The report is the
output of the OECD's peer review process which is designed to facilitate
effective implementation of the OECD Principles and to assist market
participants, regulators and policy makers.The process covers the corporate governance framework and practices relating
to corporate risk management of the 26 jurisdictions that participate in the
OECD Corporate Governance Committee. Its
findings are based on general survey responses from participating jurisdictions
as well as an in-depth review of corporate risk management practices in Norway,
Singapore and Switzerland.
The report, which
analysed both private sector and state-owned enterprises, found that "while risk-taking is a fundamental driving
force in business and entrepreneurship, the cost of risk management failures is
still often underestimated, both externally and internally, including the cost
in terms of management time needed to rectify the situation."Risk governance standards tend to be very
high-level.This limits their practical usefulness,
says the OECD, as they should be more operational.And in the nonfinancial sectors, risk
management is less prevalent. "Outsourcing- and supplier-related risks
...deserve attention in both the financial and the nonfinancial sector."
The effectiveness of
an enterprise's risk management culture can be critical to an organisation's
success (or failure).The OECD lists accounting frauds (Olympus,
Enron, WorldCom, Satyam, Parmalat), foreign bribery cases (Siemens) and
environmental catastrophes (Deep Water Horizon, Fukushima) to demonstrate that
the headlines are not restricted to the financial sector; cases where wrong-doing
was compounded by corporate governance failure and deficient risk management
systems, with company boards which failed to fully appreciate the risks that
the companies were taking (if they were not engaging in reckless risk-taking
The typical modern
enterprise has a complex supply chain with a multitude of third party and
outsourced relationships.In the
absence of an adequate risk management and assurance framework, says the OECD, reliance
on these outsourced and third party relationships can quickly contaminate the
organisation, especially if "only lip
service only is paid to important parts of the company's value chain that are
outsourced".A risk management
framework should address all dependence on key suppliers or joint venture
partners, with particular sensitivity to suppliers or other third parties
located in countries that may follow different standards from the home country.Companies with diverse, global supply chains
should operationalise strategies to cope with the risks which result from a
lack of control over their suppliers and contractors spread out across various parts
of the world.
Given high profile
supplier failures such as Satyam Computer Services (subsequently rescued by Mahindra
Group although not before several significant customers including Merrill Lynch
(now a part of Bank of America) and State Farm Insurance terminated their
contracts with Satyam), as well as headline hitting events such as factory
fires and a building collapse in Bangladesh, companies should ensure that third
party supplier risk management is given adequate resource and attention,
including examining available insurance and other mitigation strategies such as
dual sourcing, supplier assessments, contract compliance reviews, exit
strategies and stress testing contractual remedies, where these have been
negotiated, such as step-in rights and exit plans.
head of the UK's Financial Conduct Authority, Chief Executive Martin Wheatley,
used a speech at Bloomberg, London given on 3 June 2014 to promote the FCA's
Project Innovate (the drafted text of Martin Wheatley's speech can be read at http://www.fca.org.uk/news/making-innovation-work).The FCA is the regulatory body that,
following reforms introduced by the Financial Services Act 2012, succeeded the
Financial Services Authority. It has supervisory powers over the conduct of
over 50,000 financial services firms in the UK, and authority to regulate the
prudential standards of those firms not covered by the Prudential Regulation
Authority. The PRA regulates deposit takers, insurers and significant
Innovate is intended to allow financial services firms to develop innovative
products for consumers.This has been
generally well received, with Wheatley describing Innovate as "an agreement to
grant waivers to products that do not necessarily follow FCA guidance to the
letter" where firms can show better outcomes for consumers.Part of the driving force behind Innovate,
which will resonate with business leaders across the UK, is to prevent good
products from drowning in the "overwhelming red tape that is inevitable as
we introduce more regulation, not just at UK but at a European level."
the need for regulators to keep pace with new technologies, rather than - as
present - running to catch up, and a desire for a regulatory environment that
supports innovation rather than acting as an entry barrier, Wheatley singled
out mobile banking, online investment and money transfer as priority areas, and
the emergence of London-based innovative companies such as WorldRemit,
Monitise, TransferWise and Nutmeg. Wheatley went on to cite digitalisation, big
data analytics, venture capital, virtual currencies, crowd funding and
peer-to-peer as important, transformational areas.
firms and start-ups can, in particular, be expected to benefit from the
Innovate approach which will encourage collaboration with the FCA in order to
develop new technologies that are compliant from day one, with a regulatory
environment that, instead of acting as a "drag anchor" supports innovation and
encourages the "brightest and most innovative companies to enter the sector".
Whether this marks a shift in the FCA's approach to digital currencies, such as
bitcoin, remains to be seen, with the regulator so far having kept a wide
probably too early to call a trend (more evolution than revolution) but this
initiative shows promising signs, with Wheatley recognising, and taking steps
to bolster, London's leading position in the European market in financial
technology (Wheatley cites growth of global investment in financial technology
having tripled over the 5 years to 2013 up to $2.9bn, with UK and Ireland the
fastest growing incubators, developing at an annual rate of 74% since 2008,
compared with 23% in Silicon Valley).A
single paper and a wider FCA consultation on potential handbook changes are due
later this year.In the meantime, the
FCA has started to engage with business including a number of start-ups and
organisations such as Tech City and Level 39. It has "opened a hub"
in its policy team to pull together expertise and provide support to advise
firms developing new models or products on compliance and how to navigate the
regulatory system, and by "looking for areas where the system itself needs
to adapt to new technology or broader change - rather than the other way
round". Wheatley also foreshadowed that a single paper combining all of
these initiatives, and wider FCA consultation on potential handbook changes,
are due later this year.
1, we noted that
financial institutions could find themselves potentially liable for committing an
Deceptive, or Abusive Act or Practice (UDAAP)
as a result of the actions of certain types of external service providers,
particularly those that interface directly with customers.In this Part 2, we will discuss how financial
institutions can mitigate the risk of UDAAP enforcement actions through their contracting
strategies with their service providers.
