management, operational, and technical security controls.

(26)

INTERNATIONAL STANDARDS

• ISO Standards – international voluntary standards for business process and information security management (ISO 27001).

• Certain internationally accredited entities can audit or certify that an organization meets specified ISO standards.

• An ISO 27001 certification – specifies requirements for the establishment, implementation, monitoring, review, maintenance and improvement of a system to manage an organization’s

(27)

CONSIDERATIONS BEFORE THE RELATIONSHIP BEGINS

Determine the appropriate level of vendor access:

In addition to evaluating the vendor’s general security capabilities, consider the specific needs in this situation and how the vendor’s access to PII and systems can be limited to protect your company’s confidential information.

Basic concepts:

• Ensure the vendor has no greater access than necessary

• Compartmentalize data

• Limit access to the people who need it

(28)

CONSIDERATIONS BEFORE THE RELATIONSHIP BEGINS (CONTINUED)

• Is access ongoing, one-time, or intermittent?

  - E.g. is this a one-time software installation project which does not require continued access to PII, or an outsourcing arrangement where the vendor will have ongoing access to the PII?

• Are there technical controls that can alleviate the need for certain access?

• Can access be limited to specified individuals or departments?

• Determine when various types of encryption/security requirements are applicable.

  - Encryption in transit vs. at rest

(29)

CONSIDERATIONS BEFORE THE RELATIONSHIP BEGINS (CONTINUED)

Limit Access / Segregate Systems

• Ensure systems are segregated.

  - Consider all systems connected into the main network/internet, even if they are not data-specific systems (e.g. video monitoring, HVAC, others).

  - While retailers build defenses around their payment systems, they may not invest as heavily in protecting the systems used by building management.

• Ensure measures can be implemented to limit access to systems once a vendor is inside the company’s perimeter.

  - Many networks guard against intrusion but assume trust once inside the walls.

(30)

CONSIDERATIONS BEFORE THE RELATIONSHIP BEGINS (CONTINUED)

• Document all data and systems potentially implicated by the relationship.

• Notify department managers and collaborate regarding the planned implementation.

• Determine the point of contact for all aspects of the relationship.

• Ensure your company’s own WISP and procedures allow for use of the vendor and contain appropriate guidance/security measures.

• Perform a risk assessment based on use of the vendor and the project.

(31)

CONSIDERATIONS BEFORE THE RELATIONSHIP BEGINS (CONTINUED)

• Evaluate the optimal point of transfer.

  - Transfer between the procuring organization and the vendor is a potentially vulnerable spot.

  - Design and implement secure methods of transfer and access.

• Determine an appropriate data retention and destruction schedule.

  - Include required means of disposal (consider state/industry laws).

(32)

INTERNATIONAL CONSIDERATIONS

Other factors must be evaluated if the vendor is in another country or if data will be transferred or stored there:

• May be more difficult for the customer (and the data subject, if applicable) to gain immediate access (required by some laws)

• May give rise to international jurisdiction if data is in other countries

• Difficult to investigate or litigate against foreign offenders

• May add compliance hurdles to the extent data is transferred from a foreign country

(33)

READY TO PROCEED: NEGOTIATING VENDOR CONTRACTS

Key considerations:

• Contractually shift responsibility when you trust an outside entity with data.

  - However, remember the legal obligation is your own – you can’t outsource compliance obligations.

• Evaluate whether to include specific/detailed requirements or merely require compliance with applicable laws/regulations.

(34)

NEGOTIATING VENDOR CONTRACTS:

• Clearly define all types of data to be accessed, collected, processed, etc.

  - If trying to limit what the vendor can access, consider making the definition narrow and based on specific time periods.

• Ownership and license of data

  - Distinguish between different types of data if applicable (e.g. PII and aggregate de-identified data).

  - Do rights change after transfer or processing of certain data?

  - License grant / reservation of rights if applicable

(35)

NEGOTIATING VENDOR CONTRACTS

Restrictions on vendor access and use of PII

• Specify use parameters

  - Only in the performance of this agreement

• List permitted means of access, how data will be exported to the processor, etc. (or as instructed by the customer)

  - Encryption/security requirements applicable during this process if different than in the remainder of the contract

• Timing limitations
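The contract terms on the two slides above (a narrow data definition tied to time periods, named personnel, permitted means of access, use only in performance of the agreement, timing limitations) are only worth negotiating if the customer can later tell whether the vendor stayed inside them. The following is an added Python example, not code from the presentation or its authors, that checks constructed vendor access-log lines against such a scoped policy; the vendor name, user names, log format and field names are all assumptions made for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class VendorAccessPolicy:
    """Contract-defined access parameters for one vendor (values are constructed examples)."""
    vendor: str
    data_classes: frozenset[str]  # data types defined narrowly in the contract
    users: frozenset[str]         # named vendor personnel approved for the project
    channels: frozenset[str]      # permitted means of access, as instructed by the customer
    purposes: frozenset[str]      # use only in the performance of this agreement
    starts: datetime              # timing limitation: the contract window
    ends: datetime

def parse_event(line: str) -> dict[str, str]:
    """Parse one 'timestamp key=value ...' log line (constructed format, not a real product's)."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = ts
    return fields

def evaluate(event: dict[str, str], policy: VendorAccessPolicy) -> list[str]:
    """Return the contract terms the event violates; an empty list means compliant."""
    if event.get("vendor") != policy.vendor:
        return ["event does not belong to this vendor's policy"]
    violations: list[str] = []
    if event.get("user") not in policy.users:
        violations.append("user not on approved personnel list")
    if event.get("data") not in policy.data_classes:
        violations.append(f"data class {event.get('data')!r} outside contract definition")
    if event.get("channel") not in policy.channels:
        violations.append(f"channel {event.get('channel')!r} is not a permitted means of access")
    if event.get("purpose") not in policy.purposes:
        violations.append("access not in performance of the agreement")
    try:
        at = datetime.fromisoformat(event["ts"])
    except (KeyError, ValueError):  # a log line without a usable timestamp cannot be cleared
        return violations + ["event has no parsable timestamp"]
    if not policy.starts <= at <= policy.ends:
        violations.append("access outside the contract time window")
    return violations

def audit(lines: list[str], policy: VendorAccessPolicy) -> list[tuple[str, list[str]]]:
    """Run every log line through evaluate() and keep only the non-compliant ones."""
    results = [(line, evaluate(parse_event(line), policy)) for line in lines]
    return [(line, problems) for line, problems in results if problems]

# Constructed policy: a billing vendor with one-month access to invoice data only.
POLICY = VendorAccessPolicy(
    vendor="billco", data_classes=frozenset({"invoice"}), users=frozenset({"alice", "bob"}),
    channels=frozenset({"sftp"}), purposes=frozenset({"agreement"}),
    starts=datetime(2021, 3, 1), ends=datetime(2021, 3, 31, 23, 59, 59),
)

# Constructed access log: line 1 is compliant; each later line breaks one or two terms.
SAMPLE_LOG = [
    "2021-03-10T09:15:00 vendor=billco user=alice data=invoice channel=sftp purpose=agreement",
    "2021-03-11T10:00:00 vendor=billco user=alice data=phi channel=sftp purpose=agreement",
    "2021-03-12T11:30:00 vendor=billco user=carol data=invoice channel=email purpose=agreement",
    "2021-04-02T08:00:00 vendor=billco user=bob data=invoice channel=sftp purpose=marketing",
]

if __name__ == "__main__":
    for line, problems in audit(SAMPLE_LOG, POLICY):
        print(line.split()[0], "->", "; ".join(problems))
```

Each finding maps directly to a contract clause, which is what an audit-rights review or a breach investigation needs to cite.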

(36)

NEGOTIATING VENDOR CONTRACTS

Information Security Requirements

• Typically in an addendum

• Specific IT measures to comply with acceptable industry practices:

  - encryption of data (in transit, at rest, web-facing applications)

  - firewalls

  - network security

  - mobile security

  - access controls/authentication

  - segregation of vendor’s data/systems

  - vendor application of latest security patches

• Employee background checks/training

• Limit physical access to facilities

• Other requirements based on applicable laws

• Data centers: location requirements are needed if processing PII or ePHI, to comply with data import/export regulations and local laws

(37)

NEGOTIATING VENDOR CONTRACTS

Audit and Monitoring Rights

• Third party audit of the vendor’s IT security practices and inspection of data centers – confirm the vendor’s infrastructure and security practices via an onsite inspection

  - at least once per year

  - specify what this should cover

  - customer selects the auditor

• Note: be sure you want this; if no corrective action is taken, you may be deemed negligent.

  - HIPAA requires that if a HCP is aware of ongoing conduct by a BA that violates HIPAA, the HCP must intervene.

• Audit data collected/accessed and other aspects of contract performance

• Consider monitoring software

(38)

NEGOTIATING VENDOR CONTRACTS

Security Breach Notification and Disclosures

• Immediately notify the customer of all suspected breaches (specify details)

• Procedures the vendor must follow in the event of a breach

  - Investigation details (timing, approved by customer, vendor pays)

  - What the vendor has done/will do to mitigate potential damage and prevent future breaches

• Notification to consumers

  - Require compliance with various state/industry breach notification laws

  - Customer approves (or controls) all public communications

  - Vendor pays costs for notification program, credit monitoring, etc.

(39)

NEGOTIATING VENDOR CONTRACTS

Compliance With Laws

• Require the vendor to comply with all applicable information security and privacy laws and regulations

• Include an additional list if the vendor may not be aware of some that apply to your industry

Confidentiality Obligations

• Data, results of processing, other relevant business information

• Require notification to the customer of any subpoenas/other requests by government or third parties for data

• Access limitations: “legitimate business need to know”

• Survival of the obligation of confidentiality post termination

• Require the vendor to return, or destroy, all data in the vendor’s possession or control

(40)

NEGOTIATING VENDOR CONTRACTS

Personnel and Subcontractors

• Right to approve key people on the project

• Right to prohibit/approve use of any subcontractors

• Background checks, training, monitoring, other restrictions

• Contractual requirements for subcontractors

(41)

NEGOTIATING VENDOR CONTRACTS

Service Level Agreements

• Uptime guarantees

• Error response and remediation timing

  - Support contacts, timing, escalation procedures

  - Based on how critical the service is

• Notification before suspension of services

• Maintenance windows – late night/early morning

• Penalties for noncompliance – credits, termination rights

• Reporting – daily, monthly, only when downtime or errors occur?

• Monetary credits for failure to meet standards

• Emergency resource allocation: preferential treatment and allocation of the vendor’s resources for the customer (or no less favorable than others) if a disaster or emergency occurs

(42)

NEGOTIATING VENDOR CONTRACTS

Risk Allocation Provisions

• Limitation of liability

• Indemnification by vendor

  - Additional indemnification regarding all costs related to a security breach

(43)

NEGOTIATING VENDOR CONTRACTS

Termination Issues

• Include a threshold for SLA violations or certain breaches for which no cure is allowed

• Post-termination obligations

  - transition assistance

  - data transfer (customer designates the format)

(44)

NEGOTIATING VENDOR CONTRACTS

Insurance Requirements

• Cyber insurance covering both data loss and data breach response

• General commercial liability, other as applicable

• Additional insured

(45)

REPRESENTING THE VENDOR

• Don’t accept greater access than you need for the project

• In contract negotiations, remove sections not necessary if you don’t have PII/ePHI, etc.

  - If the customer refuses, add “if applicable…” or “if vendor receives PII in performance of this agreement…”, etc.

• Keep track of the requirements of different customers

  - Designate team members responsible

  - Audit your own practices to ensure compliance with customer requirements

• Consider industry certifications to ease compliance with customer requests

• Maintain industry best practices for IT security/uptime as applicable

• Be prepared to meet reporting obligations/error response times in the event of outages (per SLA)

(46)

IMPROVING EXISTING VENDOR RELATIONSHIPS

• Create an inventory of all vendors, partners, others

  - What service are they providing?

  - What information can they access?

• Ask current vendors the questions you would now ask a potential new vendor (assess their security measures, etc.)

• Determine if existing vendors should be audited or if you can obtain copies of annual audits already being done

• Make sure your company has its own privacy/security policies, procedures, training, risk assessments, remediation measures, communication plans, and monitoring applicable to vendors

• Collaborate with your company’s business unit managers to understand what type of vendor services are required at each stage of the information life cycle

(47)

THANK YOU! PLEASE CONTACT US WITH QUESTIONS:

Deborah Shinbein, CIPP/US
[email protected]
303-997-1325

Kari Kelly
[email protected]
303-898-2120
