Contract Risk Analysis: Data Breach/Incident Response Management - - PowerPoint PPT Presentation




SLIDE 1

Contract Risk Analysis: Data Breach/Incident Response Management

Richard Borden, White & Williams
Debra Bromson, AAA Club Alliance Inc.
Andrew Serwin, DLA Piper
Michael Wade, Planet Data Solutions

SLIDE 2

Speakers

  • Richard Borden, Counsel & Chief Privacy Officer, White & Williams
  • Debra Bromson, Assistant General Counsel, AAA Club Alliance Inc.
  • Andrew Serwin, Partner, DLA Piper
  • Michael Wade, Chief Technology Officer, Planet Data Solutions

SLIDE 3

Agenda

Organizations need to know how to efficiently and precisely review and analyze contracts for:

  • Vendor Risk Analysis and Risk Assessments
  • Vendor Management
  • Review and Analysis with Machine Learning
  • Pre-Breach and Post-Breach Incident Management
SLIDE 4

Vendor Risk Analysis and Risk Assessment

SLIDE 5

Vendor Risk Analysis

  • Many Services For Analyzing Vendors
  • Not Tied to Specific Company Risk
  • Risk Groups:
    • Privacy
    • Information Security
    • Information Governance
    • Operational Risk
  • Risk Triggers
SLIDE 6

Vendor Assessment

  • Technical Assessment
  • Compliance Assessment
  • Contractual Assessment??
    • If the contract was negotiated years ago, how do you know what to track?
    • If there are hundreds or thousands of contracts, how do you collect the information?
    • What do you do with the information once you get it?
SLIDE 7

Vendor Management

SLIDE 8

Requirements

Carefully Manage Your Vendors!

  • Determine which vendors:
    • Are utilized to process, transmit, or store Personal Information and/or Confidential Information
    • Are given access to Company IT systems or work on premises and have access to files that contain Personal Information and/or Confidential Information
  • Vendors must comply with Company policies and applicable laws, rules and regulations
  • Information Security Assessments/Audits
  • Develop strong contract language and modify older contracts
  • Retain contracts to be able to do contract analytics
SLIDE 9

Contract Provisions

  • Definition of Confidential Information and Personal Information and what can be accessed, used or stored
  • Data Privacy Requirements
  • Data Security/Data Security Breach notification requirements
  • Determine who is responsible for data incidents/investigations, reporting
  • Compliance with applicable laws, rules and regulations
    • Company should only have to comply with those that apply to their data, but Vendor should comply with those laws as well
  • Right to annually assess Vendor Information Security and technical details of the systems or services provided
  • Request vendors to provide applicable audit reports
  • Indemnification for data privacy and data security claims/breaches
  • Data privacy and data security issues should not be subject to typical dollar limitations

SLIDE 10

Review and Analysis and Machine Learning

SLIDE 11

Challenge: Searching Across Numerous Documents

  • Key Roadblocks To Effective Risk and Data Privacy Analysis
    • Finding key clauses across a diverse set of agreements from multiple sources is difficult using traditional tools (keyword search or even conceptual searching).
    • Analysis should be done at the subject level (clause/paragraph).
    • Review/Analysis is costly in both time and money.
SLIDE 12


Technology Solutions

  • Finding specific language across agreements/contracts
    • Keyword searching is not very effective. TREC and other studies have shown that even experts using keywords are only about 20%-25% effective in finding all the relevant documents.
    • Conceptual searching such as Latent Semantic Indexing is an improvement but still not very effective.
  • Machine Learning is revolutionizing our ability to find similar language based upon semantic meaning
    • Important Methodology: Word Embeddings – they are able to predict which words would likely be found in the same context.
    • Can predict how and which words are likely used in various contexts.

SLIDE 13


Leveraging AI/Machine Learning Technology

  • Why does it matter?
    • Finds clauses/sentences based upon a detailed understanding (model) of how words are used in that specific context.
    • For example, Word Embedding models that have been trained on Legal Language can predict other common words that we might find in and around language discussing “Force Majeure”: unavoidable, excusable, excusing, act of god, disruption, excused, unpreventable, triggering, unfavourable, unavailability, outage, delaying, inclement, delays and other terms.
    • These embeddings (or predictions) use this same kind of knowledge about EVERY word in the sentence or clause to allow us to compute how similar any other sentence or clause is to it.
    • This similarity can be used to find like/similar language across thousands of contracts almost instantaneously.

SLIDE 14


Value of Clause Level Analysis

  • Applying this ML based similarity at the clause level allows for an entirely new way to search, compare and contrast (visualize) legal language across many contracts (e.g. contrasting different versions of this clause)
  • Importance of clause segmentation:
    • Minimize review by only examining dissimilar clauses/language.
    • Review only the language that we are interested in.
    • Create reports containing all versions of the language.
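A worked illustration of the clause-level similarity search described on slides 12 to 14, added here and not part of the deck or of Planet Data's product: it segments two constructed vendor contracts into numbered clauses, scores every clause against a reference breach-notification clause, and queues for review the vendor whose best match scores low, i.e. whose wording deviates from the reference. TF-IDF term vectors are used as a stand-in for the trained word embeddings the slides describe; the file names, contract text and 0.5 threshold are constructed.

```python
import math
import re
from collections import Counter

# Constructed sample contracts (not from the slides). Both contain a breach-notification
# clause, but vendor B's version is weaker: a 30-day window and no regulator cooperation.
CONTRACTS = {
    "vendor_a.txt": "1. Confidential Information means all non-public data disclosed by Company.\n"
                    "2. Vendor shall notify Company of any Security Breach affecting Personal "
                    "Information within 24 hours of discovery and cooperate with regulators.\n"
                    "3. Vendor shall indemnify Company for claims arising from a data breach.",
    "vendor_b.txt": "1. Definitions. Personal Information has the meaning given in applicable law.\n"
                    "2. Vendor will notify Company of a Security Breach within thirty days.\n"
                    "3. Liability is limited to fees paid in the prior twelve months.",
}
TOKEN = re.compile(r"[a-z]+")

def segment_clauses(text):
    """Split a contract into (clause_number, clause_text) pairs on numbered headings."""
    parts = re.split(r"(?m)^(\d+)\.\s*", text)  # -> [prefix, num, body, num, body, ...]
    return [(int(parts[i]), parts[i + 1].strip()) for i in range(1, len(parts) - 1, 2)]

def tfidf_vectors(docs):
    """TF-IDF term vectors: a stand-in for the learned word embeddings the slides describe."""
    tokenized = [TOKEN.findall(d.lower()) for d in docs]
    df = Counter(t for toks in tokenized for t in set(toks))
    return [{t: c * (math.log((1 + len(docs)) / (1 + df[t])) + 1) for t, c in Counter(toks).items()}
            for toks in tokenized]

def cosine(u, v):
    """Cosine similarity between two sparse vectors (0.0 when either is empty)."""
    dot = sum(x * v.get(t, 0.0) for t, x in u.items())
    nu = math.sqrt(sum(x * x for x in u.values()))
    nv = math.sqrt(sum(x * x for x in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0

def rank_clauses(query, contracts):
    """Score every clause of every contract against a reference clause, best first."""
    items = [(f, n, body) for f, text in contracts.items() for n, body in segment_clauses(text)]
    vecs = tfidf_vectors([query] + [body for _, _, body in items])
    scored = [(round(cosine(vecs[0], v), 3), f, n, body) for v, (f, n, body) in zip(vecs[1:], items)]
    return sorted(scored, reverse=True)

def review_queue(query, contracts, threshold=0.5):
    """Best match per contract as {file: (score, clause_no, needs_review)}; a low score
    means the vendor's version deviates from the reference and must be read in full."""
    best = {}
    for score, f, n, _ in rank_clauses(query, contracts):  # sorted, so first hit is the best
        best.setdefault(f, (score, n, score < threshold))
    return best
```

Running `review_queue` with vendor A's own notification clause as the reference returns vendor A at 1.0 and vendor B's clause 2 at roughly 0.4, so only vendor B's wording lands in the review queue.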
SLIDE 15

Pre-Breach and Post-Breach Incident Management

SLIDE 16

What Can Companies Do to Prepare

Pre-breach considerations include:

  • Identifying critical systems
  • Identifying key legal and notice requirements
  • Creating an incident response plan
  • Identifying key internal and external stakeholders, including important customers and regulators who may require notice
  • Identifying professionals to assist in the event of a breach
  • Conducting a tabletop exercise
  • Anomaly detection
  • Establishing relationships with law enforcement and others in your industry to discuss sharing information
  • Conducting a security review

SLIDE 17

What Should Companies Do to Respond

When a breach occurs:

  • Containment and recovery
  • Advising on information sharing strategy (e.g., critical partners)
  • Document preservation, including forensic collection, if appropriate, with consideration of the application of the work-product doctrine
  • Making the facts stand still
  • Creating a PR plan based upon the nature and scope of the incident
  • Assessing notice, disclosure, and other legal obligations
  • Advising on engagement strategy with law enforcement
  • Conducting a “lessons learned” review

SLIDE 18

Resources

SLIDE 19

Resources

  • AI Contracts Analysis & Risk Reduction: http://www.planetdata.com/contract-analysis-risk-reduction-exego-intelligence-disrupts-expensive-and-inaccurate-manual-methodology/
  • “Your Vendor, Your Risk”, Maggie Gloeckle and K Royal, ACC Docket, October 2019
  • NIST: Informative References for the Privacy Framework: https://www.nist.gov/sites/default/files/documents/2019/09/06/nist-informative-references-privacy-framework-preliminary-draft.pdf