Archives: Information security contracts

Subscribe to Information security contracts RSS Feed

InfoLawGroup Launches CPO on Demand™ Service

InfoLawGroup announces the launch of CPO on Demand™, a service through which we serve as outside Chief Privacy Officers, Privacy Counsel, and DPOs as required under EU regulation. CPO on Demand™ brings the depth and breadth of our privacy and security focused attorneys to support your business’s legal, compliance, and privacy teams. Please click here … Continue Reading

Do Your Due Diligence-is the Forecast Cloudy or Clear?

Dave and I recently spoke with BNA's Daily Report for Executives about the importance of due diligence and planning for organizations entering into (or considering) enterprise cloud computing arrangements. You can find the article, "'Cloud' Customers Facing Contracts With Huge Liability Risks, Attorneys Say," here. … Continue Reading

European Reservations?

German state data protection authorities have recently criticized both cloud computing and the EU-US Safe Harbor Framework. From some of the reactions, you would think that both are in imminent danger of a European crackdown. That's not likely, but the comments reflect some concerns with recent trends in outsourcing and transborder data flows that multinationals would be well advised to address in their planning and operations. … Continue Reading

Do the New EU Processing Clauses Apply to You?

A new set of EU standard contract clauses ("SCCs" or "model contracts") for processing European personal data abroad came into effect on May 15, 2010. Taken together with a recent opinion by the official EU "Article 29" working group on the concepts of "controller" and "processor" under the EU Data Protection Directive, this development suggests that it is time to review arrangements for business process outsourcing, software as a service (SaaS), cloud computing, and even interaffiliate support services, when they involve storing or processing personal data from Europe in the United States, India, and other common outsourcing locations. … Continue Reading

Information Security Standards and Certifications in Contracting

It often makes sense to refer to an information security management framework or standard in an outsourcing contract, but this is usually not very meaningful unless the customer also understands what particular security measures the vendor will apply to protect the customer's data. … Continue Reading

Contracting for Cloud Computing Services

Nearly every day, businesses are entering into arrangements to save the enterprise what appear to be significant sums on information technology infrastructure by placing corporate data ''in the cloud.'' Win-win, right? Not so fast. If it seems too good to be true, it probably is. Many of these deals are negotiated quickly, or not negotiated at all, due to the perceived cost savings. Indeed, many are closed not in a conference room with signature blocks, ceremony, and champagne, but in a basement office with the click of a mouse. Unfortunately, with that single click, organizations may be putting the security of their sensitive data (personal information, trade secrets, intellectual property, and more) at risk, and may be overlooking critical compliance requirements of privacy and data security law (not to mention additional regulations). My article "Contracting for Cloud Computing Services: Privacy and Data Security Considerations," published this week in BNA's Privacy & Security Law Report, explores a number of contractual provisions that organizations should consider in purchasing cloud services. You can read the full article here, reprinted with the permission of BNA. … Continue Reading

Information Governance

Security governance is often well established in large organizations, but privacy governance typically lags. It is time for a broader approach to "information governance" that focusses on the kinds of sensitive data handled by the enterprise and establishes policies to assure compliance and effective risk management, as well as better customer, employee, government, and business relations. … Continue Reading

My Notes from the IAPP Global Privacy Summit 2010

As some of you know, I tweeted my notes from the IAPP Global Privacy Summit 2010 yesterday and today (@Forsheit for those of you on Twitter). Since many of our readers are not on Twitter, I thought I would provide you with those notes here (minus the usual Twitter hashtags and abbreviations). Please note that there were multiple sessions, and this reflects only those I was able to attend, and only the information I could quickly record, putting virtual pen to paper. These are not direct quotes, unless specifically designated as such. Overall, I think it was a great conference, a wonderful opportunity to reconnect with other lawyers and privacy professionals, and to meet students, lawyers, and others looking to learn more about this constantly evolving legal and compliance space. For me, the conference highlight was Viktor Mayer-Schonberger's keynote this morning on The Virtue of Forgetting in the Digital Age. Without further ado, here are my notes. Would love to hear your thoughts/reactions. … Continue Reading

Live from the IAPP Global Privacy Summit in Washington, DC, It’s Monday Afternoon

This week, I will be providing short updates from the IAPP Global Privacy Summit in Washington, DC. The conference will be in full swing tomorrow, and I will report on various panels and topics of interest. In the meantime, as I prepare to see old and new friends at the Welcome Reception this evening, a few thoughts on what I expect to see and hear a lot over the next few days. … Continue Reading

Thoughts from the RSA Conference

As the partners of InfoLawGroup make our way through the sensory overload of the RSA Conference this week, I am reminded (and feel guilty) that it has been a while since I posted here. I have good excuses - have simply been too busy with work - but after spending several days in the thought-provoking environment that is RSA, I had to break down and write something. A few observations, from a lawyer's perspective, based on some pervasive themes. … Continue Reading

Developing an Information Security and Privacy Schedule for Service Provider Transactions (Part Two)

In Part One of this blog series, we looked at the proactive nature of a data security and privacy schedule ("Schedule"), and considered the compliance function of a Schedule.  Part Two of this series discusses security incident response contract terms that should be considered for a Schedule.  In addition, we look at more traditional "risk … Continue Reading

Developing an Information Security and Privacy Schedule for Service Provider Transactions

It is a very interesting time for information security and privacy lawyers. Information technology and the processing, storage and transmitting of sensitive and personal information is ubiquitous. At the same time (and likely as a result of this ubiquity) the legal risk and regulatory compliance environment poses increased threats and potential for significant liability. Finally, … Continue Reading
LexBlog