webinar slides: outsourcing services to a third party – privacy impacts and soc reporting


Upload: mayer-hoffman-mccann-pc

Post on 18-Nov-2014

DESCRIPTION

Join MHM for a rebroadcast of this presentation on Aug. 20. More information at http://www.mhm-pc.com. Taking advantage of opportunities to outsource services and functions to third party providers can create legal, compliance, due diligence and audit oversight challenges in an environment where privacy laws can vary by jurisdiction and be interpreted unpredictably. Even the most conscientious company can make a false step as it captures, uses, transfers, and discloses personal information with third party service providers. The extent of privacy laws, regulations and related compliance, security, control and breach reporting responsibilities can be daunting for any company. These challenges are further compounded when a company uses third party service providers. Because it is often impractical and not cost effective to perform their own onsite due diligence and oversight auditing, companies frequently seek assurance reporting from their third party service providers about their controls and privacy compliance as part of their due diligence and oversight.

TRANSCRIPT

Page 1: Webinar Slides: Outsourcing Services to a Third Party – Privacy Impacts and SOC Reporting

EXECUTIVE EDUCATION SERIES: Outsourcing Services to a Third Party – Privacy Impacts and SOC Reporting

Presented by: Shareholder John Robichaud and Guest Presenter Cynthia Larose of Mintz Levin

May 2, 2013

Page 2: Before We Get Started…

• To view this webinar in full screen mode, click on view options in the upper right hand corner.
• Click the Support tab for technical assistance.
• If you have a question during the presentation, please use the Q&A feature at the bottom of your screen.

Page 3: CPE Credit

• This webinar is eligible for CPE credit. To receive credit, you will need to answer periodic polling questions throughout the webinar.
• External participants will receive their CPE certificate via email immediately following the webinar.

Page 4: Today’s Presenters

John Robichaud, CPA, Shareholder, 617.761.0546 | [email protected]

Located in our Boston office, John specializes in service organization control (SOC) reporting, specialized agreed upon procedures, privacy, risk assessments and enterprise risk management, internal controls and project management. He works with a wide variety of clients — many from service organizations, nonprofits, financial services and technology industries.

Cynthia Larose, CIPP, Mintz Levin, 617.348.1732 | [email protected]

Cynthia is a Member of Mintz Levin’s Corporate & Securities Section, Chair of the Privacy & Security practice, and a Certified Information Privacy Professional (CIPP/US). Cynthia represents companies in information, communications, and technology, including e-commerce and other electronic transactions. She counsels clients through all stages of the “corporate lifecycle,” from start-ups through mid- and later-stage financings to IPO, and has broad experience in technology and business law, including online contracting issues, licensing, domain name issues, software development, and complex outsourcing transactions.

Page 5: About Mintz Levin

• Full-service, multi-disciplinary law firm
• 450 attorneys and senior professionals
• Offices across the country, and in the UK: Boston, New York, Washington, DC, Stamford, Los Angeles, San Diego, San Francisco, London
• Liaison office in Israel
• International network of contacts
• Government relations, public policy and real estate project development consulting affiliate – ML Strategies

Page 6: A Full-Service Firm

• Antitrust & Federal Regulation
• Bankruptcy, Restructuring & Commercial Law
• Communications
• Consumer Product Safety
• Corporate & Securities
• Corporate Compliance & Investigations
• Employment, Labor & Benefits
• Environmental Law
• Government Law & Contracts
• Health Law
• Immigration
• Intellectual Property
• International
• Litigation
• Privacy & Security
• Private Client
• Private Equity
• Project Development & Finance
• Public Finance
• Real Estate
• Tax
• White Collar Criminal Defense

Page 7: Representative Industries We Serve

• Construction
• Education
• Energy & Clean Technology
• Financial Services
• Health Care
• Insurance
• Internet & E-commerce
• Life Sciences
• Manufacturing
• Nonprofits
• Professional Services
• Real Estate
• Retail & Consumer Products
• Sports, Arts & Entertainment
• Technology, Communications & Media
• Transportation, Shipping & Logistics

