Data Security and Privacy by Contract: Hacking Us All Into Business Associates, SMU Science &...
Data Security and Privacy by Contract: Hacking Us All Into Business Associates
Shawn E. Tuma, Scheef & Stone, LLP
@shawnetuma
Cybersecurity Symposium
October 23, 2015
Breach impacting 110 million customers
$262 million in expenses for 2013 and 2014
Offer “free” identity theft and credit monitoring to all affected customers
Net earnings down 34.28%
Earnings per share down 44.60%
Non-cash losses up 487.71%
US sales down 6.60%
Lawsuits, possible enforcement actions, who knows?
Have you ever heard of …
www.solidcounsel.com
Ancient Cybersecurity Wisdom
“In all fighting the direct method may be used for joining battle, but indirect methods will be needed to secure victory.”
“You can be sure of succeeding in your attacks if you attack places which are not defended.”
Regulatory Response
Regulatory Response – SEC
January 2014: SEC indicates companies need P&P for:
1. Prevention, detection, and response to cyber attacks and data breaches,
2. IT training focused on security, and
3. Vendor access to company systems and vendor due diligence.
Regulatory Response – SEC
April 15, 2014 – Office of Compliance Inspections and Examinations (OCIE) Cybersecurity Initiative: examine 50 registered broker-dealers and registered investment advisors.
7 page sample cybersecurity doc request. Many 3rd parties.
Regulatory Response – SEC “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.” S.E.C. v. R.T. Jones Capital Equities Management, Consent Order (Sept. 22, 2015).
R.T. Jones violated this “safeguards rule”: 100,000 records (no reports of harm); $75,000 penalty.
Regulatory Response – FTC FTC’s Order requires business to follow 3 steps when contracting with 3rd party service providers. In re GMR Transcription Svcs, Inc., 2014 WL 4252393 (Aug. 14, 2014):
1. Investigate before hiring data service providers.
2. Obligate their data service providers to adhere to the appropriate level of data security protections.
3. Verify that the data service providers are complying with obligations (contracts).
Regulatory & Administrative
The FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the Federal Trade Commission Act, and companies have fair notice that their specific cybersecurity practices could fall short of that provision. F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. Aug. 24, 2015).
The Contract
Addendum to Business Contracts
Many names, similar features:
Defines “Data” being protected in categories.
Describes acceptable and prohibited uses.
Describes standards for protecting.
Describes requirements for returning/deleting.
Describes obligations if a breach.
Allocates responsibility if a breach.
Requires binding third parties to similar contractual obligations.
“Business Associates”?