Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tackling Data Related Challenges in Contracts

Published byAshlyn Simpson Modified over 6 years ago

Similar presentations

Presentation on theme: "Tackling Data Related Challenges in Contracts"— Presentation transcript:

1 Tackling Data Related Challenges in Contracts
Monday, April 3, 2017

2 Kim Bykov Julia Le Jennifer K. Mailander Hilary Wandall
Vice President, Managing Senior Counsel Julia Le Corporate Counsel Jennifer K. Mailander Associate General Counsel Director Compliance and Privacy Hilary Wandall General Counsel and Chief Data Governance Officer Kim – substantive materials due 2/24 Pull articles

3 Topic Overview It’s all about the Data
Using contract terms to protect sensitive data Supplier security controls Addressing third party risk Strategies for surmounting data-related deal-breakers Special contract provisions for key data issues Managing changing regulatory requirements

4 Poll Question #1: Are you responsible for or do you contribute to: 1) contract review 2) due diligence review 3) both 4) neither

5 It’s all about the Data…
What types of data will be shared? Personal Data (EU) / Personally Identifiable Information (US) Protected Health Information (US) Cardholder Data Other sensitive data types What is the region of data? Who owns the data? Whether you’re looking to mitigate data protection risk through any of the methodologies we’re here to discuss today – contract provisions, vendor risk assessments, insurance – its all about the data, and how the data flows. To leverage each of these strategies effectively, you need to understand the data – what it is – and how the data flows. Comment from Kim Bykov: This slide is intended to summarize key question about implicated data and data flows, which will drive contract terms, assessments, insurance and other risk mitigation function

6 And, how the Data will be processed
Where will data be stored? Who has the obligation to secure the environment? Who has access to the data? What’s the data flow? Will data be transferred? Pursuant to what legal mechanisms? Operational mechanisms? Who has the obligation to secure the environment? For cloud offerings, what is the nature of the deployment model (public, private, hybrid cloud) and service model (SaaS, IaaS, PaaS)? What happens to the data when the contract ends? Whether you’re looking to mitigate data protection risk through any of the methodologies we’re here to discuss today – contract provisions, vendor risk assessments, insurance – its all about the data, and how the data flows. To leverage each of these strategies effectively, you need to understand the data – what it is – and how the data flows. Comment from Kim Bykov: This slide is intended to summarize key question about implicated data and data flows, which will drive contract terms, assessments, insurance and other risk mitigation function

7 Using Contract Terms to Protect Sensitive Data
Confidentiality provisions Disclosing party must identify what data is confidential Data classification Not a well resolved area Distinguish between security provisions re: accessing data from the customer’s site versus the vendor’s site Many contracts have specific security controls and we’d be fine accepting the terms if we were accessing the customer’s data

8 Using Contract Terms to Protect Sensitive Data
Confidentiality provisions (cont.) Are there multiple confidentiality provisions? Non-Disclosure Agreement Proposal Security provisions Sometimes you have to sign addendums to protect certain types of data, e.g., health-related data Privacy provisions Standard of care Distinguish between security provisions re: accessing data from the customer’s site versus the vendor’s site Many contracts have specific security controls and we’d be fine accepting the terms if we were accessing the customer’s data

9 Using Contract Terms to Protect Sensitive Data
Security requirements and breach notification Know your legal, regulatory, contractual and operational requirements Audit rights/requirements Distinguish between security provisions re: accessing data from the customer’s site versus the service supplier’s site Incident versus breach notification Require BCP/DR for critical suppliers

10 Using Contract Terms to Protect Sensitive Data
Indemnification Limitations of liability and exceptions e.g., carve outs for breaches of confidentiality and data breaches Third party/supplier access provisions Flow down terms Additional operational requirements Audit rights/requirements

11 Supplier Security Controls
Supplier assessment forms Some are security Some are security and privacy Some are everything that’s relevant to the data Standardization would be very valuable here It’s helpful where organizations have integrated all data and related controls into a single assessment Let’s add a handout on the different types of assessments that are available. Vendor Security Controls, and negotiating corresponding security-related contractual provisions, internally and with key stakeholders Standardization would be very valuable here - An area in need of further improvement. - Very long forms

12 Supplier Security Controls (cont.)
Privilege and data stored in the cloud Do you want to control how data is being accessed and how client is using the data? Appropriate contract provisions and maintenance - Plays into proper access controls and ability to support privilege. Clients are beginning to ask for this increasingly and it highlights importance of security controls Is this an audit function – to see who accessed data? The audit trail becomes important Vendor risk assessment and required controls should match key contract provisions in resulting agreement.