Page 8: Today’s Agenda

1. Outsourcing Overview
2. Landscape and impact of privacy laws and regulations
3. Privacy compliance challenges and common pitfalls
4. Emerging privacy legal and regulatory compliance issues
5. Navigating reporting from third party service providers
6. AICPA Service Organization Control Reports
7. Trust Services

Page 9: OUTSOURCING OVERVIEW

Opportunities, Reasons, Benefits and Challenges

Page 10: Outsourcing Overview - Opportunities

Continually growing wide range of opportunities for organizations to outsource, including:

• Payroll
• Human resources and benefits administration
• Accounting
• Printing distribution
• Warehousing and fulfillment
• Call center and customer support
• Data center and application hosting
• Software as a Service
• Platform as a Service
• Infrastructure as a Service

Page 11: Outsourcing Overview – Reasons and Benefits

Many reasons and benefits, including:

• Pressure to reduce costs
• Leverage experts specialized in the outsourced service offering
• Potential availability of more sophisticated resources
• Availability of a virtual workforce
• Meet short-term demands or needs
• Lack of resources to support a business process or function

Page 12: Outsourcing Overview – Challenges

• Due Diligence
• Compliance
• Oversight

Page 13: LANDSCAPE AND IMPACT OF PRIVACY LAWS AND REGULATIONS

Page 14: Privacy Laws and Regulations

Compelled disclosure to the government:

• Electronic Communications Privacy Act (ECPA) 1986
  • Protects electronic communications from disclosure while in transit and while held in storage
  • Different levels of protection based on outdated distinctions on storage, such as "electronic storage" or storage by a "remote computing service", or on how old the data is
• Stored Communications Act (SCA)
• USA Patriot Act
  • Enacted in 2001, amended in 2005
  • Allows FBI access to certain business records with a court order
  • National Security Letters can also obtain records
• Warrants and Subpoenas

Page 15: Privacy Laws and Regulations

Data security issues and data breach notification: certain federal laws and regulations impose industry-specific data security or breach notification obligations

• Educational institutions – Family Educational Rights and Privacy Act (FERPA)
• Financial institutions – Gramm-Leach-Bliley Act (GLBA): prevent disclosure of non-public personal information
• Health care – Health Insurance Portability and Accountability Act (HIPAA) and HITECH

Page 16: Privacy Laws and Regulations

• Payment Card Industry (PCI) Data Security Standard (DSS): prevent disclosure of online credit card and account information
• FTC Breach Disclosure Requirement: Section 5 of the FTC Act
• Clinical Laboratory Improvement Amendments (CLIA): applies to health care organizations
• NYSE Rule 340

Page 17: Privacy Laws and Regulations Continued

• FDIC: meet regulatory requirements around core vendors
• Publicly traded companies – Sarbanes-Oxley (SOX)
• Generally, an entity cannot contract away its obligation to comply with these industry-specific regimes
• State laws and regulations: avoid requirements to disclose data compromised at a vendor
  • Depending on where your organization does business
  • Examples: MA, CA, TX, and MI have their own privacy and security laws

Page 18: PRIVACY COMPLIANCE CHALLENGES AND COMMON PITFALLS

Page 19: Why Monitor? Why Not?

Assuming Third Party Vendors Are Covering Compliance Issues

Under many privacy laws, there is no formal compliance violation if a company fails to monitor the activities of its vendors. A "voluntary" obligation to monitor creates risk for the company, which has committed to follow through even if its oversight turns out not to be effective.

Case study: A medical transcriptionist in Pakistan threatened to post patient names and information on the Internet unless given better pay. The story received global coverage, resulting in serious reputational damage to the hospital.

