Cybersecurity & Data Privacy Attorney Shawn Tuma delivered the presentation Legal Issues Associated with Third-Party Risk at the ISACA CSX 2017 North America conference in Washington, DC.
9. New York Department of Financial Services Cybersecurity (NYDFS) Requirements for Financial Services Companies + [fill in]
• All NY “financial institutions” + third party service providers.
• Third party service providers – examine, obligate, audit.
• Establish Cybersecurity Program (w/ specifics):
  • Logging, Data Classification, IDS, IPS;
  • Pen Testing, Vulnerability Assessments, Risk Assessment; and
  • Encryption, Access Controls.
• Adopt Cybersecurity Policies.
• Designate qualified CISO to be responsible.
• Adequate cybersecurity personnel and intelligence.
• Personnel Policies & Procedures, Training, Written IRP.
• Chairman or Senior Officer Certify Compliance.
10. Third Party Service Provider Security Policy (Section 500.11)
“Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers.”
• P&P should be based on CE’s Risk Assessment and address the following, as applicable:
  • The identification and risk assessment of TPSPs;
  • Minimum CP required by TPSP to do business with CE;
  • Due diligence process used to evaluate the adequacy of CP by such TPSP; and
  • Periodic assessment of such TPSP based on risk they present and continued adequacy of their CP.
• P&P shall include relevant guidelines for due diligence and/or contractual protections relating to TPSP and applicable guidelines addressing:
  • TPSP’s P&P for access controls and MFA to IS / NPI;
  • TPSP’s P&P for use of encryption in transit and at rest;
  • Notice to be provided to CE for Cybersecurity Event; and
  • Reps and warranties addressing TPSP’s cybersecurity P&P.
11. EU – General Data Protection Regulation (GDPR)
• Goal: Protect all EU citizens from privacy and data breaches.
• When: May 25, 2018.
• Reach: Applies to all companies (controllers and processors):
  • Processing data of EU residents (regardless of where processing occurs),
  • Established in the EU (regardless of where processing occurs), or
  • Offering goods or services to EU citizens or monitoring behavior in the EU.
• Penalties: up to 4% of global turnover or €20 Million (whichever is greater).
• Remedies: data subjects have judicial remedies and a right to damages.
• Data subject rights:
  • Breach notification – 72 hrs to DPA; “without undue delay” to data subjects.
  • Right to access – provide confirmation of processing and an electronic copy (free).
  • Data erasure – right to be forgotten: erase, cease dissemination or processing.
  • Data portability – receive previously provided data in a common electronic format.
  • Privacy by design – include data protection from the onset of designing systems.
12. Third Party Processing and Risk Under the GDPR
• Controller, individually or with other controllers (jointly and severally), is responsible to the data subjects. Art. 26
• Processor may only process on controller’s instructions. Art. 29
• Using a risk assessment, the controller must implement appropriate technical and organizational safeguards (incl. P&P) to ensure personal data is processed lawfully. Reassessment and maturation are required. Art. 24(1)
• Controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures to satisfy GDPR. Art. 28
  • Processor must have controller’s written authorization to engage another sub-processor;
  • Processor must have a binding contract with controller specifying particulars of processing;
  • Processor must be bound to confidentiality;
  • Processor must demonstrate compliance and agree to audits and inspections; and
  • Nth-level processors are liable to the upstream processor, which is liable to the controller, which is ultimately liable.
• Non-regulated controllers and processors can contractually agree to be bound. Art. 42