13 Supplier Security Controls (cont.)
Your IT team can be your best friend They know security regulations really well Buyer IT and business can often be at odds Prioritize your suppliers by risk It depends on the goods/services being provided Are they critical to your organization? Vendor risk assessment and required controls should match key contract provisions in resulting agreement.

14 Does your organization have a third party risk assessment process?
Poll Question #2: Does your organization have a third party risk assessment process? 1) Yes 2) No 3) Don't know

15 Addressing Third Party Risk
Determine your risk tolerance – key factors to consider: What kind of data are needed for the activity? Are they sensitive or confidential? How valuable is the data to the company? What risks do the data and/or the associated activity create for the organization, for customers, for business partners or the individuals to whom the data relate? At a time when vendors do not accept unlimited liability for data-related risks, how do organizations determine what data-related terms and risk levels are commercially acceptable, and what risk they can shift to suppliers or mitigate through other channels such as cyber-insurance

16 Addressing Third Party Risk (cont.)
Determine your risk tolerance – key factors to consider: What types of suppliers or other third parties (e.g., a business alliance partner, MA&D partners are needed for or otherwise support effective implementation the activity? Does use of a supplier or other third party increase the risks identified above? If so, how?) At a time when vendors do not accept unlimited liability for data-related risks, how do organizations determine what data-related terms and risk levels are commercially acceptable, and what risk they can shift to suppliers or mitigate through other channels such as cyber-insurance

17 Addressing Third Party Risk (cont.)
Third party risk management mitigation Cross-border data transfer management Demonstration of privacy, security and other internal controls in the pre-contractual supplier assessment process Periodic audit or other oversight and monitoring of contractual obligations, risks and controls At a time when vendors do not accept unlimited liability for data-related risks, how do organizations determine what data-related terms and risk levels are commercially acceptable, and what risk they can shift to suppliers or mitigate through other channels such as cyber-insurance

18 Addressing Third Party Risk (cont.)
Expectations of suppliers to carry cyber insurance Scope of coverage Limits on coverage (generally $300M) Average payout of $733K; payout average of 83%, but trending down At a time when vendors do not accept unlimited liability for data-related risks, how do organizations determine what data-related terms and risk levels are commercially acceptable, and what risk they can shift to suppliers or mitigate through other channels such as cyber-insurance

19 Does your organization
Poll Question #3: Does your organization 1) Have cyber insurance? 2) Require suppliers to have cyber insurance? 3) Both 4) Neither 5) Don’t know

20 Strategies for Surmounting Data-Related Deal-Breakers
Know your Counterparty Data compliance requirements arise from multiple sources: Industry-specific regulations or standards Common law or statutory defenses to future claims requiring confidentiality (i.e., trade secrets claims) Customers’ internal data compliance policies

21 Strategies for Surmounting Data-Related Deal-Breakers (cont.)
Build your Team Identify and engage internal SMEs up-front Privacy IT compliance / cybersecurity Insurance

22 Strategies for Surmounting Data-Related Deal-Breakers (cont.)
Build Collateral Create collateral that leverages expertise from internal stakeholders efficiently to avoid losing time at the bargaining table On the buyers’ side, craft a checklist tailored to your business that captures key legal and operational data requirements On the sellers’ side, create a customer-facing summary document of standard and available data protection controls

23 Special Contract Provisions
for Key Data Issues Compliance should be the responsibility of both parties. Agree on specific compliance data privacy standards/regulations that are applicable and include mutual obligations. Security compliance can reference “industry standard” or be specific, e.g. ISO Supplier may have security documentation. How to approach contract provisions on key data issues such as data privacy compliance, audit rights, requirements to report cloud use, data ownership, and the ability to mine, use, and track data