A New Wrinkle of Risk
In some ways, the
CFPB's UDAAP authority resembles other regulatory regimes in that it places
compliance obligations on both the issuer of the product as well as the
third-party service provider that helps effectuate a transaction involving such
a product.For example, export control
laws place Office of Foreign Assets Control compliance obligations on both parties
to a transaction.Data protection laws
apply both to the controller as well as the processor of data.HIPAA protections for health information
apply to the covered entity and its business associates.
In other ways, however,
the CFPB's UDAAP authority differs from other regulatory regimes because it expressly
imposes upon a financial institution an affirmative obligation to supervise closely
the behavior of its service providers.While
some other regulators may also impose express obligations (e.g., Office of the
Comptroller of the Currency), in many other regulatory contexts, any required
supervisory role is typically either less onerous and/or only implied by the
Of course, it is an outsourcing
best practice for a customer to have good management and oversight over its
service providers, but the CFPB's requirements go further.Indeed, this supervisory obligation may even
undercut a financial institution's rationale to outsource certain functions in
the first place and lead an institution to forego pursuing the outsourcing
relationship during an initial risk assessment if the institution believes the
potential service provider could expose the institution to UDAAP liability.
relationships involve some level of risk.Depending on the nature of the services, a bank may be handing over sensitive
data, management of key processing functions, or responsibility to keep IT
infrastructure safe and secure.
The CFPB, however,
appears to have added a new wrinkle of risk to what would otherwise be
considered a "standard" level of outsourcing risk - for certain services
related to consumer financial products or services, if a financial institution's
service provider engages in behavior that the CFPB finds unlawful under its UDAAP
authority, then the financial
institution itself is potentially
liable for the conduct of its service providers and could be subject to
A Delicate Balance
But this risk is not
insurmountable.A thoughtful vendor
management/contracting strategy can mitigate a financial institution's risk by
incorporating UDAAP obligations into its service provider contracts and sensibly
allocating the risk between the parties.In addition to addressing the risk responsibility in the contract, the
financial institution should consider establishing a service provider
monitoring and governance framework that expressly addresses UDAAP risk.
will want to implement specific solutions (which may even vary service provider
to service provider) to ensure that it sufficiently protects itself while at
the same time not being too heavy handed with its business partner.A financial institution and its counsel will
need to maintain that delicate balance between seeking the necessary protection
and creating obligations that can get in the way of doing business.
With this balance in
mind, there are two high-level procedural approaches a financial institution's counsel
may want to consider.
One method a financial
institution could employ is to execute single purpose "UDAAP Agreements" with
all of the relevant service providers across the enterprise.This approach is analogous to a company
requiring its service providers to enter into NDAs or (for HIPAA covered
entities) Business Associate Agreements.
Such an initiative
will likely take a fair amount of effort, but it could also bring significant
benefits.First, the institution is
starting out with standard terms.Assuming counsel is successful in limiting negotiation, then all the
relevant service providers are signing up to more or less the same obligations,
which creates consistency with respect to meeting the CFPB's duty to supervise.
Second, this approach gives
the institution room to be specific about what is required.Some service providers may not know their precise
obligations with respect to the prohibition on UDAAP, and having such clear
obligations may be beneficial to the financial institution in showing the CFPB
that the institution is taking its affirmative obligations seriously.
Finally, with respect
to those agreements already in place, a single purpose approach avoids having
to reopen and amend the existing terms.With respect to new agreements being negotiated, the single purpose
approach allows the institution to segregate the risk terms (e.g., liability
and indemnities) from the underlying commercial transaction, which may result
in more efficient negotiations.
Integrate the Terms
Another approach is to
integrate the UDAAP obligations into the underlying service provider
contract.Integrating the terms into an
underlying agreement may enhance the institution's leverage because each party
has the "let's get a deal done now" mentality if it is a new contract.
Integration of the
terms into the underlying transaction is also similar to the way many
outsourcing contracts deal with other regulatory issues like data protection and
export controls, so the approach is unlikely to surprise the service provider.Taking this approach may result in
negotiating "fewer words" because some aspects of compliance (e.g., reporting
and audit rights) may already be captured by other portions of the contract.
For those outsourcing
transactions that, in the grand scheme of things, present a comparatively lower
risk to the financial institution, a single purpose agreement may be too much
when simpler integrated terms would suffice.Compliance obligations with such low-risk transactions may simply be
handled in a standard "compliance with laws" section in the agreement.
With respect to
medium-risk to high-risk transactions, however, an institution will want to
guard against taking a simplistic approach to integration.In other words, the institution should resist
trying to address UDAAP by simply inserting a "compliance with Dodd-Frank"
obligation or "compliance with bank policies" obligation into the
contract.Although the service provider
may be more agreeable to closing the issue this way, the actual obligations to
prevent UDAAP violations are not spelled out.If CFPB examiners come looking for UDAAP violations, the bank may not
have a good story to tell about its good faith effort to mitigate risky UDAAP
behavior with that service provider.
Key Negotiation Points
In addition to
deciding on the best approach as described above, the financial institution
will need to able to negotiate the substantive UDAAP terms.Of course, a bank's negotiation strategy is
highly dependent on the nature of the deal, the leverage each party has, and whether
the particular relationship is high or low risk.
institution should focus on the following key areas of risk when negotiating
1.Liability.As we noted in Part 1, CFPB enforcement
actions to date have resulted in fines and restitution obligations that could run
into the hundreds of millions of dollars.Such penalties likely would vastly exceed an agreement's standard
liability cap on direct damages.Therefore, a bank's counsel should attempt to exclude such regulatory
fines from any liability caps.
2.Indemnities.A full indemnity from the service provider
for regulatory fines may also be appropriate depending on the nature of the
services, particularly for high-risk services that directly interface with an
3.Termination.An institution should also negotiate flexible
termination rights with the service provider, so that the institution can exit
a relationship in case the service provider engages in prohibited UDAAP
activity.CFPB examiners will likely
look favorably upon an institution with such flexible termination rights.
