Webinar Slides: Outsourcing Services to a Third Party – Privacy Impacts and SOC Reporting
DESCRIPTION
Join MHM for a rebroadcast of this presentation on Aug. 20. More information at http://www.mhm-pc.com. Taking advantage of opportunities to outsource services and functions to third party providers can create legal, compliance, due diligence and audit oversight challenges in an environment where privacy laws can vary by jurisdiction and be interpreted unpredictably. Even the most conscientious company can make a false step as it captures, uses, transfers, and discloses personal information with third party service providers. The extent of privacy laws, regulations and related compliance, security, control and breach reporting responsibilities can be daunting for any company. These challenges are further compounded when a company uses third party service providers. Because it is often impractical and not cost effective to perform their own onsite due diligence and oversight auditing, companies frequently seek assurance reporting from their third party service providers about their controls and privacy compliance as part of their due diligence and oversight.
TRANSCRIPT
EXECUTIVE EDUCATION SERIES: Outsourcing Services to a Third Party –
Privacy Impacts and SOC Reporting
Presented by: Shareholder John Robichaud and Guest Presenter Cynthia Larose of Mintz Levin
May 2, 2013
Co-presented by 2 #MHMwebinar ‹#›
Before We Get Started…
• To view this webinar in full screen mode, click on view options in the upper right hand corner.
• Click the Support tab for technical assistance.
• If you have a question during the presentation, please use the Q&A feature at the bottom of your screen.
CPE Credit
• This webinar is eligible for CPE credit. To receive credit, you will need to answer periodic polling questions throughout the webinar.
• External participants will receive their CPE certificate via email immediately following the webinar.
Today’s Presenters
John Robichaud, CPA, Shareholder, 617.761.0546 | [email protected] – Located in our Boston office, John specializes in service organization control (SOC) reporting, specialized agreed upon procedures, privacy, risk assessments and enterprise risk management, internal controls and project management. He works with a wide variety of clients — many from service organizations, nonprofits, financial services and technology industries.
Cynthia Larose, CIPP, Mintz Levin, 617.348.1732 | [email protected] – Cynthia is a Member of Mintz Levin’s Corporate & Securities Section, Chair of the Privacy & Security practice, and a Certified Information Privacy Professional (CIPP/US). Cynthia represents companies in information, communications, and technology, including e-commerce and other electronic transactions. She counsels clients through all stages of the “corporate lifecycle,” from start-ups through mid- and later-stage financings to IPO, and has broad experience in technology and business law, including online contracting issues, licensing, domain name issues, software development, and complex outsourcing transactions.
About Mintz Levin
• Full-service, multi-disciplinary law firm
• 450 attorneys and senior professionals
• Offices across the country, and in the UK: Boston, New York, Washington, DC, Stamford, Los Angeles, San Diego, San Francisco, London
• Liaison office in Israel
• International network of contacts
• Government relations, public policy and real estate project development consulting affiliate – ML Strategies
A Full-Service Firm
• Antitrust & Federal Regulation
• Bankruptcy, Restructuring & Commercial Law
• Communications
• Consumer Product Safety
• Corporate & Securities
• Corporate Compliance & Investigations
• Employment, Labor & Benefits
• Environmental Law
• Government Law & Contracts
• Health Law
• Immigration
• Intellectual Property
• International
• Litigation
• Privacy & Security
• Private Client
• Private Equity
• Project Development & Finance
• Public Finance
• Real Estate
• Tax
• White Collar Criminal Defense
Representative Industries We Serve
• Construction
• Education
• Energy & Clean Technology
• Financial Services
• Health Care
• Insurance
• Internet & E-commerce
• Life Sciences
• Manufacturing
• Nonprofits
• Professional Services
• Real Estate
• Retail & Consumer Products
• Sports, Arts & Entertainment
• Technology, Communications & Media
• Transportation, Shipping & Logistics
Today’s Agenda
1. Outsourcing Overview
2. Landscape and impact of privacy laws and regulations
3. Privacy compliance challenges and common pitfalls
4. Emerging privacy legal and regulatory compliance issues
5. Navigating reporting from third party service providers
6. AICPA Service Organization Control Reports
7. Trust Services
OUTSOURCING OVERVIEW
Opportunities, Reasons, Benefits and Challenges
Outsourcing Overview - Opportunities
A continually growing range of opportunities for organizations to outsource, including:
• Payroll
• Human resources and benefits administration
• Accounting
• Printing and distribution
• Warehousing and fulfillment
• Call center and customer support
• Data center and application hosting
• Software as a Service
• Platform as a Service
• Infrastructure as a Service
Outsourcing Overview – Reasons and Benefits
