THE CLOUD: Risks and Benefits from the Business, Legal and Technology Perspective

September 11, 2013

KEVIN M. LEVY, ESQ. (klevy@gunster.com)
GUNSTER YOAKLEY & STEWART, P.A.




ROAD MAP

Benefits
Identify and Evaluate Risk
Mitigate Risk:
▪ Policies and Procedures
▪ Due Diligence
▪ Contracting:
  ▪ Negotiation
  ▪ Monitoring
▪ Breach Preparation and Response


DATA

Control:
▪ Where is the data?
▪ What jurisdictional law(s) control(s)?
Privacy, Security and Segregation
Integrity
Ownership
Breach
Destruction
Back-up / Recovery:
▪ Whose responsibility?

NETWORK

Access:
▪ Internet down or facility offline
▪ Law enforcement investigation (e.g., Megaupload)
Continuity
Redundancy and Back-up
Security


REGULATORY COMPLIANCE

Financial Institutions:
▪ Gramm-Leach-Bliley Act (GLBA)
▪ Privacy Act and Regulation P
▪ Fair Credit Reporting Act (FCRA)
▪ Fair and Accurate Credit Transactions Act (FACTA)
▪ Bank Secrecy Act
▪ State Laws – FL St. Section 655.059

Healthcare (applies to Business Associates):
▪ HIPAA
▪ HITECH Act

State Laws:
▪ Massachusetts – MA 201 CMR 17.00
▪ California – various


OTHER RISKS:

Audits
Bankruptcy
Litigation:
▪ e-discovery
Loss of leverage
Non-Negotiable Contracts
Tax Implications


Policies and Procedures:
▪ Clear and Up-To-Date
▪ Contingency Plan(s)

Thorough Due Diligence

Detailed Contract:
▪ Address “hidden” issues

Insurance:
▪ Request specific plan for storage and transmission of electronic data and information security (“Cyber Policy”)

Breach Preparation and Response


Research, adopt (adapt) and develop applicable policies and procedures

Appoint team and train: IT, accounting, business, legal and PR

PRACTICE, PRACTICE, PRACTICE

Review and Update:
▪ Learn from circumstances
▪ Periodic audits

Contingency Plans:
▪ Business Continuity Plan (BCP)
▪ Disaster Recovery
▪ “Exit Strategy”


KYV / KYP - Research and get to know your vendors (service providers)

Require applicable SSAE 16 SOC report

Gather internal/external team of knowledgeable professionals to conduct internal discussions to assess vulnerabilities, risks and needs (IT, accounting, business and legal)

Confirm qualifications

Ask questions of the vendor until you clearly understand

Run performance and security tests

Evaluate privacy and confidentiality concerns


Negotiate and Document “clear”:
▪ Terms and Conditions
▪ Notice and transition periods
▪ Scope of services
▪ Service levels (SLAs)
▪ Flexibility to add services and service levels
▪ Requirement of service provider to provide annual audit
▪ Requirement of service provider to provide additional / updated audit if services added to engagement
▪ Confidentiality
▪ Privacy and Security
▪ Encryption
▪ Data breach notification protocol
▪ Limitation on use of subcontractors
▪ Clear and complete force majeure clauses
▪ Representations and Warranties
▪ Indemnification
▪ Insurance requirements
▪ Termination provisions
▪ Remedy for breach


Monitor:
▪ Relationship with service providers
▪ Audits
▪ Services provided
▪ Service levels

Amendments:
▪ When applicable, timely add clear description of additional services and service levels


Security Breach Notification protocols:
▪ 46 of 50 states
▪ Fl. St. Section 817.5681

Breach notification process:
▪ Gather Team
▪ Investigate
▪ Evaluate
▪ Decide
▪ Proceed
▪ Provide notice and/or document files
▪ Report to regulators as applicable


Failure to comply can lead to:

Marketing issues and loss of market share

Regulatory issues:
▪ Warning notices and sanctions
▪ SEC data breach disclosure requirements

Professional liability claims

Added compliance costs

Reduced shareholder value

“DO NOT BE PENNY-WISE AND POUND FOOLISH.”


How to avoid a breach or failure to comply?

Implement, enhance and maintain a meaningful Vendor Management Program

Get knowledgeable counsel involved early


Kevin M. Levy, Esq. (klevy@gunster.com)

GUNSTER – FLORIDA’S LAW FIRM FOR BUSINESS

Banking & Financial Services

Business Litigation

Corporate

Environmental & Land Use

Immigration

International

Labor & Employment

Leisure & Resorts

Real Estate

Private Wealth Services

Probate, Trust & Guardianship Litigation

Securities

Tax

Technology & Entrepreneurial Companies

GUNSTER.COM | (305) 376-6094

FORT LAUDERDALE | JACKSONVILLE | MIAMI | OCEAN REEF | PALM BEACH | STUART | TALLAHASSEE | TAMPA | VERO BEACH | WEST PALM BEACH