4.Operational Oversight.In addition to the traditional risk terms
described above, other business and operational terms warrant consideration as
well.To ensure that the institution is able
to exercise its heightened obligations to monitor and supervise, it should seek
frequent reporting and good recordkeeping practices from its service
providers.Strong audit rights on behalf
of the institution are also recommended by the CFPB.A robust governance framework with the
service provider may also be an important part of the financial institution's
ongoing monitoring and compliance efforts.
5.Performance Incentives.In its guidance documents, the CFPB has noted
that consumer complaints can serve as a leading indicator as to whether a UDAAP
has occurred.Not only should an
institution look to implement a process for how customer complaints get
analyzed and reported up to the bank, but also the institution should consider
tailor-made service levels for incentivizing the service provider to limit such
complaints in the first place.Implementing
such proactive performance measures will likely show CFPB examiners that the
institution is looking to curb violations before they occur.
Implementing such a contracting
strategy is an essential component of any financial institution compliance
program.Among other things, it likely
will go a long way in showing the CFPB that a good faith effort has been made
to comply with UDAAP rules and ultimately help the financial institution avoid
With the number of (internet) connected devices rapidly surpassing the number of internet people (actually, all people whether or not connected), we take this opportunity to explore some of the legal complexity brought about by all of this connectivity.
First, some background:
Introduction of IPv6 uses 128 bit addresses - limit: 340 Trillion addresses
This means that with the current population, we have the ability to address over 47,000 addresses/devices per person
The Sheep's Clothing
The Internet of Things has some wonderful benefits. For example:
You can now remotely control your thermostat to save energy;
You can monitor systems in your house when away to protect its physical security;
Companies can monitor the flow of goods and inventory through their systems;
Utilities can manage the flow of resources based on supply and demand through smart metering;
Distributers can monitor the movement of their fleets;
Municipalities can monitor flow of traffic on streets and availability of parking spaces;
And the list goes on as far as our imagination
But . . . the Internet of Things also creates huge amounts of information. And with that information, come all of the risks and challenges of having information.
Companies or other entities collecting or processing information need to protect the confidentiality of that information. Information about the things of individuals can disclose significant information about that individual.
For example, the GPS tracking on a cell phone may be used to tell the owner of an App where the person is going which could disclose private, or even Protected Health Information--imagine, if you will, a company that uses the GPS tracking to monitor the movement of its distributed sales force and learns that one of the sales personnel has been frequenting a certain kind of medical establishment.
Entities need to understand what information they may obtain, and need to develop clear policies and manage expectations of the users. In some countries, even having employees consent to such monitoring may not be enforceable given the "coerced" nature of employee "consent."
This gets even more concerning when companies are monitoring their customers rather than their employees. Although the monitoring may be for the most well-intentioned purposes, the company still possesses sensitive data. For example, the App on smartphones that tracks where people exercise using GPS also knows when people are exercising far from home. If someone was able to hack into that data, they would know when was a good time to break into the home or harm the user's family.
In addition to privacy concerns, there are also more direct employment concerns. Internet connected devices make it easier for employees to work whenever and wherever. This sounds great, but this also means that hourly employees may be encouraged to work outside of their normal work hours. Not only does the device facilitate this extra work, it also reports on it. There are reported cases where this has led to companies incurring unanticipated overtime liability for hourly employees responding to emails from their smartphones.
The Internet of Things also facilitates more direct monitoring--both by private companies and by the government.
Having this data also makes an entity subject to inquiries from law enforcement and in litigation. This volume of data compounds the classic eDiscovery problems which can drive huge costs in terms of gathering, reviewing, and providing data. In addition, a company may be faced with a decision of incurring the legal expense of defending a request for information to protect the privacy of its customers, or sharing the information and affecting its reputation with the customer-base.
Don't Get Eaten
So, what is the purpose of this blog post? The move to the Internet of Things is both unavoidable and, by-in-large, beneficial. By all means, get on board, or be left behind. But entities should be thoughtful and understand some of the associated risks so that they can be built into the decision-making process. By understanding the legal risks, systems can be designed to generate great benefits while accommodating legitimate legal concerns. Advanced awareness and planning can empower those who embrace the Internet of Things, rather than allowing them to be blindsided when it is too late.
Database marketing outsourcing is a strategic transaction for retailers. This type of outsourcing can facilitate the integration of diverse marketing channels e.g., web, social media, catalog and in-store sales) and enable more targeted and effective marketing to consumers.
Database marketing encompasses a potentially broad array of services, including:
Implementation and hosting of a CRM database marketing solution;
Data cleansing, matching, updating and enrichment;
There are a variety of different measures of supplier performance depending on the specific services to be provided by the supplier and the supplier's solution for providing those services. Typical service level measures include the following:
Solution Availability - This service level measures the availability of the components of the supplier's database marketing solution that are to be accessed and used by the customer in connection with the services, such as reporting datamarts. Similar to traditional IT measures of system availability, this service level holds the supplier accountable for the solution being available to the customer's authorized users without material degradation in performance during scheduled hours of operation (excluding scheduled maintenance windows). The supplier is responsible for the application, infrastructure and network elements of the solution managed by or on behalf of the supplier. Availability is normally in the 99.0 - 99.5% range.
Database Update Processing - Database marketing services typically involve the supplier updating customer data through cleansing, appends, enrichment and refreshes in accordance with a defined schedule. As a result, there should be one or more service levels that measure the supplier's successful completion of the scheduled updates in a timely manner. This service level is typically measured either as the percentage of scheduled updates that are completed on time during
the measurement period (e.g., monthly or quarterly) or in terms of a permitted number of misses over the course of a contract year. This service level is important in ensuring that the most up-to-date information about consumers is used in designing and implementing marketing campaigns and strategies.