Many reasons and benefits, including:
• Pressure to reduce costs
• Leverage experts specialized in the outsourced service offering
• Potential availability of more sophisticated resources
• Availability of a virtual workforce
• Meet short-term demands or needs
• Lack of resources to support a business process or function
Outsourcing Overview – Challenges
• Due Diligence
• Compliance
• Oversight
LANDSCAPE AND IMPACT OF PRIVACY LAWS AND REGULATIONS
Privacy Laws and Regulations
Compelled disclosure to the government:
• Electronic Communications Privacy Act (ECPA) 1986
  – Protects electronic communications from disclosure while in transit and while held in storage
  – Different levels of protection based on outdated distinctions on storage, such as "electronic storage" or storage by a "remote computing service", or on how old the data is
• Stored Communications Act (SCA)
• USA Patriot Act
  – Enacted in 2001, amended in 2005
  – Allows FBI access to certain business records with a court order
  – National Security Letters can also obtain records
• Warrants and Subpoenas
Privacy Laws and Regulations
Data security issues and data breach notification: certain federal laws and regulations impose industry-specific data security or breach notification obligations
• Educational institutions – Family Educational Rights and Privacy Act (FERPA)
• Financial institutions – Gramm-Leach-Bliley Act (GLBA)
  – Prevents disclosure of non-public personal information
• Health care – Health Insurance Portability and Accountability Act (HIPAA) and HITECH
Privacy Laws and Regulations
• Payment Card Industry (PCI) Data Security Standard (DSS)
  – Prevents disclosure of online credit card and account information
• FTC breach disclosure requirement
  – Section 5 of the FTC Act
• Clinical Laboratory Improvement Amendments (CLIA)
  – Applies to health care organizations
• NYSE Rule 340
Privacy Laws and Regulations Continued
• FDIC – Meet regulatory requirements around core vendors
• Publicly traded companies – Sarbanes-Oxley (SOX)
• Generally, an entity cannot contract away its obligation to comply with these industry-specific regimes
• State laws and regulations
  – Avoid requirements to disclose data compromised at a vendor
  – Depending on where your organization does business
  – Examples: MA, CA, TX, and MI have their own privacy and security laws
PRIVACY COMPLIANCE CHALLENGES AND COMMON PITFALLS
Why Monitor? Why Not?
Assuming Third Party Vendors Are Covering Compliance Issues
• Under many privacy laws, there is no formal compliance violation if a company fails to monitor the activities of its vendors. A "voluntary" obligation to monitor creates risks for the company, which commits to follow through if oversight is not effective.
• Case study: A medical transcriptionist in Pakistan threatened to post patient names and information on the Internet unless given better pay. The story received global coverage, resulting in serious reputational damage to the hospital.
Common Pitfalls and Repercussions
• Lack of standard process
  – Case study: A Ponemon Institute study revealed a difference in view between cloud providers and users about who is primarily responsible for security in the cloud. 69% of third party vendors saw their users as responsible for their own security. Only 35% of these users saw themselves as responsible.
  – This confusion about who is responsible for data security leads users to complacent behavior.
• Failure to manage vendors
  – Companies spend millions on their own internal compliance challenges but provide all the same info to vendors.
  – Vendors could give low priority to safeguarding this information.
Common Pitfalls and Repercussions
• Volume of vendors
  – Simply keeping track of all privacy information spurs a concern for errors/breaches.
  – Larger vendors dealing with a substantial volume of personal data face higher risks than other vendors with more manageable information.
• Mitigation issues
  – How will a company interact if a vendor breaches privacy?
  – Vendors should be contractually committed to take all reasonable action dictated by the company.
Common Pitfalls and Repercussions
• New HIPAA Omnibus Rule
  – If you handle protected health information, you have HIPAA liability
  – HIPAA breaches generate severe negative publicity, not to mention fines and civil penalties – also possible class actions.
  – Many lawsuits seeking damages in the millions have been filed against healthcare providers that breach PHI.
  – Total breach costs have grown every year since 2006.
Failure to do Third Party Due Diligence
• What if the vendor goes out of business?
• Does the third party have a disaster recovery plan?
• What is the vendor’s identity theft protection plan?
EMERGING PRIVACY LEGAL AND REGULATORY COMPLIANCE ISSUES
Cloud
• If a company stores information in the cloud, it faces the threat of FTC enforcement if its representations to consumers about where/how information is stored and secured do not match its actual practices
• Who owns data in the cloud?
• Can a cloud provider use the data for its own purposes?
• Under what circumstances can the customer obtain a copy of information stored in the cloud?
• What happens when service to the cloud is interrupted?
Cloud
CONTRACT!