Page 20: Common Pitfalls and Repercussions

Lack of standard process

Case study: A Ponemon Institute study revealed a difference in view between cloud providers and users about who is primarily responsible for security in the cloud. 69% of third party vendors saw their users as responsible for their own security. Only 35% of these users saw themselves as responsible.

This confusion about who is responsible for data security leads users to complacent behavior.

Failure to manage vendors

Companies spend millions on their own internal compliance challenges but provide all the same info to vendors. Vendors could give low priority to safeguarding this information.

Page 21: Common Pitfalls and Repercussions

Volume of vendors

Simply keeping track of all privacy information spurs a concern for errors and breaches.

Larger vendors dealing with a substantial volume of personal data face higher risks than vendors with more manageable information.

Mitigation issues

How will a company interact if a vendor breaches privacy?

Vendors should be contractually committed to take all reasonable action dictated by the company.

Page 22: Common Pitfalls and Repercussions

New HIPAA Omnibus Rule

If you handle protected health information, you have HIPAA liability.

HIPAA breaches generate severe negative publicity, not to mention fines and civil penalties – also possible class actions.

Many lawsuits have been filed against healthcare providers that breach PHI, and they can seek damages in the millions.

Total breach costs have grown every year since 2006.

Page 23: Failure to do Third Party Due Diligence

What if the vendor goes out of business?

Does the third party have a disaster recovery plan?

What is the vendor’s identity theft protection plan?

Page 24: EMERGING PRIVACY LEGAL AND REGULATORY COMPLIANCE ISSUES

Page 25: Cloud

If a company stores information in the cloud, it faces the threat of FTC enforcement if its representations to consumers about where and how information is stored and secured do not match its actual practices.

• Who owns data in the cloud?
• Can a cloud provider use the data for its own purposes?
• Under what circumstances can the customer obtain a copy of information stored in the cloud?
• What happens when service to the cloud is interrupted?

Page 26: Cloud

CONTRACT!

Almost all issues can be dealt with contractually:

• Where data is stored
• What security standards the cloud provider adheres to
  • Segregated data
  • Does the cloud conform to industry standards?
  • Do outside auditors confirm its security practices?
• Who is liable for a data breach
• Regulatory compliance and indemnification responsibilities
• Ownership/control of information and cloud maintenance

Page 27: Off Shore Vendors

Problems associated with digital technology

• Internet file sharing networks make it much easier to trade secrets, proprietary products, plans and schematics
• Much of this theft takes place outside of the United States
• Vendors may be "offshore"
• Creates the perception that U.S. privacy rules do not apply in other countries (see the Pakistani case study)
• Companies must evaluate how best to enforce contractual obligations

KNOW YOUR VENDOR

Page 28: Vendor Assessment

“Ignorance is not a valid defense”

Regulators and executive management expect you to understand, manage, and reduce risk.

Perform a cost/benefit analysis when choosing a provider.

Ask: What is the reputational risk to your company if something goes wrong? How sensitive is this stored data?

• Average cost per record: $198
• Average incident: $6.3 million

Page 29: Looking Ahead

Use of third-party vendors for business functions has become a standard business practice, but security still varies greatly.

Organizations must be extremely vigilant in assessing risks to their data even if it resides at a vendor location.

Ask: "Once we share our information assets with third-party vendors, will we still be in compliance?"

You MUST vet your vendors and carefully monitor their security/privacy control environments over an extended period of time.

Page 30: NAVIGATING REPORTING FROM THIRD PARTY SERVICE PROVIDERS

Due Diligence and Oversight Compliance Challenges, and Relying on Reporting from Service Providers

Page 31: Reporting from Third Party Service Providers

Performing due diligence and compliance oversight at third party service providers can be a challenge or impractical because of:

• Limited management and resource bandwidth
• Cost
• Timing
• Contractual restrictions

Organizations often end up needing to rely on reporting provided by the third party service provider.