System Response Times - This service level measures the response time of the supplier's system to queries executed by the customer's marketing department or other users. Because queries can vary considerably in terms of complexity, it is necessary to either classify queries by their complexity level (e.g., high, medium and low) with different response times for each classification or pre-define a limited set of common queries that the customer wants to measure (e.g., shopped in the past 12 months, generation of do not mail list) with a specified response time for each query. Failure to meet the required response times for a specified percentage of queries can trigger a service level failure or, alternatively, trigger a severity 1 or 2 incident which needs to be resolved within the required resolution time.
Marketing Campaign Execution - If the services include marketing campaign support, customers may want to include service levels that measure the supplier's timely completion of its responsibilities in connection with the campaigns. For example, the service level could measure the delivery of fulfillment files to direct mail or email vendors in a timely manner. The service level measure will need to be defined based on the specific roles and responsibilities of the supplier and customer in executing marketing campaigns.
Incident Management - In addition to the measures described above, there should be a set of incident management service levels that measure the supplier's effectiveness in responding to and resolving issues that adversely impact the services. Similar to tradition IT measures, incidents are classified by severity level based on the impact to the customer's business and the services.
Key Stakeholder Satisfaction Survey - While the quantitative measures of supplier performance described above address many important aspects of the supplier's performance, they do not capture all aspects of performance that are critical to a successful relationship such as the quality of individuals assigned to the customer's account and the flexibility and customer-focus of the supplier in addressing service and change requests. It is not uncommon for a customer to be unhappy with the supplier's performance even though the supplier is consistently meeting the quantitative measures of performance. As a result, we recommend that customers negotiate a service level that provides for a quarterly evaluation by key customer stakeholders (e.g., CMO, CIO) of the supplier's performance. A modest portion of the supplier's fees should be at risk each quarter if it fails to achieve an acceptable score. Because stakeholder satisfaction is a subjective measure, the first reaction of many suppliers is to resist such a measure. With some effort, however, suppliers can often be persuaded that this is a rationale contract management
tool which if used correctly can also benefit them by providing frequent and candid feedback on their customer's perception of their performance.
Database marketing services involve suppliers managing sensitive consumer data on behalf of the customer. Data typically comes from two sources: (1) the customer's
database containing consumer contact, demographic and transactional information which is to be hosted and maintained by the supplier and (2) the supplier's (and/or
a third party's) databases of consumer contact and demographic information that are to be used to improve the accuracy and enrich the customer's database. As a result, there are several dimensions to addressing data related issues ranging from data license rights to data protection to the return of customer data at the end of the outsourcing contract.
Licensing of Supplier Data - Customers should give careful consideration to the terms of any data licensed by the supplier in connection with database
marketing services. If customers anticipate using any supplier furnished data in connection with co-branding or joint marketing with business partners, they will need to secure express license rights for those activities. In addition, suppliers typically license their data for specified terms (e.g., annual) that expire at the end of the services relationship. However, portions of the data licensed from the supplier may include updated consumer contact information (e.g., new postal or email address, new telephone number) that will be integrated into the customer's consumer records. This information cannot readily be removed from those records and it is not realistic to expect customers to revert to a consumer database with outdated information. As a result, customers should secure unlimited perpetual licenses to such data. To the extent that the customer's license to any data furnished by the supplier will terminate at the end of the services relationship, the supplier should be required to remove such data at no additional charge to the customer without adverse impact to the returned data.
Supplier Use of Customer Data - The outsourcing contract for database marketing services should include appropriate restrictions on the supplier's use of the customer's data. As a general matter, suppliers should agree to use customer data solely for the purpose of providing services to the customer. Suppliers may request the right to use de-identified, aggregated data for various purposes such as making improvements to their services generally and for research and publishing on
industry trends. Before granting this right, Customers are advised to carefully consider whether any of the proposed uses of this data could potentially reveal sensitive competitive information and to prohibit those uses. For example, if customer is dominant in a particular industry segment, the supplier's publication of trends in that segment could provide competitors valuable information about the customer's performance.
Protection of Customer Data - The consumer data hosted and stored by the supplier in a database marketing service contain highly sensitive personally identifiable information. As a result, customers should secure strong contractual commitments from the supplier regarding the protection of that information. These commitments should include:
a comprehensive security program that complies with all applicable data privacy / security laws and regulations and satisfies the customer's internal security policies;
ISO 27001 certification;
annual SOC 2, Type 2 reports, including prompt remediation of deficiencies indicated in the reports;
customer approval of supplier facilities used in delivering the services; and
prompt notice and full cooperation in addressing any security events.
If the supplier will not agree to unlimited liability for breach of its security commitments, the limitations on liability should provide for a significantly
higher cap on liability than the normal cap for performance failures. In addition, the supplier should be responsible for all reasonable costs incurred by customer in addressing security breaches, including investigation, forensics and legal costs; regulatory fines and penalties; and call center and credit monitoring costs.
Return of Customer Data - When the outsourcing contract with the supplier comes to an end, the customer will need to migrate the consumer data hosted by the supplier to another database marketing solution. The outsourcing contract should include commitments from the supplier to assist the customer with this transition. This should include a commitment by the supplier to return all of the customer's data in an industry standard format (e.g., delimited ASCII), together with configuration descriptions and other documentation relating to the data. Absent these commitments, the customer may find that there are significant operational and
financial hurdles in attempting to terminate its relationship with the supplier or negotiate favorable renewal terms.
Join two of our SourcingSpeak bloggers, Joe Nash and Meighan O'Reardon, as they explore "Cybersecurity as a Service," an emerging concept that allows companies to more centrally manage cybersecurity. They will highlight how these services may be leveraged by corporations looking to mature their cybersecurity capabilities and address cybersecurity risk from a legal,
operational and management standpoint. Topics that they will cover include:
How can these cybersecurity services be leveraged by an organization?
How should organizations be structuring themselves to best manage cybersecurity, and ultimately to limit their cybersecurity risk profile?
What is the preferable approach to create a comprehensive program for cybersecurity management? In-house, third-party sources or both?
What are some of the legal ramifications companies must keep in mind?