24 Special Contract Provisions for Key Data Issues (cont.)
Audit rights should be limited to compliance with the agreement. Should have a trigger event, e.g. underpayment/overpayment, security breach, etc. Reporting should be in a dashboard and related to services. All customers get access to the same reporting information. How to approach contract provisions on key data issues such as data privacy compliance, audit rights, requirements to report cloud use, data ownership, and the ability to mine, use, and track data

25 Special Contract Provisions for Key Data Issues (cont.)
Distinguish between pre-existing data and data that will be generated as a result of the agreement. Avoid specifying who owns new data. It’s more important to address what each party can do with the data.

26 Special Contract Provisions for Key Data Issues (cont.)
An advertising campaign, each party will be collecting performance data. You can restrict what one party can do with data collected by other party. You can also restrict the types of data each party can collect, e.g. no PII can be collected. FOR EXAMPLE

27 Managing Changing Regulatory Requirements (cont.)
Include broad definitions of applicable law to allow for flexibility if the law changes after execution of agreement. Provisions should address providing notice, getting consent, and data security to avoid necessity for amendments on a regular basis. How to adjust existing contracts to comply with ongoing regulatory changes, e.g., Privacy Shield, GDPR, and evolving US state laws

28 Managing Changing Regulatory Requirements (cont.)
Make the amendment process quick and easy. Use SOWs or have an exhibit with a template for changes. Large suppliers often have their own language and process-heavy procedures that are not transparent, which can present difficulties in negotiating terms. How to adjust existing contracts to comply with ongoing regulatory changes, e.g., Privacy Shield, GDPR, and evolving US state laws

29 Managing Changing Regulatory Requirements (cont.)
If supplier sits on language revisions, try to partner with procurement and privacy function and find someone you know who might know that person, work with the business. FOR EXAMPLE How to adjust existing contracts to comply with ongoing regulatory changes, e.g., Privacy Shield, GDPR, and evolving US state laws

30 Managing Changing Regulatory Requirements (cont.)
Be sure to include your stakeholders beyond those who are required to be notified. Specify contacts who can address contract issues or remediate so you don’t end up sending a request for amendments into the ether. Include a header page with contacts for each party. How to adjust existing contracts to comply with ongoing regulatory changes, e.g., Privacy Shield, GDPR, and evolving US state laws

31 Managing Changing Regulatory Requirements (cont.)
On the other hand, there may be concerns about being too broad or overly inclusive Include language that states the parties will comply with new laws/requirements within a reasonable period of time. Include language that defines when a law/regulation is applicable, e.g. “applicable to the services under the agreement.”

32 Managing Changing Regulatory Requirements (cont.)
US-EU Privacy Shield changes Can still use Model Clauses for controller to controller and controller to processor. Other requirements General Data Protection Regulation (GDPR) Cross Border Privacy Rules (CBPR)

33 Key Takeaways Understand the data covered under a contract and how it will be processed Understand the contract provisions Statement of work Identify confidential data Security requirements and breach notifications Indemnification Limitation of liability Privacy Supplier security provisions

34 Key Takeaways (cont.) Understand and prioritize your third party risk Be prepared by knowing your counterparty, your team and develop supporting materials Be adaptable to the technology landscape when reviewing/drafting contracts Stay informed on the ever-evolving laws/regulations around security and privacy

Download ppt "Tackling Data Related Challenges in Contracts"

Similar presentations

©2008 Perkins Coie LLP Game Industry Roundtable Privacy Developments for the Game Industry Thomas C. Bell September 24, 2008.

©2008 Perkins Coie LLP Game Industry Roundtable Privacy Developments for the Game Industry Thomas C. Bell September 24, 2008.
The Gathering Cloud computing - Legal considerations David Goodbrand, Partner 28 February 2013 Aberdeen Edinburgh Glasgow.

The Gathering Cloud computing - Legal considerations David Goodbrand, Partner 28 February 2013 Aberdeen Edinburgh Glasgow.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.

IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.
Business Associate Contracts: Time Is Running Out... Rebecca L. Williams, RN, JD Partner Davis Wright Tremaine LLP Seattle, WA 206-628-7769.