Page 32: Reporting from Third Party Service Providers

• Internally prepared reports and self assessments
• Certifications
• Seals
• Externally prepared reports and assessments against an alphabet soup of standards, including: PCI DSS, ISO, FISMA, NIST, HIPAA
• AICPA Service Organization Control (SOC) Reports

Page 33: AICPA SERVICE ORGANIZATION CONTROLS REPORTS

SOC 1 -3 Reports

Page 34: AICPA SOC Reports

• SOC1 versus SOC2 versus SOC3 and option for web site seal
• Type 1 point in time versus Type 2 operating period examinations and reports
• Trust Services Security, Availability, Processing Integrity, Confidentiality and Privacy Principles and Criteria

Page 35: SOC 1 – 3 Reports

• SOC1 – Report on Controls at a Service Organization Relevant to User Entities’ Internal Controls Over Financial Reporting – replacement of SAS 70 and performed under SSAE 16
• SOC2 – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy in accordance with AT Section 101 and Trust Services Principles, Criteria and Illustrated Controls in TSP section 100 (long form report)
• SOC3 – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy in accordance with AT Section 101 and Trust Services Principles, Criteria and Illustrated Controls in TSP section 100 (short form report with web site seal option)

Page 36: SOC 1

Internal control over financial reporting. Scope includes:

• Classes of transactions
• Procedures for processing and reporting transactions
• Accounting records of the system
• Handling significant events and conditions other than transactions
• Report preparation for users
• Other aspects relevant to processing and reporting user transactions

Page 37: SOC1 - Continued

• Covers transaction processing controls, and supporting information technology controls relevant to the financial transaction processing and reporting services
• Based on control objectives that are defined by the service provider and can vary depending on the type of service provided
• Restricted report – intended solely for the information and use of the service provider, their user entities (customers) and the user entities’ auditor in planning their audit of the user entity

Page 38: SOC2

Operational controls. Scope includes:

• Infrastructure
• Procedures
• People
• Data

Covers any one or combination of the Trust Services Security, Availability, Processing Integrity, Confidentiality and Privacy Principles and Criteria.

Page 39: SOC2 - Continued

• Intended to meet the needs of a broad range of users that need information and assurance about controls at a service provider that affect security, availability, processing integrity, confidentiality and privacy
• Restricted report with a broader range of intended users, including:
  • Existing users
  • Prospective users
  • Regulators
  • Business partners
• Endorsed by the Cloud Security Alliance

Page 40: SOC3

• Covers the same individual and combined Trust Services Principles and Criteria as SOC2
• Does not include a detailed description of the design of controls or of the tests of controls performed by the service auditor
• Provides a service auditor’s opinion on whether the service provider maintains effective controls over its systems
• Unrestricted report intended for users that don’t require a more thorough report
• Web site seal option if there are no carved-out subservice providers and an unqualified opinion

Page 41: Type 1 versus Type 2

Type 1 is a point in time examination and report opining on the suitability of design of controls and description, with no test of operating effectiveness of controls.

Type 2 is an examination and report opining on the suitability of design of controls and description, and on the operating effectiveness of controls, with reported tests and results covering a period of time, which is:

• Six months or greater for a SOC1
• Two months or greater for a SOC2 and SOC3
• Based on the usability of the coverage period for the intended recipients of the report

Page 42: TRUST SERVICES

Security, Availability, Processing Integrity, Confidentiality and Privacy Principles and Criteria

(Framework for SOC2 and SOC3 Reporting)

Page 43: Trust Services Principles and Criteria

Security, Availability, Processing Integrity, Confidentiality and Privacy Principles and Criteria address risks and controls of IT enabled systems and privacy programs with illustrated benchmark control best practices.

Page 44: Trust Services Principles and Criteria Continued

• Policies – The service provider has defined and documented its policies particular to each principle, which address management’s intent, objectives, requirements, responsibilities and standards.
• Communication – The service provider has communicated its defined policies to responsible parties and users of the system.
• Procedures – The service provider has placed procedures into operation to achieve its principles in accordance with its defined policies.
• Monitoring – The service provider monitors the system and takes action to maintain compliance with its defined policies.

