Data Privacy, Security, and Risk Management in the Cloud

Diana S. Hare, Associate General Counsel and Chief Privacy Counsel, Drexel University

David W. Opderbeck, Counsel, Gibbons P.C.

Robin Rosenberg, Associate General Counsel, Sallie Mae

Moderated by Scott J. Etish, Director, Gibbons P.C.

http://delvacca.acc.com

What is “The Cloud?”

“[A] model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction.” – NIST Cloud Security Guidelines

Why Look to the Cloud?

• Staff Specialization
• Platform Robustness
• Resource Availability / Scalability
• Backup and Recovery
• Mobile Endpoints
• Data Concentration

Risk in the Cloud: Control Points

[Figure: a stack of control points (Application, Platform Architecture, Virtualized Infrastructure, Hardware, Facility), showing for each service model, SaaS, PaaS and IaaS, which layers are controlled by the Cloud Provider and which by the Cloud Consumer.]

Legal Risks

• Data Ownership and Accessibility
• Increased Complexity and Attack Surface
• E-discovery Obligations
• Identity and Access Management
• Availability, Outages and Recovery
• Incident Response

Best Practices for Mitigating Cloud Risks

• Contractual Obligations
• Due Diligence
• Insurance

Due Diligence Checklist

• During the due diligence process, data security, privacy, and compliance are key issues.

• Due diligence needs to be comprehensive.

• First step: determine what type of information (data elements) will be at issue. Get accurate information from the business owners as to what type of information is sensitive.

• Consider preparing a data map showing the flow of sensitive information and everything that happens to it when contractors are brought in.

• It is critical to understand the data elements.

• After gaining an in-depth understanding of the company’s information, then

Due Diligence Checklist

Ask key questions of potential vendors regarding data security and privacy during the preapproval process.

Location of data – Where will data be stored? Where will it move? Offshore? If so, will foreign laws apply? EU?

Data Protection – What protection does the vendor have? How will information be protected? Controls for detection? Physical security? Other safety measures? Encryption?

Insurance Coverage – What insurance does the vendor have?

Disaster Recovery Plan – Is there a plan in place? How would

Due Diligence Checklist

What can happen if you don’t do these things? Do your research; laws are ever changing.

Understand relevant standards and regulations – Depends on the industry.

Ongoing Vendor Risk Management – Responsibilities do not

Contractual Obligations Checklist

Limitation of liability – Tends to be the last issue resolved during negotiation of the contract. Uncapped? Vendors tend to be hesitant to agree to uncapped liability.

Responsible Party – What is the vendor responsible for following a data breach? Just the breach? What happens if the vendor did not do anything wrong? Who bears the responsibility?

Indemnification – Requirements for vendors to indemnify the client for breach of security and confidentiality obligations.

Preapproval of Subcontractors – Requirement in the contract that

Contractual Obligations Checklist

Security provisions – Include a list of security requirements in an exhibit to the contract. This exhibit allows the client to outline specific tasks and obligations, including requirements such as encryption.

Security audit / right to request additional information – Include a provision in the contract allowing the client to request additional information regarding security.

Notification of security incidents – Include a provision outlining the vendor’s responsibility to notify the client of any security incidents, in addition to the steps the vendor will take to resolve the issue.

Statutory obligations – Contract may need to include specific

Interplay between confidentiality and security provisions – The contract may have uncapped liability for breach of confidentiality while the vendor pushes back on uncapped liability for breach of security. Is a distinction to be made between the two?

Insurance provision – Include a provision in the contract requiring the vendor to carry insurance, as well as the type and amount of coverage required.

SOC Reports – Consider including a provision requiring the vendor to provide SOC or audit reports on an annual basis. This provides a way to monitor the vendor via a third-party auditor.

Termination – The contract will need to address what happens at the end of the relationship. How does the client get access to the data? What requirements will be asked of the vendor?

Confidentiality – Similar to termination, address confidentiality at the end of the relationship. What if the vendor wants to maintain records?

The Changing Cyber Risk Insurance Market

• Coverage Under CGL Policies
  • Personal and Advertising Injury Liability
  • Exclusions for “Electronic Data”
  • Zurich American Ins. Co. v. Sony Corp., No. 651982/2011 (N.Y. Sup. Ct.)
  • New ISO Endorsements and Exclusions
• Other Traditional Coverage
  • Property
  • D&O

Insurance Checklist

Make sure you require the vendor to have insurance to address a potential data breach.

Make sure to include the requirement for the vendor to carry insurance in the contract.

Collaborate with risk colleagues to determine the appropriate value of insurance for the vendor to carry.

In addition to requiring the vendor to carry insurance, consider whether carrying additional insurance separate from the insurance required to be carried by the vendor is

Insurance: So Many Options

What type of insurance is appropriate? First-party or third-party?

Third-party coverage includes: litigation and regulatory; regulatory response; notification costs; crisis management; credit monitoring; media liability; and privacy liability.

First-party coverage includes: theft and fraud; forensic investigation; business interruption; extortion; and computer data loss and restoration.

Insurance: Miscellaneous Issues

Understand existing coverage – Determine whether it protects against cyber risks;

Retroactive coverage – Many breaches go undetected for long periods of time; make sure that cyber insurance covers a breach that is already ongoing when the policy is bought;

Acts and omissions by third parties – Since most companies outsource numerous responsibilities with respect to handling electronic information, make sure that cyber insurance covers acts and omissions of third parties;

Data restoration costs – Consider coverage to account for the cost of restoring data;

Interplay between cyber insurance and indemnity – Need to

Questions?