Spencer Fane LLP | spencerfane.com 1
The Role of Contracts in Privacy,
Cybersecurity, and Data Breach
Shawn E. Tuma
Co-Chair, Data Privacy & Cybersecurity Practice
Spencer Fane LLP
Image credit: NASA’s Goddard Space Flight Center/Jeremy Schnittman
Security and IT protect companies’ data;
Legal protects companies from their data.
Cybersecurity is a legal issue
• Types
– Security
– Privacy
– Unauthorized Access
• International Laws
– GDPR
– Privacy Shield
– China’s Cybersecurity Law
• Federal Laws and Regs
– FTC, SEC, HIPAA
• State Laws
– All 50 States
– Privacy (50) + security (25+)
– CCPA, NYDFS, Colo FinServ
• Industry Groups
– PCI
– FINRA
• Contracts
– 3rd Party Bus. Assoc.
– Privacy / Data Security / Cybersecurity Addendum
Cyber is an overall business risk issue – in fact, it is THE ONE RISK ...
Common cybersecurity best practices
1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
– Social engineering, passwords, security questions.
3. Training of all workforce on P&P, then security.
4. Phish all workforce (esp. leadership).
5. Multi-factor authentication.
6. Signature-based antivirus and malware detection.
7. Internal controls / access controls.
8. No outdated or unsupported software.
9. Security patch update management policy.
10. Backups: segmented, offline, cloud, redundant.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk management program.
15. Firewall, intrusion detection and prevention systems.
16. Managed services provider (MSP) or managed security services provider (MSSP).
17. Really top-notch battle-tested CISO.
18. Cyber risk insurance.
Supply Chain Risk Management (SCRM) / Third-Party Risk Management
Ancient Cybersecurity Wisdom
“Water shapes its course according to the nature of the ground over which it flows; the soldier works out his victory in relation to the foe whom he is facing.”
“In all fighting the direct method may be used for joining battle, but indirect methods will be needed to secure victory.”
– Sun Tzu, The Art of War (Lionel Giles translation)
Lesson: Evaluate and audit third-parties’ security
• In re GMR Transcription Svcs., Inc., Consent Order (Aug. 14, 2014).
• FTC’s Order requires business to follow 3 steps when working with third-party service providers:
1. Investigate before hiring data service providers
2. Obligate data service providers to adhere to the appropriate level of data security protections
3. Verify that the data service providers are complying with obligations
NIST Cybersecurity Framework
• Version 1.1 (2018) adds “Supply Chain Risk Management (ID.SC)” as a category in the Framework Core, under the Identify function
• Coordinate cybersecurity efforts with IT and OT (operational technology) suppliers and partners
• Enact cybersecurity requirements through contracts;
• Communicate how cybersecurity standards will be verified and validated; and
• Verify cybersecurity standards are met.
Lesson: This is the “WHY” for the contractual obligations
• Addendum to business contracts
• Common names: Data Security & Privacy Agreement; Data Privacy; Cybersecurity; Privacy; Information Security
• Common features:
– Defines subject “Data” / “Network” protected in categories
– Establishes acceptable and prohibited uses for Data / Network
– Establishes standards for protecting Data / Network (3rd / Nth)
– Allocates obligations and responsibility for incident
– Notice, roles, expenses
– Requires binding third-parties to similar provisions
How about a few examples for “WHY”?
Example 1: “It’s not our fault!”
• Private security firm’s job applicants’ personal data (including identification of those with Top Secret security clearances) is exposed on an unsecured Amazon server.
• Firm says it wasn’t its fault; the third-party vendor it hired to process new job applications left the data exposed.
– Former CIA, NSA, Secret Service
– Names, home addresses, telephone numbers, email addresses
– Applicant transported nuclear activation codes
– Applicant was “warden advisor” at Abu Ghraib black site
• Who do you think is responsible?
• Do you think a better contract would have helped?
• What would have helped prevent this?
Example 2: “We can’t afford it”
• MegaCorp is a global leader in biotechnology and one of the world’s wealthiest companies. MegaCorp developed new, highly confidential and proprietary bio-authentication technology that could solve the world’s cybersecurity problem by setting access rights to data based on users’ unique DNA.
• MegaCorp recognizes the cyber threat and has state-of-the-art cybersecurity for its network, with a larger cybersecurity budget than the revenue of many biotech companies.
• For testing to prove the technology works, MegaCorp turns to the 4 best biotech research facilities, known for the quality and integrity of their research, not their profitability.
• MegaCorp’s contracts with the facilities require them to maintain the security and confidentiality of its intellectual property (IP).
Example 2: “We can’t afford it” (cont.)
• During testing for MegaCorp, Research1 discovers an intrusion in its network. Due to budget limitations, its “IT guy” calls his buddy to do “forensics”; they discover Research1’s network was being used to mine Bitcoin. They block the hacker and conclude “no problem.”
• Two weeks later Research1 gets hit with ransomware and a demand for $1,000,000 paid in Bitcoin. The IT guy is able to restore the network from backups, so he sends a taunting email to the hacker, just for fun. He also ignores the lawyer who warns that this may be an advanced persistent threat and may be a legal breach.
• One week later the hacker emails MegaCorp’s Board of Directors saying they have MegaCorp’s data and demanding $100 million to not disclose it.
Lessons from “We can’t afford it!”
• Larger enterprises have a better appreciation of cyber risk and more resources to spend on it. SMBs are not there yet; many still think “we can’t afford it” is justifiable.
• Does the harm to MegaCorp’s IP change depending on whether it was taken from MegaCorp or from Research1?
• MegaCorp would crush Research1 in a lawsuit … “indemnification” … so what?
• MegaCorp would have gladly paid the $1 million ransom to try to protect its IP, even with no guarantee.
• What contractual terms would have helped MegaCorp?
• What practical discussions would have helped MegaCorp?
• What risk transfer devices would have helped?
• What technology would have helped?
Key Takeaways
Focus on basic principles
• Two primary reasons for cybersecurity in contracting are to:
– Minimize risk, including third-party risk; and
– Determine the process and responsibility for incidents.
• Risk can be reduced to two basic things: protecting – wherever and however –
and responding to incidents concerning:
– Networks
– Data
Checklist: Using contracts to manage supply chain / third-party risk
Focus on objectives: protecting, responding, responsibility for data/network
Staff appropriately
Understand facts of relationship/transaction
Understand risks by thinking through the worst-case scenario from the outset
Minimize risks: do not risk it if you do not have to
Discuss objectives, facts, risks, protection with those responsible
Assess third-party’s sophistication and commitment
Agree upon appropriate protections
Investigate ability to comply
Obligate compliance, notification (to you), responsibility
Include in incident response planning
Cyber Insurance: transfer risk where possible
Ok, ok, ok … here are your example contract provisions …
"Highly Sensitive Personal Information" means an (i) individual's government-issued identification number (including Social Security number, driver's license number, or state-issued identification number); (ii) financial account number, credit card number, debit card number, or credit report information, with or without any required security code, access code, personal identification number, or password that would permit access to an individual’s financial account; or (iii) biometric, genetic, health, medical, or medical insurance data.
Source: Westlaw
THE POINT: Clearly define your data and networks at issue
"Security Breach" means [(i)] any act or omission that [materially] compromises either the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place by Service Provider [(or any Authorized Persons)], or by Customer should Service Provider have access to Customer’s systems, that relate to the protection of the security, confidentiality, or integrity of Personal Information [, or (ii) receipt of a complaint in relation to the privacy and data security practices of Service Provider [(or any Authorized Persons)] or a breach or alleged breach of this Agreement relating to such privacy and data security practices]. Without limiting the foregoing, a [material] compromise shall include any unauthorized access to or disclosure or acquisition of Personal Information.
Source: Westlaw
THE POINT: Clearly define important events: what is a cyber “event”, “incident”, “security breach”, “data breach”?
Information Security.
(a) Service Provider represents and warrants that its creation, collection, receipt, access, use, storage, disposal, and disclosure of Personal Information does and will comply with all applicable federal [and], state[, and foreign] privacy and data protection laws, as well as all other applicable regulations and directives.
(b) Service Provider shall implement and maintain a written information security program including appropriate policies, procedures, and risk assessments that are reviewed at least annually.
Without limiting Service Provider's obligations under Section [3(a)], Service Provider shall implement administrative, physical, and technical safeguards …
***
Source: Westlaw
THE POINT: Specify what security measures must be taken to protect the data and networks
Security Breach Procedures.
(a) Service Provider shall:
(i) provide Customer with the name and contact information for [an employee/security operations or other service desk] of Service Provider [who/which] shall serve as Customer's primary security contact and shall be available to assist Customer twenty-four (24) hours per day, seven (7) days per week as a contact in resolving obligations associated with a Security Breach;
(ii) notify Customer of a Security Breach as soon as practicable, but no later than [twenty-four (24) hours/[AGREED TIMEFRAME]] after Service Provider becomes aware of it; and…
***
Source: Westlaw
THE POINT: Specify what (1) must be done and (2) by whom if there is a “Security Breach”
Oversight of Security Compliance.
[Upon Customer's [written] request, to confirm Service Provider’s compliance with this Agreement, as well as any applicable laws, regulations, and industry standards, Service Provider grants Customer or, upon Customer’s election, a third party on Customer's behalf, permission to perform an assessment, audit, examination, or review of all controls in Service Provider’s physical and/or technical environment in relation to all Personal Information being handled and/or services being provided to Customer pursuant to this Agreement. Service Provider shall fully cooperate with such assessment by providing access to knowledgeable personnel, physical premises, documentation, infrastructure, and application software that processes, stores, or transports Personal Information for Customer pursuant to this Agreement. In addition, upon Customer's [written] request, Service Provider shall provide Customer with the results of any audit by or on behalf of Service Provider performed that assesses the effectiveness of Service Provider's information security program as relevant to the security and confidentiality of Personal Information shared during the course of this Agreement.]
***
Source: Westlaw
THE POINT: Right to audit – sure we trust you, but we want to verify because we are responsible for our data
Return or Destruction of Personal Information.
At any time during the term of this Agreement at Customer's [written] request or upon the termination or expiration of this Agreement for any reason, Service Provider shall, and shall instruct all [Authorized Employees/Authorized Persons] to, promptly return to Customer all copies, whether in written, electronic, or other form or media, of Personal Information in its possession or the possession of such [Authorized Employees/Authorized Persons], or securely dispose of all such copies, and certify in writing to Customer that such Personal Information has been returned to Customer or disposed of securely. Service Provider shall comply with all [reasonable] directions provided by Customer with respect to the return or disposal of Personal Information.
Source: Westlaw
THE POINT: “Data is the hot potato” – if you don’t need it, get rid of it … securely.
Indemnification. Service Provider shall defend, indemnify, and hold harmless Customer [and Customer's parent company] and [its/their] subsidiaries, affiliates, and [its/their] respective officers, directors, employees, agents, successors, and permitted assigns (each, a "Customer Indemnitee") from and against all losses, damages, liabilities, deficiencies, actions, judgments, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys' fees, the cost of enforcing any right to indemnification hereunder, and the cost of pursuing any insurance providers, arising out of or resulting from any third-party claim against any Customer Indemnitee arising out of or resulting from Service Provider's failure to comply with any of its obligations under [this Section/[SECTION NUMBER]].
Source: Westlaw
THE POINT: Pay up … well, if you can (but you had better both have privacy / cyber risk insurance).
Privacy/Cyber/Network Security/Professional Liability. Service Provider shall maintain appropriate Privacy/Cyber/Network Security/Professional Liability coverage in the amount of not less than $1,500,000 per occurrence and $10,000,000 in the aggregate, with coverage to specifically provide protection against liability for the following: (a) privacy breaches and resulting liability arising from the loss or disclosure of BIGCORP Data or Personal Information; (b) denial or loss of service; (c) introduction, implantation, or spread of malicious code or software; and (d) unauthorized access to or use of computer systems, to include first-party coverage for forensic investigation, notification, and credit monitoring and third-party coverage for network security errors and omissions, with no exclusions for unencrypted portable devices or media or cyber events. Service Provider agrees to provide proof that this insurance is maintained for a period of two years after the termination of the Agreement.
THE POINT: You – and everyone you rely upon in the supply chain – better have privacy / cyber risk insurance.
Subcontractors. Service Provider and Affiliates of Service Provider will perform sufficient due diligence prior to the retention of any Subcontractor to ensure that such Subcontractor will not, in any way, compromise the security, confidentiality, availability or integrity of any BIGCORP Data. Further, Service Provider and Affiliates of Service Provider will ensure that the terms of its subcontract with any Subcontractor are sufficient to enable such Service Provider or Affiliate of Service Provider to perform all of its responsibilities and obligations of the Agreement and the Security Datasheet. Service Provider will take appropriate action to cause its Affiliates, Subcontractors, and Service Provider Personnel to be advised of and comply with the applicable terms and conditions of the Agreement and the Security Datasheet, and will ensure that Service Provider Personnel are trained regarding their handling of BIGCORP Data and obligations under the Agreement and Security Datasheet.
THE POINT: The security and privacy protections for the data flow down to the nth level downstream.
Shawn Tuma
Co-Chair, Cybersecurity & Data Privacy
Spencer Fane LLP
972.324.0317
stuma@spencerfane.com
• 20+ Years of Cyber Law Experience
• Practitioner Editor, Bloomberg BNA – Texas Cybersecurity & Data Privacy Law
• Council Member, Southern Methodist University Cybersecurity Advisory
• Board of Advisors, North Texas Cyber Forensics Lab
• Policy Council, National Technology Security Coalition
• Board of Advisors, Cyber Future Foundation
• Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016)
• SuperLawyers Top 100 Lawyers in Dallas (2016)
• SuperLawyers 2015-20
• Best Lawyers in Dallas 2014-20, D Magazine
• Chair-Elect, Computer & Technology Section, State Bar of Texas
• Privacy and Data Security Committee of the State Bar of Texas
• College of the State Bar of Texas
• Board of Directors, Collin County Bench Bar Conference
• Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association
• Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
• North Texas Crime Commission, Cybercrime Committee & Infragard (FBI)
• International Association of Privacy Professionals (IAPP)

Cybersecurity Fundamentals for Legal ProfessionalsCybersecurity Fundamentals for Legal Professionals
Cybersecurity Fundamentals for Legal Professionals
 
The Essentials of Cyber Insurance: A Panel of Industry Experts
The Essentials of Cyber Insurance: A Panel of Industry ExpertsThe Essentials of Cyber Insurance: A Panel of Industry Experts
The Essentials of Cyber Insurance: A Panel of Industry Experts
 

Recently uploaded

一比一原版赫瑞瓦特大学毕业证如何办理
一比一原版赫瑞瓦特大学毕业证如何办理一比一原版赫瑞瓦特大学毕业证如何办理
一比一原版赫瑞瓦特大学毕业证如何办理
Airst S
 
一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理
Airst S
 
一比一原版(UC毕业证书)堪培拉大学毕业证如何办理
一比一原版(UC毕业证书)堪培拉大学毕业证如何办理一比一原版(UC毕业证书)堪培拉大学毕业证如何办理
一比一原版(UC毕业证书)堪培拉大学毕业证如何办理
bd2c5966a56d
 
Contract law. Indemnity
Contract law.                     IndemnityContract law.                     Indemnity
Contract law. Indemnity
mahikaanand16
 
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
Airst S
 
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
Airst S
 
一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理
Airst S
 

Recently uploaded (20)

Relationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdfRelationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdf
 
Independent Call Girls Pune | 8005736733 Independent Escorts & Dating Escorts...
Independent Call Girls Pune | 8005736733 Independent Escorts & Dating Escorts...Independent Call Girls Pune | 8005736733 Independent Escorts & Dating Escorts...
Independent Call Girls Pune | 8005736733 Independent Escorts & Dating Escorts...
 
一比一原版赫瑞瓦特大学毕业证如何办理
一比一原版赫瑞瓦特大学毕业证如何办理一比一原版赫瑞瓦特大学毕业证如何办理
一比一原版赫瑞瓦特大学毕业证如何办理
 
一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理
 
一比一原版(UC毕业证书)堪培拉大学毕业证如何办理
一比一原版(UC毕业证书)堪培拉大学毕业证如何办理一比一原版(UC毕业证书)堪培拉大学毕业证如何办理
一比一原版(UC毕业证书)堪培拉大学毕业证如何办理
 
The Active Management Value Ratio: The New Science of Benchmarking Investment...
The Active Management Value Ratio: The New Science of Benchmarking Investment...The Active Management Value Ratio: The New Science of Benchmarking Investment...
The Active Management Value Ratio: The New Science of Benchmarking Investment...
 
589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdf589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdf
 
Shubh_Burden of proof_Indian Evidence Act.pptx
Shubh_Burden of proof_Indian Evidence Act.pptxShubh_Burden of proof_Indian Evidence Act.pptx
Shubh_Burden of proof_Indian Evidence Act.pptx
 
Contract law. Indemnity
Contract law.                     IndemnityContract law.                     Indemnity
Contract law. Indemnity
 
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptxAnalysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
 
Philippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam TakersPhilippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam Takers
 
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
 
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptx
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptxMOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptx
MOCK GENERAL MEETINGS (SS-2)- PPT- Part 2.pptx
 
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
 
Police Misconduct Lawyers - Law Office of Jerry L. Steering
Police Misconduct Lawyers - Law Office of Jerry L. SteeringPolice Misconduct Lawyers - Law Office of Jerry L. Steering
Police Misconduct Lawyers - Law Office of Jerry L. Steering
 
Municipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptx
Municipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptxMunicipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptx
Municipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptx
 
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
 
Andrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top Boutique
Andrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top BoutiqueAndrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top Boutique
Andrea Hill Featured in Canadian Lawyer as SkyLaw Recognized as a Top Boutique
 
Presentation on Corporate SOCIAL RESPONSIBILITY- PPT.pptx
Presentation on Corporate SOCIAL RESPONSIBILITY- PPT.pptxPresentation on Corporate SOCIAL RESPONSIBILITY- PPT.pptx
Presentation on Corporate SOCIAL RESPONSIBILITY- PPT.pptx
 
一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理
 

The Role of Contracts in Privacy, Cybersecurity, and Data Breach

  • 1. Spencer Fane LLP | spencerfane.com 1 The Role of Contracts in Privacy, Cybersecurity, and Data Breach Shawn E. Tuma Co-Chair, Data Privacy & Cybersecurity Practice Spencer Fane LLP
  • 2. Spencer Fane LLP | spencerfane.com 2Credit: NASA’s Goddard Space Flight Center/Jeremy Schnittman
  • 3. Spencer Fane LLP | spencerfane.com 3 Security and IT protect companies’ data; Legal protects companies from their data.
  • 4. Spencer Fane LLP | spencerfane.com 4 Cybersecurity is a legal issue • Types – Security – Privacy – Unauthorized Access • International Laws – GDPR – Privacy Shield – China’s Cybersecurity Law • Federal Laws and Regs – FTC, SEC, HIPAA • State Laws – All 50 States – Privacy (50) + security (25+) – CCPA, NYDFS, Colo FinServ • Industry Groups – PCI – FINRA • Contracts – 3rd Party Bus. Assoc. – Privacy / Data Security / Cybersecurity Addendum
  • 5. Spencer Fane LLP | spencerfane.com 5
  • 6. Spencer Fane LLP | spencerfane.com 6
  • 7. Spencer Fane LLP | spencerfane.com 7
  • 8. Spencer Fane LLP | spencerfane.com 8
  • 9. Spencer Fane LLP | spencerfane.com 9
  • 10. Spencer Fane LLP | spencerfane.com 10 Cyber is an overall business risk issue – in fact, It is THE ONE RISK ...
Common cybersecurity best practices
1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
   – Social engineering, passwords, security questions.
3. Training of all workforce on P&P, then security.
4. Phish all workforce (esp. leadership).
5. Multi-factor authentication.
6. Signature-based antivirus and malware detection.
7. Internal controls / access controls.
8. No outdated or unsupported software.
9. Security patch update management policy.
10. Backups segmented offline, cloud, redundant.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk management program.
15. Firewall, intrusion detection and prevention systems.
16. Managed services provider (MSP) or managed security services provider (MSSP).
17. Really top-notch, battle-tested CISO.
18. Cyber risk insurance.

Supply Chain Risk Management (SCRM) / Third-Party Risk Management

Ancient Cybersecurity Wisdom
“Water shapes its course according to the nature of the ground over which it flows; the soldier works out his victory in relation to the foe whom he is facing.”
“In all fighting the direct method may be used for joining battle, but indirect methods will be needed to secure victory.”
(Sun Tzu, The Art of War)

Lesson: Evaluate and audit third parties’ security
• In re GMR Transcription Svcs., Inc., Consent Order (Aug. 14, 2014).
• The FTC’s Order requires the business to follow 3 steps when working with third-party service providers:
  1. Investigate before hiring data service providers.
  2. Obligate data service providers to adhere to the appropriate level of data security protections.
  3. Verify that the data service providers are complying with those obligations.

NIST Cybersecurity Framework
• Version 1.1 adds “Supply Chain Risk Management (SCRM)” to the Framework Core as a Category (ID.SC) under the Identify Function.
• Coordinate cybersecurity efforts with suppliers and partners of IT and OT (operational technology);
• Enact cybersecurity requirements through contracts;
• Communicate how cybersecurity standards will be verified and validated; and
• Verify cybersecurity standards are met.

Lesson: This is the “WHY” for the contractual obligations
• Addendum to business contracts
• Common names: Data Security & Privacy Agreement; Data Privacy; Cybersecurity; Privacy; Information Security
• Common features:
  – Defines the subject “Data” / “Network” protected, in categories
  – Establishes acceptable and prohibited uses for Data / Network
  – Establishes standards for protecting Data / Network (3rd / Nth party)
  – Allocates obligations and responsibility for an incident: notice, roles, expenses
  – Requires binding third parties to similar provisions

How about a few examples for “WHY”?
Example 1: “It’s not our fault!”
• A private security firm’s job applicants’ personal data (including identification of those holding Top Secret security clearances) is exposed on an unsecured Amazon server.
• The firm says it wasn’t its fault: the third-party vendor it hired to process new job applications left the data exposed.
  – Former CIA, NSA, Secret Service
  – Names, home addresses, telephone numbers, email addresses
  – One applicant transported nuclear activation codes
  – One applicant was a “warden advisor” at the Abu Ghraib black site
• Who do you think is responsible?
• Do you think a better contract would have helped?
• What would have helped prevent this?
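Example 1 ends by asking what would have helped prevent the exposure. The slide does not name the service, but an “unsecured Amazon server” holding uploaded applicant files is, as an assumption for this illustration, an S3 bucket that a policy or ACL has opened to anonymous readers. The following is an added example, not part of the presentation and not any vendor’s code: an offline analyzer that takes a bucket policy, its ACL and its Public Access Block settings (the JSON shapes the S3 API returns) and reports whether anyone on the Internet can read the objects. The bucket name, account ID and role name are constructed.

```python
"""Offline check for anonymous-read exposure of an S3 bucket (added example).
Evaluates the three settings that together decide whether the public can
read a bucket: bucket policy, bucket ACL, Public Access Block. Inputs are the
shapes returned by `aws s3api get-bucket-policy / get-bucket-acl /
get-public-access-block`. All sample data below is constructed."""
import json
from typing import Any

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Actions that let the grantee read object contents (wildcards included).
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value: Any) -> list:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principal_is_anonymous(principal: Any) -> bool:
    """True when the statement applies to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False

def public_read_statements(policy_json: str) -> list[str]:
    """Describe each Allow statement that grants anonymous read access."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        sid = stmt.get("Sid") or f"Statement[{idx}]"
        # A Condition (e.g. aws:SourceVpce) may narrow the grant; still report it.
        suffix = " (conditioned)" if stmt.get("Condition") else ""
        findings.append(f"policy {sid}: anonymous read{suffix}")
    return findings

def public_acl_grants(acl: dict) -> list[str]:
    """Describe ACL grants to the AllUsers or AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            group = "AllUsers" if grantee["URI"] == ALL_USERS else "AuthenticatedUsers"
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    return findings

def public_access_block_gaps(config: dict) -> list[str]:
    """List the Public Access Block settings that are not enabled."""
    return [key for key in PAB_KEYS if not config.get(key, False)]

def assess_bucket(name: str, policy_json: str, acl: dict, pab: dict) -> dict:
    """Combine the three checks into one verdict for a bucket."""
    findings = public_read_statements(policy_json) + public_acl_grants(acl)
    return {"bucket": name, "public": bool(findings), "findings": findings,
            "public_access_block_gaps": public_access_block_gaps(pab)}

# Constructed sample: the misconfiguration in Example 1 (applicant files open to the world).
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::applicant-uploads/*"}]})
EXPOSED_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
EXPOSED_PAB: dict = {}  # Public Access Block never configured

# Constructed sample: the same bucket restricted to one processing role, TLS required.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "IntakeRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/intake-processor"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::applicant-uploads/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::applicant-uploads", "arn:aws:s3:::applicant-uploads/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
HARDENED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}
HARDENED_PAB = {key: True for key in PAB_KEYS}

if __name__ == "__main__":
    for args in (("applicant-uploads (exposed)", EXPOSED_POLICY, EXPOSED_ACL, EXPOSED_PAB),
                 ("applicant-uploads (hardened)", HARDENED_POLICY, HARDENED_ACL, HARDENED_PAB)):
        print(json.dumps(assess_bucket(*args), indent=2))
```

The exposed sample is flagged on all three axes (anonymous policy grant, AllUsers ACL grant, no Public Access Block); the hardened sample passes because its only Allow statement names a specific role and the Deny statement is ignored by the anonymous-read check. In the contracting model the deck describes, this is the “verify” step of the FTC’s three steps made concrete: a customer exercising an audit right can ask the vendor for exactly these three API outputs for every bucket that holds its data.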
Example 2: “We can’t afford it”
• MegaCorp is a global leader in biotechnology and one of the world’s wealthiest companies. MegaCorp developed new, highly confidential and proprietary bio-authentication technology that could solve the world’s cybersecurity problem by setting access rights to data based on users’ unique DNA.
• MegaCorp recognizes the cyber threat and has state-of-the-art cybersecurity for its network, with a larger cybersecurity budget than the revenue of many biotech companies.
• For testing to prove the technology works, MegaCorp turns to the 4 best biotech research facilities, known for the quality and integrity of their research, not their profitability.
• MegaCorp’s contracts with the facilities require that they maintain the security and confidentiality of its intellectual property (IP).

Example 2: “We can’t afford it” (cont.)
• During testing for MegaCorp, Research1 discovers an intrusion in its network. Due to budget limitations, its “IT guy” calls his buddy to do “forensics”; they discover Research1’s network was being used to mine Bitcoin. They block the hacker and conclude “no problem.”
• Two weeks later Research1 gets hit with ransomware and a demand for $1,000,000 paid in Bitcoin. The IT guy was able to restore the network from backups, so he sent a taunting email to the hacker, just for fun. He also ignored the lawyer who warned of a possible advanced persistent threat and said it may be a legal breach.
• One week later the hacker emails MegaCorp’s Board of Directors saying they have MegaCorp’s data and demanding $100 million to not disclose it.

Lessons from “We can’t afford it!”
• Larger enterprises have a better appreciation of cyber risk and more resources to spend on it. SMBs are not there … yet … and still think “we can’t afford it” is justifiable.
• Does the harm to MegaCorp’s IP change depending on whether it is taken from MegaCorp or from Research1?
• MegaCorp would crush Research1 in a lawsuit … “indemnification” … so what?
• MegaCorp would have gladly paid the $1 million ransom to try to protect its IP, even with no guarantee.
• What contractual terms would have helped MegaCorp?
• What practical discussions would have helped MegaCorp?
• What risk transfer devices would have helped?
• What technology would have helped?

Key Takeaways

Focus on basic principles
• Two primary reasons for cybersecurity in contracting are to:
  – Minimize risk, including third-party risk; and
  – Determine the process and responsibility for incidents.
• Risk can be reduced to two basic things: protecting – wherever and however – and responding to incidents concerning:
  – Networks
  – Data

Checklist: Using contracts to manage supply chain / third-party risk
• Focus on objectives: protecting, responding, responsibility for data/network
• Staff appropriately
• Understand the facts of the relationship/transaction
• Understand the risks by thinking through the worst-case scenario from the outset
• Minimize risks: do not risk it if you do not have to
• Discuss objectives, facts, risks, protection with those responsible
• Assess the third party’s sophistication and commitment
• Agree upon appropriate protections
• Investigate ability to comply
• Obligate compliance, notification (to you), responsibility
• Include in incident response planning
• Cyber insurance: transfer risk where possible

Ok, ok, ok … here are your example contract provisions …
THE POINT: Clearly define your data and networks at issue
"Highly Sensitive Personal Information" means an individual's (i) government-issued identification number (including Social Security number, driver's license number, or state-issued identification number); (ii) financial account number, credit card number, debit card number, or credit report information, with or without any required security code, access code, personal identification number, or password that would permit access to an individual’s financial account; or (iii) biometric, genetic, health, medical, or medical insurance data.
Source: Westlaw

THE POINT: Clearly define important events: what is a cyber “event”, “incident”, “security breach”, “data breach”?
"Security Breach" means [(i)] any act or omission that [materially] compromises either the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place by Service Provider [(or any Authorized Persons)], or by Customer should Service Provider have access to Customer’s systems, that relate to the protection of the security, confidentiality, or integrity of Personal Information [, or (ii) receipt of a complaint in relation to the privacy and data security practices of Service Provider [(or any Authorized Persons)] or a breach or alleged breach of this Agreement relating to such privacy and data security practices]. Without limiting the foregoing, a [material] compromise shall include any unauthorized access to or disclosure or acquisition of Personal Information.
Source: Westlaw

THE POINT: Specify what security measures must be taken to protect the data and networks
Information Security. (a) Service Provider represents and warrants that its creation, collection, receipt, access, use, storage, disposal, and disclosure of Personal Information does and will comply with all applicable federal [and], state[, and foreign] privacy and data protection laws, as well as all other applicable regulations and directives. (b) Service Provider shall implement and maintain a written information security program including appropriate policies, procedures, and risk assessments that are reviewed at least annually. Without limiting Service Provider's obligations under Section [3(a)], Service Provider shall implement administrative, physical, and technical safeguards … ***
Source: Westlaw

THE POINT: Specify what (1) must be done and (2) by whom if there is a “Security Breach”
Security Breach Procedures. (a) Service Provider shall: (i) provide Customer with the name and contact information for [an employee/security operations or other service desk] of Service Provider [who/which] shall serve as Customer's primary security contact and shall be available to assist Customer twenty-four (24) hours per day, seven (7) days per week as a contact in resolving obligations associated with a Security Breach; (ii) notify Customer of a Security Breach as soon as practicable, but no later than [twenty-four (24) hours/[AGREED TIMEFRAME]] after Service Provider becomes aware of it; and … ***
Source: Westlaw

THE POINT: Right to audit – sure we trust you, but we want to verify because we are responsible for our data
Oversight of Security Compliance. [Upon Customer's [written] request, to confirm Service Provider’s compliance with this Agreement, as well as any applicable laws, regulations, and industry standards, Service Provider grants Customer or, upon Customer’s election, a third party on Customer's behalf, permission to perform an assessment, audit, examination, or review of all controls in Service Provider’s physical and/or technical environment in relation to all Personal Information being handled and/or services being provided to Customer pursuant to this Agreement. Service Provider shall fully cooperate with such assessment by providing access to knowledgeable personnel, physical premises, documentation, infrastructure, and application software that processes, stores, or transports Personal Information for Customer pursuant to this Agreement. In addition, upon Customer's [written] request, Service Provider shall provide Customer with the results of any audit by or on behalf of Service Provider performed that assesses the effectiveness of Service Provider's information security program as relevant to the security and confidentiality of Personal Information shared during the course of this Agreement.] ***
Source: Westlaw

THE POINT: “Data is the hot potato” – if you don’t need it, get rid of it … securely.
Return or Destruction of Personal Information. At any time during the term of this Agreement at Customer's [written] request or upon the termination or expiration of this Agreement for any reason, Service Provider shall, and shall instruct all [Authorized Employees/Authorized Persons] to, promptly return to Customer all copies, whether in written, electronic, or other form or media, of Personal Information in its possession or the possession of such [Authorized Employees/Authorized Persons], or securely dispose of all such copies, and certify in writing to Customer that such Personal Information has been returned to Customer or disposed of securely. Service Provider shall comply with all [reasonable] directions provided by Customer with respect to the return or disposal of Personal Information.
Source: Westlaw

THE POINT: Pay up … well, if you can (but you had better both have privacy / cyber risk insurance).
Indemnification. Service Provider shall defend, indemnify, and hold harmless Customer [and Customer's parent company] and [its/their] subsidiaries, affiliates, and [its/their] respective officers, directors, employees, agents, successors, and permitted assigns (each, a "Customer Indemnitee") from and against all losses, damages, liabilities, deficiencies, actions, judgments, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys' fees, the cost of enforcing any right to indemnification hereunder, and the cost of pursuing any insurance providers, arising out of or resulting from any third-party claim against any Customer Indemnitee arising out of or resulting from Service Provider's failure to comply with any of its obligations under [this Section/[SECTION NUMBER]].
Source: Westlaw

THE POINT: You – and everyone you rely upon in the supply chain – had better have privacy / cyber risk insurance.
Privacy/Cyber/Network Security/Professional Liability. Service Provider shall maintain appropriate Privacy/Cyber/Network Security/Professional Liability coverage in the amount of not less than $1,500,000 per occurrence and $10,000,000 in the aggregate, with coverage to specifically provide protection against liability for the following: (a) privacy breaches and resulting liability arising from the loss or disclosure of BIGCORP Data or Personal Information; (b) denial or loss of service; (c) introduction, implantation or spread of malicious code or software; and (d) unauthorized access to or use of computer systems, to include first-party coverage for forensic investigation, notification and credit monitoring and third-party coverage for network security errors and omissions, with no exclusions for unencrypted portable devices or media or cyber events. Service Provider agrees to provide proof that this insurance is maintained for a period of two years after the termination of the Agreement.

THE POINT: The security and privacy protections for the data flow down to the nth level downstream.
Subcontractors. Service Provider and Affiliates of Service Provider will perform sufficient due diligence prior to the retention of any Subcontractor to ensure that such Subcontractor will not, in any way, compromise the security, confidentiality, availability or integrity of any BIGCORP Data. Further, Service Provider and Affiliates of Service Provider will ensure that the terms of its subcontract with any Subcontractor are sufficient to enable such Service Provider or Affiliate of Service Provider to perform all of its responsibilities and obligations of the Agreement and the Security Datasheet. Service Provider will take appropriate action to cause its Affiliates, Subcontractors, and Service Provider Personnel to be advised of and comply with the applicable terms and conditions of the Agreement and the Security Datasheet, and will ensure that Service Provider Personnel are trained regarding their handling of BIGCORP Data and obligations under the Agreement and Security Datasheet.
Shawn Tuma
Co-Chair, Cybersecurity & Data Privacy
Spencer Fane LLP
972.324.0317
stuma@spencerfane.com
• 20+ Years of Cyber Law Experience
• Practitioner Editor, Bloomberg BNA – Texas Cybersecurity & Data Privacy Law
• Council Member, Southern Methodist University Cybersecurity Advisory
• Board of Advisors, North Texas Cyber Forensics Lab
• Policy Council, National Technology Security Coalition
• Board of Advisors, Cyber Future Foundation
• Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016)
• SuperLawyers Top 100 Lawyers in Dallas (2016)
• SuperLawyers 2015-20
• Best Lawyers in Dallas 2014-20, D Magazine
• Chair-Elect, Computer & Technology Section, State Bar of Texas
• Privacy and Data Security Committee of the State Bar of Texas
• College of the State Bar of Texas
• Board of Directors, Collin County Bench Bar Conference
• Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association
• Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
• North Texas Crime Commission, Cybercrime Committee & InfraGard (FBI)
• International Association of Privacy Professionals (IAPP)