Page 45: Trust Services Principles and Criteria Continued

• Security – The system is protected against unauthorized access (both physical and logical).
• Availability – The system is available for operation and use as committed and agreed.
• Processing Integrity – System processing is complete, accurate, timely and authorized.
• Confidentiality – Information designated as confidential is protected as committed or agreed.
• Privacy – Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in the AICPA’s and CICA’s Generally Accepted Privacy Principles.

Page 46: Security

• Most commonly requested area of coverage
• Security criteria are also included in the other principles, because security controls are inherently critical parts of effective availability, processing integrity, confidentiality and privacy controls
• Applicable to all outsourced environments, particularly when enterprise users require assurance regarding the service provider’s security controls for any system, and for nonfinancial or financial services

Page 47: Security Continued

• IT security policy
• Security awareness and communication
• Risk assessment
• Logical access
• Physical access
• Security monitoring
• User authentication
• Incident management
• Asset classification and management
• System development and maintenance
• Personnel security
• Configuration management
• Change management
• Monitoring and compliance

Page 48: Availability

• Commonly requested area of coverage, particularly where availability, disaster recovery and business continuity management are provided as critical parts of the service provider’s standard service offering.
• Most applicable where enterprise users require assurance regarding processes to achieve system availability service level agreements, as well as disaster recovery and business continuity management, which cannot be covered as part of a SOC1 report.

Page 49: Availability Continued

• Includes security criteria
• Availability policy
• Backup and restoration
• Environmental controls
• Disaster recovery
• Business continuity management

Page 50: Processing Integrity

• Potentially applicable for a wide variety of non-financial and financial services wherever assurance is required as to the completeness, accuracy, timeliness and authorization of system processing
• Includes security criteria
• System processing integrity policies
• Completeness, accuracy, timeliness and authorization of inputs, system processing and outputs
• Information tracing from source to disposition

Page 51: Confidentiality

Most applicable where the user requires additional assurance regarding the service provider’s practices for protecting sensitive business information

• Includes security criteria
• Confidentiality policy
• Confidentiality of inputs
• Confidentiality of data processing
• Confidentiality of outputs
• Information disclosures, including to third parties
• Confidentiality of information in systems development

Page 52: Privacy

• Most applicable where the service provider interacts directly with end users and gathers their personal information
• Can also be performed when the service provider is a secondary or intermediary recipient of personal information, but requires more complicated disclosures in regard to the span of responsibilities for personal information between all involved parties
• Provides a vehicle for demonstrating the effectiveness of a service provider’s controls for maintaining the privacy of information

Page 53: Privacy Continued

• Management
• Notice
• Choice and consent
• Collection
• Use and retention
• Access
• Disclosure to third parties
• Quality
• Monitoring and enforcement

Page 54: Ziptr

• Provides secure encrypted email service
• 2011–2012 SOC3 on security and confidentiality
• 2012–2013 SOC2 on security, confidentiality and privacy

Page 55: Questions?

Page 56: If You Enjoyed This Webinar…

Join us for these related EES courses:

• June 27: Accounting and Finance Issues of Technology Companies
• August 20: Outsourcing Services to a Third Party — Privacy Impacts and Service Organization Control Reporting

Read this related MHM Messenger:

• MHM Messenger 23-12: Evolving Business Practices Spur Transition from SAS 70 to SOC Reports

Page 57: Today’s Presenters

John Robichaud, CPA, Shareholder, 617.761.0546 | [email protected]

Cynthia Larose, CIPP, Mintz Levin, 617.348.1732 | [email protected]

Page 58: Connect with Mayer Hoffman McCann

• linkedin.com/company/mayer-hoffman-mccann-p.c.
• @mhm_pc
• youtube.com/mayerhoffmanmccann
• gplus.to/mhmpc
• blog.mhm-pc.com
• slideshare.net/mhmpc
• facebook.com/mhmpc