The details matter: Security laws that demand attention

Date post: 03-Apr-2018
Transcript
  • 7/29/2019 The details matter: Security laws that demand attention

    1/28 The details matter: Security laws that demand attention
    Cloud Security Alliance, New York City

    W. David Snead, Attorney + Counselor, Washington, D.C.
    Tactical Legal Advice for Internet Business

  • 2/28 Roadmap

    What is a breach?
    What is security?
    Who is covered?
    How are third parties treated?
    How is risk transferred?

  • 3/28 What is a breach?

    Confidentiality
    Integrity
    Access

  • 4/28 What is security?

    Methods of protecting information:
    Administrative
    Technical
    Physical

    The definition of confidential is crucial

  • 6/28 Regulatory climate

    Sectoral based; reactive; generally state based; narrowly tailored
    Issue based; proactive; national implementation

  • 7/28 HIPAA

    Specific safeguards
    Protect against reasonably anticipated uses
    Ensure that workforce complies with rule
    Civil penalties
    Actions by state AG
    HHS investigations

  • 8/28 GLB

    Security and confidentiality of customer information
    Protect against anticipated threats or hazards to security and integrity
    Protect against unauthorized access or use

  • 9/28 FCRA

    Identification / authentication procedures
    Disposal rules
    Procedures to ensure accuracy
    Integrity / accuracy of information sent out
    Attempts to prevent impersonation fraud

  • 11/28 FTC

    Unfair or deceptive acts

  • 12/28 COPPA

    Secure web servers
    Delete personal information after use
    Limit employee access to data
    Provide training
    Screen third parties

  • 14/28

    Massachusetts sets standard
    Focus on identification numbers
    Increasingly includes biometric
    No private right of action
    Nexus requirement
    Encryption exemption
    No exemption for de minimis disclosures
    7 states with no law

  • 15/28 Regulatory climate

    Data governance laws are here to stay
    Expectation that in some format data breach will be extended to cover not just telecoms
    General data breach requirements in some EU Member States already
    Accountability and transparency principles
    Broad scope of definition of personal data
    Cloud and jurisdictional challenges
    The role of controllers and processors

  • 16/28 EU Enforcement Priorities

    Security and privacy rules with uniform standards
    Transparency
    Fairness
    User control
    Certainty
    Proportionality

    Tempered by:
    Need for cloud adoption
    Fundamental right to data protection

  • 18/28 Creating contracts that work

    Break down your cloud transaction.
    Understand what security means to you.
    Define breach.
    Decide what kind of snowflake you are.

  • 19/28 Creating contracts that work

    What will happen to the data on termination?
    Where will the data be physically located?
    Should jurisdiction be split?
    How will data be collected, processed, transferred?

  • 20/28 Creating contracts that work: Security

    Define breach
    Determine when a breach happens
    Assume there will be data breach laws
    Review any laws that may currently exist
    Understand who will be responsible for security
    Create enforceable contract terms
    Remember post termination issues
    Understand that you may not be made whole

  • 21/28 Creating contracts that work: Contract provisions

    Breach: benign and malicious.
    Breach: parties, third parties, subcontractors, vendors.
    Breach laws: national, provincial.
    Responsibility for security: parties, third parties, subcontractors, vendors.
    Post termination issues: data belongs to customer; breach liability extends post termination.
    Security policy: made part of contract; revisions subject to customer review; flow down to subcontractors and vendors.

  • 22/28 Creating contracts that work: Jurisdiction

    Jurisdiction over the contract:
    Whose law governs
    Where the dispute is heard
    Change in judicial presumptions

    Jurisdiction over the data:
    Data protection directive
    Export control laws

  • 23/28 Creating contracts that work: Choice of law

    This Agreement shall be governed by the laws of the District of Columbia, without reference to its choice of law provisions. Jurisdiction and venue shall be proper before the U.S. District Court for the District of Columbia located in Washington, D.C. The parties agree not to contest notice from, or the jurisdiction of, this court. Notwithstanding the preceding sentences, the parties agree that all issues regarding the processing, transfer, protection and privacy of any information transferred from X or any End User to Vendor shall be governed by the laws of the United Kingdom. All disputes between the parties, and between a party and an End User regarding Vendor's access to this data shall be heard before the appropriate court located in London, United Kingdom.

    Split choice of law if you have differing regulatory obligations.

  • 24/28 Creating contracts that work: Termination

    Create and implement deletion policies
    Flow down contract terms to vendors
    Do not assume security ends upon termination

  • 25/28 Creating contracts that work

    Upon termination or expiration of this Agreement, Vendor shall delete all data and provide X with written confirmation of this deletion. Vendor shall also instruct any entities who have had access to the data to also delete it and provide Vendor with written certification of this deletion. The security obligations set out in this Agreement relating to the data shall survive termination or expiration of this Agreement until such time as the data is completely deleted by Vendor and/or Vendor's suppliers. Vendor shall require this provision, or one similarly protective of X's rights, in all its contracts with suppliers or other vendors who provide aspects of the Services.

    When agreement terminates, your rights terminate.

  • 26/28 Creating contracts that work: Addressing uncertain regulations

    Limited collection of sensitive data
    Security measures appropriate to data
    Disposed of / deleted
    Disclosure events considered

  • 27/28 Toolkit

    Determine how services will be used
    Evaluate cloud structure
    Understand data collection, processing and transfer
    Security breach notification
    High risk regulatory areas
    Disposition of data on termination

  • 28/28 Thanks for coming!

    W. David Snead, Attorney + Counselor, Washington, D.C.
    Tactical Legal Advice for Internet Business

    E: [email protected]
    @wdsneadpc
    Blog: thewhir.com/blogs