Business Associate Contracts: Time Is Running Out... Rebecca L. Williams, RN, JD Partner Davis Wright Tremaine LLP Seattle, WA
Page 1 Recording of this session via any media type is strictly prohibited. Page 1 M&A Insurance: Forever Changing the Way Businesses are Bought and Sold.

Page 1 Recording of this session via any media type is strictly prohibited. Page 1 M&A Insurance: Forever Changing the Way Businesses are Bought and Sold.
Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 1 HIPAA Learning Module The following is an educational Powerpoint presentation on the.

Version 6.0 Approved by HIPAA Implementation Team April 14, HIPAA Learning Module The following is an educational Powerpoint presentation on the.
© 2012 McGladrey LLP. All Rights Reserved.© 2014 McGladrey LLP. All Rights Reserved. © 2012 McGladrey LLP. All Rights Reserved. © 2013 McGladrey LLP. All.

© 2012 McGladrey LLP. All Rights Reserved.© 2014 McGladrey LLP. All Rights Reserved. © 2012 McGladrey LLP. All Rights Reserved. © 2013 McGladrey LLP. All.
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing
COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.

COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.
LAW SEMINARS INTERNATIONAL New Developments in Internet Marketing & Selling November 13 & 14, 2006 San Francisco, California Moderator : Maureen A. Young.

LAW SEMINARS INTERNATIONAL New Developments in Internet Marketing & Selling November 13 & 14, 2006 San Francisco, California Moderator : Maureen A. Young.
Outsourcing Louis P. Piergeti VP, IIROC March 29, 2011.

Outsourcing Louis P. Piergeti VP, IIROC March 29, 2011.
© Copyright 2011, Vorys, Sater, Seymour and Pease LLP. All Rights Reserved. Higher standards make better lawyers. ® CISO Executive Network Executive Breakfast.

© Copyright 2011, Vorys, Sater, Seymour and Pease LLP. All Rights Reserved. Higher standards make better lawyers. ® CISO Executive Network Executive Breakfast.
Dino Tsibouris (614) 360-3133 Vendor Contracts: What You Need and What You May Be Missing.

Dino Tsibouris (614) Vendor Contracts: What You Need and What You May Be Missing.
Advanced Issues in Privacy: Drafting and Negotiating Business Associate Contracts Thomas E. Jeffry, Jr. Partner Davis Wright Tremaine LLP Los Angeles,

Advanced Issues in Privacy: Drafting and Negotiating Business Associate Contracts Thomas E. Jeffry, Jr. Partner Davis Wright Tremaine LLP Los Angeles,
FleetBoston Financial HIPAA Privacy Compliance Agnes Bundy Scanlan Managing Director and Chief Privacy Officer FleetBoston Financial.

FleetBoston Financial HIPAA Privacy Compliance Agnes Bundy Scanlan Managing Director and Chief Privacy Officer FleetBoston Financial.
Fred Carter Senior Policy & Technology Advisor Information and Privacy Commissioner Ontario, Canada MISA Ontario Cloud Computing Transformation Workshop.

Fred Carter Senior Policy & Technology Advisor Information and Privacy Commissioner Ontario, Canada MISA Ontario Cloud Computing Transformation Workshop.
Legal Jeopardy: Whose Risk Is It?. SPEAKERS Jason Straight Chief Privacy Officer and Senior Vice President Cyber Risk Solutions at UnitedLex Patrick Manzo.

Legal Jeopardy: Whose Risk Is It?. SPEAKERS Jason Straight Chief Privacy Officer and Senior Vice President Cyber Risk Solutions at UnitedLex Patrick Manzo.
Dino Tsibouris (614) 360-3133 Updates on Cloud, Contracting, Privacy, Security, and International Privacy Issues Mehmet Munur (614)

Dino Tsibouris (614) Updates on Cloud, Contracting, Privacy, Security, and International Privacy Issues Mehmet Munur (614)
Dino Tsibouris & Mehmet Munur Privacy and Information Security Laws and Updates.

Dino Tsibouris & Mehmet Munur Privacy and Information Security Laws and Updates.

Similar presentations

Ads by Google