Almost all issues can be dealt with contractually:
• Where data is stored
• What security standards the cloud provider adheres to
  – Segregated data
  – Does the cloud conform to industry standards?
  – Do outside auditors confirm its security practices?
• Who is liable for a data breach
• Regulatory compliance and indemnification responsibilities
• Ownership/control of information and cloud maintenance
Off Shore Vendors
• Problems associated with digital technology
  – Internet file sharing networks make it much easier to steal trade secrets, proprietary products, plans and schematics
  – Much of the theft takes place outside of the United States
• Vendors may be "offshore"
  – Creates the perception that U.S. privacy rules do not apply to other countries (see Pakistani case study)
  – Companies must evaluate how best to enforce contractual obligations
KNOW YOUR VENDOR
Vendor Assessment
“Ignorance is not a valid defense”
• Regulators and executive management expect you to understand, manage, and reduce risk.
• Perform a cost/benefit analysis when choosing a provider.
• Ask: What is the reputational risk to your company if something goes wrong? How sensitive is this stored data?
• Average cost per record: $198
• Average incident: $6.3 million
Looking Ahead
• Use of third-party vendors for business functions has become a standard business practice, but security still varies greatly.
• Organizations must be extremely vigilant in assessing risks to their data even if the data reside at a vendor location.
• Ask: "Once we share our information assets with third-party vendors, will we still be in compliance?"
• You MUST vet your vendors and carefully monitor their security/privacy control environments over an extended period of time.
NAVIGATING REPORTING FROM THIRD PARTY SERVICE PROVIDERS
Due Diligence and Oversight Compliance Challenges, and Relying on Reporting from Service Providers
Reporting from Third Party Service Providers
Performing due diligence and compliance oversight at third party service providers can be a challenge or impractical because of:
• Limited management and resource bandwidth
• Cost
• Timing
• Contractual restrictions
Organizations often end up needing to rely on reporting provided by the third party service provider.
Reporting from Third Party Service Providers
• Internally prepared reports and self assessments
• Certifications
• Seals
• Externally prepared reports and assessments against an alphabet soup of standards, including: PCI DSS, ISO, FISMA, NIST, HIPAA
• AICPA Service Organization Control (SOC) Reports
AICPA SERVICE ORGANIZATION CONTROLS REPORTS
SOC 1 -3 Reports
AICPA SOC Reports
• SOC1 versus SOC2 versus SOC3, and option for web site seal
• Type 1 point in time versus Type 2 operating period examinations and reports
• Trust Services Security, Availability, Processing Integrity, Confidentiality and Privacy Principles and Criteria
SOC 1 – 3 Reports
• SOC1 – Report on Controls at a Service Organization Relevant to User Entities’ Internal Controls Over Financial Reporting – replacement of SAS 70 and performed under SSAE 16
• SOC2 – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy in accordance with AT Section 101 and Trust Services Principles, Criteria and Illustrated Controls in TSP section 100 (long form report)
• SOC3 – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy in accordance with AT Section 101 and Trust Services Principles, Criteria and Illustrated Controls in TSP section 100 (short form report with web site seal option)
SOC 1
Internal control over financial reporting. Scope includes:
• Classes of transactions
• Procedures for processing and reporting transactions
• Accounting records of the system
• Handling significant events and conditions other than transactions
• Report preparation for users
• Other aspects relevant to processing and reporting user transactions
SOC1 - Continued
• Covers transaction processing controls, and supporting information technology controls relevant to the financial transaction processing and reporting services
• Based on control objectives that are defined by the service provider and can vary depending on the type of service provided
• Restricted report – intended solely for the information and use of the service provider, their user entities (customers) and the user entities’ auditors in planning their audit of the user entity
SOC2
Operational controls. Scope includes:
• Infrastructure
• Procedures
• People
• Data
Covers any one or combination of the Trust Services Security, Availability, Processing Integrity, Confidentiality and Privacy Principles and Criteria
SOC2 - Continued
• Intended to meet the needs of a broad range of users that need information and assurance about controls at a service provider that affect security, availability, processing integrity, confidentiality and privacy
• Restricted report with a broader range of intended users, including:
  – Existing users
  – Prospective users
  – Regulators
  – Business partners
• Endorsed by the Cloud Security Alliance
SOC3
• Covers the same individual and combined Trust Services Principles and Criteria as SOC2
• Does not include a detailed description of the design of controls or of the tests of controls performed by the service auditor
• Provides a service auditor’s opinion on whether the service provider maintains effective controls over its systems
• Unrestricted report intended for users that don’t require a more thorough report
• Web site seal option if there are no carved-out subservice providers and an unqualified opinion
Type 1 versus Type 2
• Type 1 is a point in time examination and report opining on the suitability of design of controls and the description, with no test of operating effectiveness of controls.