We recently completed a major renegotiation of a very large, longstanding infrastructure outsourcing contract. As is typical with renegotiations, there were areas of the contract that required changes and areas the client wanted to leave alone. In this case, scope (and the presumed current solution) was to be left alone as the focus of concern was thought to be on other areas of the relationship. However, the need to update a seemingly simple exhibit - the Key Supplier Personnel list - told the client they had reason to be a lot more concerned about the supplier's current solution.
The security community has been abuzz this week with the US. District Court of New Jersey's April 7 ruling in Federal Trade Commission v. Wyndham Worldwide Corporation, et al. (see http://www.adlawaccess.com/wp-content/uploads/sites/137/2014/04/Opinion.pdf). Wyndham had asserted in a motion to dismiss that the Federal Trade Commission ("FTC") did not have the authority to pursue enforcement actions against the hotelier related to data security. The District Court denied the motion and held that the FTC may in fact pursue claims related to data security under Section 5(a) of the FTC Act's prohibition on unfair or deceptive acts or practices affecting commerce (see 15 U.S.C. 45(a)). While the significance of the holding is being debated in the legal community, this week's decision highlights the Federal Government's increasing emphasis on requiring certain baseline cybersecurity practices by the private sector.
The background facts of the case are fairly straightforward. The FTC brought suit against Wyndham Worldwide, Corp. in the wake of three separate security breaches that occurred between 2008 and 2011 and resulted in the theft of guests' personal information (e.g., payment card account numbers, expiration dates, and security codes). The FTC alleges that after the initial two security incidents, Wyndham failed to implement reasonable and appropriate security measures which exposed consumers' personal information to unauthorized access and resulted in consumer injury. Specifically, the FTC alleges that there were several problems with the Wyndham's information security practices including wrongly configured software, weak passwords, and insecure computer servers.
So what does the Court's holding mean for the private sector? Since, up until this case, the FTC's data security actions have been settled out of court, this case marks the first time that the courts have ruled on the merits of the FTC's authority related to data security actions. Fundamentally, the decision affirms that the FTC has the power to pursue enforcement actions for unreasonable cybersecurity practices under existing laws. The Court, however, cautioned that "this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked." It is also important to note that the Court's decision did not include a verdict on Wyndham's liability in the matter (interested parties should continue to watch as the matter continues).
One significant question that remains unresolved is what constitutes "reasonable" security in this context. It seems possible that we may be starting to see an intersection with cases like this and wider US cybersecurity policy...does "reasonable" equate to adopting a risk mitigation strategy akin to the NIST Cybersecurity Framework? Or, does it mean something even more? Ultimately, this ruling on the FTC's enforcement authority adds to the already dynamic cybersecurity legal landscape and should cause companies to take pause to examine whether their cybersecurity practices are defensible with regulators and in court.
business clients would rather be in the dentist's chair than sit through
negotiation of the indemnity and liability provisions of their agreement. Admit
it: your eyes glaze over, time appears to visibly slow down, and you wonder at
how the lawyers can find this stuff interesting enough to argue about.
dull as they appear to be, there are some significant issues that can arise
from the indemnity clause. One issue that I see more often than not is that
suppliers try to put a financial limit on their indemnification obligations.
Sometimes the supplier will agree to remove the limitation, but not always. What
are the consequences of having a limitation on an indemnification obligation,
and why should you be interested?
consider a software license agreement, which includes an obligation by the
software owner (the licensor) to indemnify you (the licensee) for third party
claims that the software infringes the third party's intellectual property. If
that happens, the licensor will conduct the defense of the claim - that is,
they will be the one to hire the attorneys, go to court, and argue why there is
agreement also includes a limitation of liability that limits each party's
liability to the annual software license and maintenance fees. The liability
provisions could be drafted so that the limit applies to the indemnity
obligation. Assume that you are paying $200,000 annually to the licensor, and
so that becomes the limit of the licensor's indemnity obligations.
can be used up pretty quickly in litigation. There will significant costs to
investigate and build a case to rebut the claim - reviewing IP registrations
and other documents, interviewing witnesses, researching related lawsuits etc. Legal
fees, and the fees of experts and consultants that may need to be retained,
quickly build. Then comes the discovery and interrogatory phases.You may not even be at the point of a court hearing
or close to settlement discussions when the amount spent has exhausted the
what will happen? Based on your agreement, the licensor could simply walk away
and leave you holding the baby. From a practical perspective, it would be
foolish for them to do that, as it's their software that is allegedly
infringing, and you have no reason to defend their product. The only thing that
you will want to do at that point is get out of the litigation as quickly and
cheaply as possible, and so handing the defense over to you would be commercial
suicide for the licensor. But in negotiating the indemnity clauses, many
suppliers and licensors don't consider the practicalities of dealing with the
litigation - they are only looking at the total risk profile of the agreement
that they are entering into.
the licensor wanted to enforce the terms of the agreement, they could do so,
leaving you in the position where you have to step into their role in defending
the case, or pay them to continue to do so. Doing either would be at
significant cost to you, not to mention the disruption defending the claim may
have on your business.
you are not able to negotiate out the limitation of liability from the
indemnity obligations, then you should do two things:First, try to exclude the costs of defense
from the liability cap.Second, pay
extra attention to the indemnification procedures.For example, how will the parties handle the
situation where the expected liability exceeds the liability cap? Are you free
to defend and seek contribution from the licensor up to the value of the
cap?And what if the licensor takes
responsibility for defending the claim and it later appears that the cap will
be exceeded?You should avoid that
scenario by negotiating a requirement for the licensor to waive its limitation
of liability in return for assuming full defense of the claim; the alternative
(short of having the licensee write a blank check) would be to give you some
level of involvement and/or control over defense and settlement, which would
quickly become unworkable.
no simple answer to this issue, but there are certainly some options that can
be explored in negotiations.
