Contract Risk Analysis: Data Breach/Incident Response Management - PowerPoint PPT Presentation

Contract Risk Analysis: Data Breach/Incident Response Management Richard Borden White & Williams Debra Bromson AAA Club Alliance Inc. Andrew Serwin DLA Piper Michael Wade Planet Data Solutions

Speaker Debra Bromson Andrew Serwin Richard Borden Michael Wade Assistant General Counsel Partner Counsel & Chief Chief Technology Officer AAA Club Alliance Inc. DLA Piper Privacy Officer Planet Data Solutions White & Williams 2

Agenda Organizations need to know how to efficiently and precisely review and analyze contracts for: • Vendor Risk Analysis and Risk Assessments • Vendor Management • Review and Analysis with Machine Learning • Pre-Breach and Post-Breach Incident Management

Vendor Risk Analysis and Risk Assessment

Vendor Risk Analysis • Many Services For Analyzing Vendors • Not Tied to Specific Company Risk • Risk Groups • Privacy • Information Security • Information Governance • Operational Risk • Risk Triggers

Vendor Assessment • Technical Assessment • Compliance Assessment • Contractual Assessment?? • If the contract was negotiated years ago, how do you know what to track? • If there are hundreds or thousands of contracts, how do you collect the information? • What do you do with information once you get it?

Vendor Management

Requirements Carefully Manage Your Vendors! • Determine which vendors: • Are utilized to process, transmit, or store Personal Information and/or Confidential Information • Are given access to Company IT systems or work on premises and have access to files that contain Personal Information and/or Confidential Information • Vendors must comply with Company policies and applicable laws, rules and regulations • Information Security Assessments/Audits • Develop strong contract language and modify older contracts • Retain contracts to be able to do contract analytics

Contract Provisions • Definition of Confidential Information and Personal Information and what can be accessed, used or stored • Data Privacy Requirements • Data Security/Data Security Breach notification requirements • Determine who is responsible for data incidents/investigations, reporting Compliance with applicable laws, rules and regulations • Company should only have to comply with those that apply to their data but Vendor should comply with those laws as well • Right to annually assess Vendor Information Security and technical details of the systems or services provided • Request vendors to provide applicable audit reports • Indemnification for data privacy and data security claims/breaches • Data privacy and data security issues should not be subject to typical dollar limitations

Review and Analysis and Machine Learning

Challenge-Searching Across Numerous Documents • Key Roadblocks To Effective Risk and Data Privacy Analysis • Finding key clauses across a diverse set of agreements from multiple sources is difficult using traditional tools (keyword search or even conceptual searching). • Analysis should be done at the subject level (clause/paragraph) • Review/Analysis is costly in both time and money.

Technology Solutions • Finding specific language across agreement/contracts • Keyword searching is not very effective. TREC and other studies have shown that even experts using keywords are only about 20%-25% effective in finding all the relevant documents. • Conceptual searching such as Latent Symantec Indexing is an improvement but still not very effective. • Machine Learning is revolutionizing our ability to find similar language based upon Symantec meaning • Important Methodology: Word Embeddings – They are able to predict which words would likely be found in the same context. • Can predict how and which words are likely used in various contexts. 12

Leveraging AI/Machine Learning Technology • Why does it matter? • Finds clauses/sentences based upon a detailed understanding (model) of how words are used in that specific context. • For example, Word Embedding models that have been trained on Legal Language can predict other common words that we might find in and around language discussing “Force Majeure”: • Unavoidable, excusable, excusing, act of god, disruption, excused, unpreventable, triggering, unfavourable, unavailability, outage, delaying, inclement, delays and other terms. These embeddings (or predictions) use this same kind of knowledge about EVERY word in the sentence or clause to allow us to compute how similar any other sentence or clause is to this any other. • This similarity can be used to find like/similar language across thousands of contracts almost instantaneously. 13 13

Value of Clause Level Analysis • Applying this ML based similarity at the clause level allows for an entirely new way to search, compare and contrast (visualize) legal language across many contracts: (e.g. Contrasting different versions of this clause) • Importance of clause segmentation: • Minimize review by only examining dissimilar clauses/language. • Review only the language that we are interested in. • Create reports containing all versions of the language. 14 14

Pre-Breach and Post-Breach Incident Management

What Can Companies Do to Prepare Pre-breach considerations include: Identifying critical systems; Identifying key legal and notice requirements; Creating an incident response plan; Identifying key internal and external stakeholders, including important customers and regulators who may require notice; Identifying professionals to assist in the event of a breach; Conducting a tabletop exercise; Anomaly detection; Establishing relationships with law enforcement and others in your industry to discuss sharing information; and Conducting a security review

What Should Companies Do to Respond When a breach occurs: Containment and recovery; Advising on information sharing strategy ( e.g. , critical partners); Document preservation, including forensic collection, if appropriate, with consideration of the application of the work-product doctrine; Making the facts stand still; Creating a PR plan based upon the nature and scope of the incident; Assessing notice, disclosure, and other legal obligations; Advising on engagement strategy with law enforcement; and Conducting a “lessons learned” review

Resources

Resources AI Contracts Analysis & Risk Reduction: http://www.planetdata.com/contract-analysis-risk-reduction- exego-intelligence-disrupts-expensive-and-inaccurate-manual-methodology/ “Your Vendor, Your Risk”, Maggie Gloeckle and K Royal, ACC Docket October 2019 NIST: Informative References for the Privacy Framework: https://www.nist.gov/sites/default/files/documents/2019/09/06/nist-informative-references-privacy- framework-preliminary-draft.pdf