• Diana S. Hare, Associate General Counsel and Chief Privacy Counsel, Drexel University
• David W. Opderbeck, Counsel, Gibbons P.C.
• Robin Rosenberg, Associate General Counsel, Sallie Mae
Moderated by Scott J. Etish, Director, Gibbons P.C.
http://delvacca.acc.com
What is “The Cloud?”
“[A] model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction.” – NIST Cloud Security Guidelines
Why Look to the Cloud?
Staff Specialization
Platform Robustness
Resource Availability / Scalability
Backup and Recovery
Mobile Endpoints
Data Concentration
Risk in the Cloud: Control Points
[Diagram: control points across the cloud stack (Application, Platform Architecture, Virtualized Infrastructure, Hardware, Facility), showing the division of responsibility between Cloud Provider and Cloud Consumer for SaaS, PaaS and IaaS.]
Legal Risks
Data Ownership and Accessibility
Increased Complexity and Attack Surface
E-discovery Obligations
Identity and Access Management
Availability, Outages and Recovery
Incident Response
Best Practices for Mitigating Cloud Risks
Contractual Obligations
Due Diligence
Insurance
Due Diligence Checklist
During the due diligence process, data security, privacy, and compliance are key issues.
Need comprehensive due diligence
First step: determine what type of information (data elements) will be at issue. Get accurate information from business owners as to what type of information is sensitive.
Consider preparing a data map showing flow of sensitive information and all that happens when contractors are brought in.
Critical to understand data elements.
After gaining in-depth understanding of company’s information, then
Due Diligence Checklist
Need to ask key questions of potential vendors regarding
data security and privacy during preapproval process.
Location of data – Where will data be stored? Where will it move?
Offshore? If so, will foreign laws apply? EU?
Data Protection – What protection does the vendor have? How
will info be protected? Controls for detection? Physical security? Other safety measures? Encryption?
Insurance Coverage – What insurance does the vendor have?
Disaster Recovery Plan – Is there a plan in place? How would
Due Diligence Checklist
What can happen if you don’t do these things? Do your research; laws are ever changing.
Understand relevant standards and regulations – Depends on
industry
Ongoing Vendor Risk Management – Responsibilities do not
Contractual Obligations Checklist
Limitation of liability – Tends to be the last issue resolved during
negotiation of contract. Uncapped? Vendors tend to be more hesitant to agree to uncapped liability.
Responsible Party – What is vendor responsible for following a data breach? Just the breach? What happens if vendor did not do anything wrong? Who bears the responsibility?
Indemnification – Requirements of vendors to indemnify client for
breach of security and confidentiality obligations.
Preapproval of Subcontractors – Requirement in contract that
Contractual Obligations Checklist
Security provisions – include list of security requirements in exhibit
to contract. This exhibit allows client to outline specific tasks and obligations, including requirements such as encryption.
Security audit/right to request additional information – Include provision in contract allowing for client to request additional information regarding security.
Notification of security incidents – Include provision outlining
vendor’s responsibility with respect to notifying client of any security incidents in addition to steps vendor will take to resolve the issue.
Statutory obligations – Contract may need to include specific
Interplay between confidentiality and security provisions – May
have uncapped liability for breach of confidentiality but vendor
pushes back for breach of security. Distinction to be made between the two?
Insurance provision – Include provision in the contract requiring
vendor to carry insurance, as well as the type of coverage and amount of coverage required.
SOC Reports – Consider including provision requiring vendor to
provide SOC or audit reports on an annual basis. Provides way to monitor vendor via third party auditor
Termination – Contract will need to address what happens at the
end of the relationship. How does the client get access to the data? What requirements will be asked of the vendor?
Confidentiality – Similar to termination, address issues with respect
to confidentiality at the end of the relationship. What if vendor wants to maintain records?
The Changing Cyber Risk Insurance Market
• Coverage Under CGL Policies
• Personal and Advertising Injury Liability
• Exclusions for “Electronic Data”
• Zurich American Ins. Co. v. Sony Corp., No. 651982/2011 (N.Y. Sup. Ct.)
• New ISO Endorsements and Exclusions
• Other Traditional Coverage
• Property
• D&O
Insurance Checklist
Make sure you require vendor to have insurance to
address potential data breach
Make sure to include the requirement of the vendor to
carry insurance in the contract
Collaborate with risk colleagues to determine appropriate
value of insurance for vendor to carry
In addition to requiring vendor to carry insurance,
consider whether carrying additional insurance separate
from insurance required to be carried by vendor is
Insurance: So Many Options
What type of insurance is appropriate?
First-party or third-party?
Third-party coverage includes: litigation and regulatory;
regulatory response; notification costs; crisis
management; credit monitoring; media liability; and
privacy liability.
First-party coverage includes: theft and fraud; forensic
investigation; business interruption; extortion; and
computer data loss and restoration.
Insurance Miscellaneous Issues
• Understand existing coverage – Need to determine whether it
protects from cyber risks;
• Retroactive coverage – Many breaches go undetected for long
periods of time, and therefore, make sure that cyber insurance covers potential ongoing breach;
• Acts and omissions by third parties – Since most companies
outsource numerous responsibilities with respect to handling
electronic information, make sure that cyber insurance covers acts and omissions of third parties;
• Data restoration costs – Consider coverage to account for the cost of restoring data;
• Interplay between cyber insurance and indemnity – Need to