In a recent judgement, the Court of Appeal of England and Wales held that an electronic database was not a chose in possession or a chattel but a chose in action (see our earlier blog regarding the grant of leave to appeal in this case). In other words, a database is intangible property, not goods which can be possessed. This means that when the parties to a database hosting contract are silent about what happens to the database when the contract ends, the service provider cannot exercise a common law lien over the database so as to force full payment of its fees, and must return the database to its customer.
In giving the lead judgement in the Court of Appeal, Lord Justice Moore-Bick, quoted extensively from the judgment of Lord Justice Diplock in Tappenden v Artus (Tappenden v Artus  2 Q.B. 185). Tappenden is a case with which most first year law students in the UK will be familiar. In that case, a van owner allowed a customer to use the van pending the completion of a hire-purchase agreement. The van then broke down and was repaired by the defendant garage, but the price of the repairs was not paid. The question arose whether the garage could exercise a lien over the van against the owner. In finding that it could, Diplock L.J emphasised "actual possession of goods" as necessary for the self-help remedy of possessory lien to arise under the common law.
Referring to another leading case, Moore-Bick LJ went on to state that "[a]s OBG v Allan makes clear... the common law draws a sharp distinction between tangible and intangible property...", which leads to the conclusion that "it is [not] possible to have actual possession of an intangible thing ...[and that] it is [not] open to this court to recognise the existence of a possessory lien over intangible property ..."
So, in sharp distinction to the common law as it applies to tangible property (such as the van in Tappenden) a database service provider has no common law right which can be used to stop a customer from accessing its database until the service provider's fees are paid. Of course, there is nothing to stop the parties including such right in the database hosting contract.
Much has been said about the EU "Cookie" laws
introduced by an amendment to the Privacy and Electronic Communications
Directive in 2011.Companies with
European customers (including those in the US) have grappled with the law's requirement
to obtain informed consent from visitors to their websites before cookies can
Not only being the subject of much academic
debate, European regulators have also issued a series of guidance papers on the
issue, including recent publications from the UK's Information Commissioner's
Office and from the Article 29 Working Party, the group made up of
representatives from the various EU privacy regulators.These provide layers of at times arguably
conflicting commentary on how to comply with the law.
Whilst question marks hang over key issues (e.g.
what constitutes valid consent before cookies can be placed?), with the various
EU data protection authorities mooting and often disagreeing on the same, the
regulators across the EU appeared to be approaching enforcement actions for
breach of the new laws rather gingerly, no doubt a reflection of the wider
debates taking place.
Whilst the fines were not exactly earth-shattering
(3,500 Euros a piece) the fact that the cookies used were rather commonplace
and not particularly intrusive to individuals' privacy makes these cases more
worthy of note and acts as a stark warning to those who have taken a similar
relaxed attitude to compliance so far.
Furthermore, it's not as if the websites in
question didn't take any action after the new law was introduced.To the contrary, they reportedly made
attempts to comply with the law, but their measures didn't go far enough -
which should make those companies who have buried their heads in the sand even
The key point for business is not just the
fact we are seeing more enforcement now, nor the level of fine, but rather the
fact that cookie law breach is a highly visible "marker" that can
draw the attention of the regulators and increase the chances of a deeper
audit, which can potentially expose wider breaches and more serious enforcement
action. This is the greater consequence of these recent developments and more
reason to get one's compliance right
These cases underline how EU member states,
intrusive.Companies doing business in
Europe have had time since the passing of the Cookie law to take action.We expect to see a significant ramp up in enforcement
action across the EU; we hear reports of numerous warning letters coming from
regulators across the EU.For companies
that have not yet reviewed their cookie policies and procedures, compliance
should move to the top of the corporate agenda.
Rafi Azim-Khan, Partner and Head of Data Privacy, Europe at Pillsbury and Chair of the British American Business' Law Forum, was in Washington, DC yesterday to hear the important announcement of a key new data privacy initiative, blessed by regulators across the North America, Europe and Asia Pacific regions.
The initiative is aimed at assisting international businesses struggling to come to terms with increasingly complex global data privacy laws and increasing enforcement risks.
FTC Chairwoman Edith Ramirez and new EU Article 29 Working Party Chair Isabelle Falque-Pierrotin of CNIL were joined by UK Commissioner Christopher Graham, Ted Dean of the US Department of Commerce and Canadian APEC lead Daniele Chatelois in announcing publicly for the first time a new "Checklist" tool known as the "Referential", designed to assist companies who have to deal with and transfer consumer and other types of data internationally. It applies to all businesses and all sectors.
Azim-Khan, who discussed with the Commissioners the goals behind the initiative, commented, "Whether a social media company or a car manufacturer marketing via its website, businesses of all shapes and sizes have been crying out for some practical help and guidance regarding their use of data and what is or is not likely to land them in hot water. Many feel recent changes to the laws in the EU and beyond, as well as significantly increased fine levels and scrutiny, are making day to day operations much more difficult and risky."
"Given the world is becoming more connected, business more global and data use increasing, literally by the day, current laws and enforcement are proving very difficult to navigate without detailed analysis and a very careful approach. It can be time intensive and costly to get things right, and equally so if there is a breach, so anything which can help business deal with complex issues such as international data transfers and data use in multiple countries is to be welcomed. That said, this is very much just a first additional step and we will have to see what happens in terms of consultations and feedback."
"This new initiative is also not a "silver bullet," i.e. an "adequacy finding" nor "mutual recognition", for example of Asia's laws by the EU. Rather, it is one new tool worth exploring in the bigger scheme of compliance and given all the upheaval in the past year or so companies with significant global reach would still be advised to urgently audit what they are currently doing and seriously consider steps needed to bring their compliance up to date, for example considering the benefits of updated schemes such as Binding Corporate Rules".
Note: The EU and the US have locked horns in recent months over criticisms the US is not doing enough to enforce Safe Harbor breaches by large US companies and the EU is proposing new "atomic weapon" fines of 2 or 5% of global revenue fines for non-compliance as part of new Regulation proposals.
Asia is presenting a problem for international companies as the laws are hugely varied and some are also now adopting tougher EU-style laws which US companies do not like.