• Type 2 is an examination and report opining on the suitability of design of controls and the description, and on the operating effectiveness of controls, with reported tests and results covering a period of time, which is:
  – Six months or greater for a SOC1
  – Two months or greater for a SOC2 and SOC3
  – Based on the usability of the coverage period for the intended recipients of the report
TRUST SERVICES
Security, Availability, Processing Integrity, Confidentiality and Privacy Principles and Criteria
(Framework for SOC2 and SOC3 Reporting)
Trust Services Principles and Criteria
Security, Availability, Processing Integrity, Confidentiality and Privacy Principles and Criteria address risks and controls of IT enabled systems and privacy programs with illustrated benchmark control best practices.
Trust Services Principles and Criteria Continued
• Policies – The service provider has defined and documented its policies particular to each principle, which address management’s intent, objectives, requirements, responsibilities and standards.
• Communication – The service provider has communicated its defined policies to responsible parties and users of the system.
• Procedures – The service provider has placed procedures into operation to achieve its principles in accordance with its defined policies.
• Monitoring – The service provider monitors the system and takes action to maintain compliance with its defined policies.
Trust Services Principles and Criteria Continued
• Security – The system is protected against unauthorized access (both physical and logical).
• Availability – The system is available for operation and use as committed and agreed.
• Processing Integrity – System processing is complete, accurate, timely and authorized.
• Confidentiality – Information designated as confidential is protected as committed or agreed.
• Privacy – Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in the AICPA’s and CICA’s Generally Accepted Privacy Principles.
Security
• Most commonly requested area of coverage
• Security criteria are also included in the other principles because security controls are inherent, critical parts of effective availability, processing integrity, confidentiality and privacy controls
• Applicable to all outsourced environments, particularly when enterprise users require assurance regarding the service provider’s security controls for any system and any nonfinancial or financial service
Security Continued
• IT security policy
• Security awareness and communication
• Risk assessment
• Logical access
• Physical access
• Security monitoring
• User authentication
• Incident management
• Asset classification and management
• System development and maintenance
• Personnel security
• Configuration management
• Change management
• Monitoring and compliance
Availability
• Commonly requested area of coverage, particularly where availability, disaster recovery and business continuity management are provided as critical parts of the service provider’s standard service offering.
• Most applicable where enterprise users require assurance regarding processes to achieve system availability service level agreements as well as disaster recovery and business continuity management, which cannot be covered as part of a SOC1 report.
Availability Continued
• Includes security criteria
• Availability policy
• Backup and restoration
• Environmental controls
• Disaster recovery
• Business continuity management
Processing Integrity
• Potentially applicable for a wide variety of nonfinancial and financial services wherever assurance is required as to the completeness, accuracy, timeliness and authorization of system processing
• Includes security criteria
• System processing integrity policies
• Completeness, accuracy, timeliness and authorization of inputs, system processing and outputs
• Information tracing from source to disposition
Confidentiality
• Most applicable where the user requires additional assurance regarding the service provider’s practices for protecting sensitive business information
• Includes security criteria
• Confidentiality policy
• Confidentiality of inputs
• Confidentiality of data processing
• Confidentiality of outputs
• Information disclosures, including to third parties
• Confidentiality of information in systems development
Privacy
• Most applicable where the service provider interacts directly with end users and gathers their personal information
• Can also be performed when the service provider is a secondary or intermediary recipient of personal information, but this requires more complicated disclosures regarding the span of responsibilities for personal information between all involved parties
• Provides a vehicle for demonstrating the effectiveness of a service provider’s controls for maintaining the privacy of information
Privacy Continued
• Management
• Notice
• Choice and consent
• Collection
• Use and retention
• Access
• Disclosure to third parties
• Quality
• Monitoring and enforcement
Ziptr
• Provides secure encrypted email service
• 2011–2012 SOC3 on security and confidentiality
• 2012–2013 SOC2 on security, confidentiality and privacy
Questions?
If You Enjoyed This Webinar…
Join us for these related EES courses:
• June 27: Accounting and Finance Issues of Technology Companies
• August 20: Outsourcing Services to a Third Party — Privacy Impacts and Service Organization Control Reporting
Read this related MHM Messenger:
• MHM Messenger 23-12: Evolving Business Practices Spur Transition from SAS 70 to SOC Reports
Connect with Mayer Hoffman McCann
linkedin.com/company/ mayer-hoffman-mccann-p.c.
@mhm_pc
youtube.com/ mayerhoffmanmccann
gplus.to/mhmpc
blog.mhm-pc.com
slideshare.net/mhmpc
facebook.com/mhmpc