Posted
By

In the wake of some extreme weather during 2011 (earthquakes, tsunamis, tornadoes, hurricanes, and mudslides), what better time to review your disaster recovery and business continuity (DR/BC) solution and planning processes?

In some cases, DR/BC planning is a legal or regulatory requirement, but even where it is not, common sense argues for a sound DR/BC plan for any business. Why?

  • For most businesses, the dependency on computer systems, applications, databases, networks and electronic delivery systems increases daily – to the point where the efficiency and productivity of the business would drop precipitously if these tools were not available.


Because evaluating a service provider’s security posture is more challenging in the cloud, in Part Three of this article we looked at ways to evaluate a cloud service provider’s security prior to signing the contract and some of the issues between customers and suppliers created by the SEC Guidance. In Part Four we’ll look at ways to monitor the provider’s security during the term of the agreement.

Auditing Security

For years customers of outsourced IT services have asked providers for a copy of their SAS 70 Type 2 audit report as a means of evaluating a supplier’s security. Since the SAS 70 was not designed as a security audit, it is not well suited to this purpose, but in the absence of a more security-specific standard, the SAS 70 served as a suitable proxy.


In Parts One and Two of this article we discussed the new Guidance issued by the Securities and Exchange Commission (SEC) Division of Corporation Finance that provides guidance to companies with regard to whether and how a company should disclose the impact of the risk and cost of cybersecurity incidents (both malicious and accidental) on a company.

In particular, the Guidance suggests that companies need to evaluate cyber-related risks including:

  • prior cyber incidents and the severity and frequency of those incidents;


With cloud services now obtaining as much press as the fallout from Kim Kardashian’s wedding, it seems safe to say that clouds are likely to be in the business forecast for the foreseeable future.

A strong answer to every IT infrastructure manager’s prayers, cloud computing can provide both a scalable on-demand combination of hardware, software and services, as well as helping fulfill corporate/social mandates for becoming greener.

The people over at Carbon Disclosure Project decided to commission a study into the potential impact of cloud computing on large US businesses. Released in July 2011, the report was independently produced by Verdantix and sponsored by AT&T.



Hot on the heels of the UK Information Commissioner’s approval of First Data’s binding corporate rules (BCRs), Viviane Reding, the Vice President of the European Commission and EU Justice Commissioner has signalled reform of the BCR scheme aimed at making BCRs even more effective. BCRs are a way of ensuring compliance with the complexities of European data protection law – they are particularly relevant to multinationals with business operations located in the EEA who need to transfer personal data to affiliates in jurisdictions outside of the EEA.

In a speech given to the International Association of Privacy Professionals’ (IAPP) inaugural Europe Data Protection Congress in Paris on 29 November 2011, Reding announced her plans as part of upcoming revisions to the EU data protection framework. Reding’s proposed reforms will be built around three principles: simplification; consistent enforcement; and innovation. Above all, Reding proposes reform “compatible with small innovative companies’ endeavours to operate on a global scale” so that companies of all sizes and operating across all business models will be able to take advantage of BCRs.

Simplification. Under Reding’s proposal the BCR approval process would be streamlined: approval by one Data Protection Authority (DPA) would result in automatic recognition by the DPAs of all other member states, without the consultation that currently operates across the 19 participating DPAs. This should help to speed up the approval process and reduce the burden on the applicant. Further, once BCRs are approved by a DPA, there would be no need for additional national authorisation prior to transfer, as is currently required in some member states (but not others, such as the UK).


14 November 2011 saw First Data Corporation become the 11th entity to have binding corporate rules (BCRs) approved by the UK’s Information Commissioner’s Office (ICO).

First Data Corporation is a global electronic commerce and payment processing company. As a payment processor, secure handling of data is at the heart of First Data’s business. First Data has business operations in 35 countries and serves more than 6 million merchant locations, thousands of card issuers and millions of consumers worldwide. First Data is the first payment processor to have achieved BCR approval. Time will tell, but while it maintains this distinction, this may give it a significant advantage over its competitors at a time when data privacy issues, including some recent high profile data breaches and regulatory settlements, are never far from the news and the handling of personally identifiable data continues to be subject to a high level of scrutiny by regulators across the globe.

According to First Data’s Chief Executive Officer Jonathan J. Judge: “Data privacy is fundamental to the success of our business, and we’re deeply committed to protecting the information entrusted to us by our clients and employees alike. We have high standards for data privacy, and this recognition from exacting European regulators demonstrates our global leadership in data protection compliance.”


The holiday shopping season in the U.S. started in earnest on Black Friday (or even Thursday for some stores) and online shopping celebrates today with “Cyber Monday.”

Contrary to the popular belief that Black Friday is the day that retailers go from being in the “red” to being in the “black” for the year, according to Snopes.com the name Black Friday was actually coined as a derisive term applied by police and retail workers to the day’s plethora of traffic jams and badly-behaved customers. The popularity of Cyber Monday shows that the problems of high traffic and bad behavior are no longer limited to the brick-and-mortar environment.

According to this article from eweek.com,


Do you transfer personal data from Europe to the US? Do you use cookies on a website aimed at European customers? Do you send marketing emails to Europe? Do you otherwise “process” data in Europe? Do you really have consent to process personal data? If any of these questions strike a chord with you, then you should certainly note recent trends in the EU regarding the concept of “consent,” not least the news from Germany that Facebook is to be prosecuted (and potentially fined up to $400,000) over its facial recognition software feature and for failure to properly obtain consents.

This issue of what constitutes proper consent has been coming to the boil in 2011.

A recent Opinion published by the Article 29 Working Party (the grouping of data protection authorities from each EU state – the “Working Party”) looked again at the concept of “consent,” which, subject to certain exceptions, is required from individuals before such activities are carried out. Adopted on 13 July 2011, it aimed to provide a thorough analysis of the concept of consent as currently used in the European Data Protection Directive 95/46/EC and the e-Privacy Directive 2002/58/EC.


In Part One of this article, we looked at the Securities and Exchange Commission (SEC) Division of Corporation Finance’s recent release – CF Disclosure Guidance: Topic No. 2 – Cybersecurity (the “Guidance”), which is intended to provide guidance to companies on whether and how to disclose the impact of the risk and cost of cybersecurity incidents (both malicious and accidental) on a company.

In Part Two we’ll look at the specific advice provided by the Guidance regarding specific reporting regulations and how it might apply to some recent cyber-incidents.

Management’s Discussion and Analysis of Financial Condition and Results of Operations


On October 13 the Securities and Exchange Commission (SEC) Division of Corporation Finance released CF Disclosure Guidance: Topic No. 2 – Cybersecurity (the “Guidance”), which is intended to provide guidance to companies on whether and how to disclose the impact of the risk and cost of cybersecurity incidents (both malicious and accidental) on a company.

This represents a reminder that companies should think about cybersecurity and data breach incidents when deciding how to fulfill their obligations under the SEC’s existing disclosure requirements. Up to this point, the market’s focus has been on how US law requires disclosure of data breaches affecting specific types of personal information. Other security incidents only became public knowledge because of unofficial disclosures or because of their visible effect (e.g., a denial of service attack). Now, the SEC has made it clear that the risks associated with cyber incidents, the costs of mitigating those risks, and the consequences of a cyber incident may rise to the level of materiality that would require disclosure to investors and regulatory authorities.

Although the Guidance is not, in itself, a rule or regulation, companies who ignore such guidance may do so at their peril.