This initiative is the first time the differing parties have tried to put aside differences in such a joined up way.
This article was originally published on February 27, 2014 and is reprinted with permission from Corporate Compliance Insight.
Managing third-party suppliers presents significant compliance
challenges that often span an organization, raising legal, insurance, human
resources and technology concerns, to name just a few. Corporations will
continue to wrestle with these risks in the year ahead, but the convergence of
external threats, abundance of valuable corporate data and the current
regulatory environment has highlighted the importance of corporate
cybersecurity practices. Cybersecurity is perhaps one of the hottest topics
being discussed in boardrooms today. The Cybersecurity Framework,
anticipated legislation and litany of high-profile data breaches have resulted
in even more heightened scrutiny.
The landscape for corporate cybersecurity is rapidly changing and
outsourced services, including IT and business process services, all stand to
be impacted. Corporate stakeholders, particularly in the legal,
information security and information technology departments, should be keenly
focused on the current cybersecurity climate and the state of cybersecurity
across third-party outsourcing agreements.
A significant aspect of this heightened attention on cybersecurity is
not only how third-party outsourcing partners are managing security as part of
the service they deliver, but also the risk and cybersecurity exposure to an
organization from these third-party relationships. Attackers increasingly
exploit weaknesses in third-party suppliers' networks to access data and assets
from target companies. As a result, having in place the appropriate contractual
and governance safeguards with your third-party suppliers is paramount.
Efforts to integrate and manage cybersecurity in outsourcing
arrangements should start early. Detailed security assessments and internal
cybersecurity stakeholders should be included as part of initial due diligence
efforts with selected suppliers. It is important to understand the security
processes and tools that proposed suppliers will use as part of the outsourced
service, the supplier's vulnerabilities and plans to remediate gaps during the
term of the proposed agreement and the plan for the supplier to integrate with
existing corporate cybersecurity programs. Also, understanding how the
supplier has previously responded to past incidents and improved its operations
as a result is crucial.
Contract documentation should include meaningful cybersecurity
provisions related to liability and indemnification for incidents and identify
the security policies and procedures that the supplier will be expected to
comply with during the term. Ideally, contracts should support liability
and indemnification provisions that align with the value of the data exposed to
the third-party supplier, not simply derivatives of the contract value.
Including adequate audit and risk assessment provisions for regular risk
assessments and remediation plans (annual at a minimum), of the
supplier's operations is also highly recommended.
It is important to remain mindful of proposed cybersecurity legislation
- at both the federal and state levels - that may need to be accounted for in
outsourcing agreements. Compliance professionals should continue to monitor the
proposed landscape of legislative and regulatory changes. Accounting for
requirements in third-party agreements to accommodate new cybersecurity laws
will be critical.
Finally, and perhaps most importantly, governance models that allow
corporations to manage the security functions of individual suppliers as well
as the full portfolio of suppliers in a holistic fashion will become
increasingly important over the next year. The ability to respond quickly
to incidents but also make the appropriate strategic risk management decisions
related to cybersecurity will be a defining characteristic of a strong
corporate cybersecurity program.
Compliance managers and in-house counsel should remain keenly focused on
cybersecurity during the next year when negotiating new agreements, amending
existing contracts or participating in ongoing governance activities with
current service providers. Proactively addressing cybersecurity risks by
incorporating security considerations early in the contracting process and
defining more appropriate services descriptions, service levels and
interaction/governance frameworks can help limit cybersecurity exposures in the
theory, a multi-provider service delivery environment should not create
additional complexities in terms of liability. The contracts -- entered into
separately between the customer and each supplier -- should, if well
constructed, clearly delineate the liabilities between the parties," says Mario Dottori, leader of
the global sourcing
practice in Pillsbury's Washington, D.C. office.
tip offered is to create operation level agreements, "OLAs state how
particular parties involved in the process of delivering IT services will interact
with each other in order to maintain performance, and can help all parties 'see
the forest for the trees,' says Dottori. 'These
arrangements offer the opportunity for enhanced visibility of the service
regime as a whole and helps to reduce -- or better arm the parties with
solutions for -- missed hand-offs and finger pointing.' One caveat: Most
providers will not agree to take on additional liability in OLAs. But such an
agreement can be an effective preventative measure."
February 12, 2014, the National Institute of Standards and Technology ("NIST") released the
final version of its Framework for Improving Critical Infrastructure
Cybersecurity (the "Cybersecurity
Framework" or "Framework")
and the companion NIST Roadmap for Improving Critical Infrastructure
Cybersecurity (the "Roadmap").
The final version is the result of a year-long development process which
included the release of multiple iterations for public comment and working
sessions with the private sector and security stakeholders. The most
significant change from previous working versions is the removal of a separate
privacy appendix criticized as being overly prescriptive and costly to implement
in favor of a more general set of recommended privacy practices that should be
"considered" by companies.
Cybersecurity Framework marks an important step for U.S. cybersecurity policy
after an Executive Order from the Obama Administration called for its creation
in February 2013 (see Executive Order 13636 "Improving Critical Infrastructure
Cybersecurity", February 12, 2013).While use of the Cybersecurity
Framework is voluntary, the Federal government has been actively exploring
various measures to incentivize participation both universally and on a
sector-by-sector basis (see http://m.whitehouse.gov/blog/2013/08/06/incentives-support-adoption-cybersecurity-framework.
See also Incentives Study Analytic Report, Department of Homeland Security,
June 12, 2013 available at https://www.dhs.gov/sites/default/files/publications/dhs-eo13636-analytic-report-cybersecurity-incentives-study.pdf).While the Framework is focused on the 16 sectors identified as critical
infrastructure (the 16 critical infrastructure sectors are chemical, commercial
facilities, communications, critical manufacturing, dams, defense, emergency
services, energy, financial services, food and agriculture, government
facilities, health, information technology, nuclear, transportation, and water),
companies outside those areas can use the Framework in their risk assessment
and enterprise security planning.
What is the Cybersecurity Framework?
The Cybersecurity Framework is a risk management tool to assist companies with
assessing the risk of cyber-attack, protecting against attack, and detecting
intrusions as they occur. According to NIST, it complements, but does not
replace, an organization's existing risk management processes and cybersecurity
program. It is organized into three parts - the Framework Core, the Framework
Implementation Tiers, and the Framework Profile. The Framework was developed by
leveraging existing cybersecurity standards, guidelines and practices.
Organizations are encouraged to use it as a tool to continuously assess and
improve (where appropriate) cybersecurity practices.
Framework Core is comprised of five key functions: Identify, Protect, Prevent,
Respond, and Recover. These functions are intended to organize companies' basic
cybersecurity activities at the highest level and represent a lifecycle for
managing cybersecurity across an organization. Each function is further broken
down into categories and subcategories that highlight the more detailed
processes and activities associated with managing cybersecurity. As set forth
in the Cybersecurity Framework, examples of the categories under each function
Identify: Asset Management, Business Environment;
Governance; and Risk Assessment Protect:
Access Control; Awareness and Training; Data Security; Information Protection
Processes and Procedures; Maintenance; and Protective Technology Detect:
Anomalies and Events; Security Continuous Monitoring; and Detection Processes Response:
Response Planning; Communications; Analysis; Mitigation; and Improvements Recover:
Recovery Planning; Improvements; and Communications
Cybersecurity Framework includes a maturity model that is characterized by
implementation "Tiers" for companies to use to assess their progress and
development across the various functions. The tiers involve characterizing an
organization's development as Partial, Risk-Informed, Repeatable, or Adaptive
behavior. Partial maturity is characterized by informal and occasional
implementation of the Framework, meaning that the organization is unlikely to
have processes in place to utilize cybersecurity information. Risk-Informed
entities will have formal, risk-aware processes defined and implemented. An
organization that has achieved the Repeatable stage of maturity will have validated
processes that are responsive to larger enterprise requirements and needs.
Finally, entities that are considered Adaptive will be able to anticipate
challenges, adapt rapidly and manage risk in conjunction with changes.
the Cybersecurity Framework, assessing an organization's functions in relation
to the maturity or implementation Tiers and risk tolerance results in its
Profile. NIST encourages companies to use the profile to identify gaps and
develop action plans to improve cybersecurity.
The Cybersecurity Framework has been criticized as being overly broad and
toothless. Some security professionals note that the Framework is not that
different from the checklists that chief security officers already regularly
implement. Most large organizations have already implemented a risk management
process similar to the Cybersecurity Framework to manage their cybersecurity
activities. And, in practice medium and smaller sized organizations may benefit
most significantly from this first version of the Cybersecurity Framework.
However, additional sector-specific iterations are anticipated and many
government analysts note that the Cybersecurity Framework has the potential to
become the de facto standard for managing cybersecurity risk.
What's next for U.S. Cybersecurity Policy?
The companion Roadmap to the Cybersecurity Framework outlines several planned
follow on activities. In the near term, NIST will continue to oversee and
coordinate the ongoing development of the Cybersecurity Framework including by
accepting informal comments on the recent release. Additionally, a workshop
will be held in the next six months for stakeholders to share feedback on their
use of the Cybersecurity Framework. Options for long term governance including
identifying the appropriate responsible partners(s) for overseeing the
Cybersecurity Framework are also being solicited. Finally, the Roadmap
identifies nine cybersecurity disciplines marked for further development and
discussion including: (i) authentication; (ii) automated indicator sharing;
(iii) conforming cybersecurity assessments; (iv) preparation of a skilled
cybersecurity workforce; (v) use of data analytics in cybersecurity; (vi)
Federal agency cybersecurity alignment; (vii) international coordination;
(viii) supply chain risk management; and (ix) technical privacy standards.
How Can Your Organization Use the Cybersecurity
Regardless of whether your company falls within one of the defined critical
infrastructure sectors, the Framework can be a valuable tool for cross-checking
and testing your existing cybersecurity risk management programs. The Framework
provides granularity that can be useful in each phase of your program.
services businesses covered by the Gramm-Leach -Bliley Act have guidance in the
form of the Standards for Safeguarding Customer Information (Safeguarding Rule)
and the Interagency Guidance on Response Programs that require implementation
of an information security program including conducting an annual risk
assessment, assess the sufficiency of any safeguards in place to control the
identified risks, training employees, reviewing information systems (network
and software as well as processing, storage, transmission and disposal),
detecting, preventing and responding to intrusions or system failures, and
overseeing vendors and service providers.
companies that are covered entities under the Health Insurance Portability and
Accountability Act (HIPAA) have fairly specific regulations governing security
of protected health information.
outside financial services and healthcare that comply with the Massachusetts
Standards for the Protection of Personal Information of Residents of the
Commonwealth (201 Mass. Code Regs. § 17.00) will have implemented a written
data security plan that meets the requirements of that regulation, including
designating a responsible employee, conducting a risk assessment, implementing
an employee security policy, enforcing the policies, addressing issues
surrounding terminated employees, overseeing and requiring compliance by
service providers, limiting the amount of information collected, limiting
retention of data, data mapping, restricting access to records, monitoring
performance, reviewing the program annually and implementing an incident
each of these businesses, the Cybersecurity Framework addresses additional
areas where threats may exist and additional specific steps that can be taken
to better protect the business. While the Framework is not designed to replace
an information security program, certain aspects of the Framework may trigger
improvements in a company's program that help meet the business' strategic
priorities: protecting assets and business viability against loss, achieving
the appropriate level of security commensurate with the security and scope of
the company's data, protecting company systems and data against threats to the
network structure and security, anticipating evolving threats to the company's
systems and meeting the company's regulatory compliance obligations.
Pillsbury Global Sourcing advises buyers on all aspects of outsourcing and complex technology acquisitions. We have architected and negotiated deals worth over a half a trillion dollars on behalf of Fortune 500 clients. Blog content taps the insight of our people based in London, New York, Austin, San Francisco, and Washington, DC.