Shareholder Brownstein Hyatt Farber Schreck, LLP, United States
Most companies collect data and use service providers to process that data. New state privacy laws require companies to contractually obligate their service providers to maintain reasonable security practices. The company’s legal team and InfoSec team work together to vet the service provider, and this presentation discusses that process. The InfoSec team reviews the service provider’s SOC 2 reports, relevant certifications, and policies, while the attorney negotiates a data processing/protection agreement (DPA). The DPA covers data ownership, scope and purpose of processing, permitted uses of de-identified data, data residency, data disposition, data security, incident response, audit rights, data subject requests, and DPIAs. This presentation will step through the vetting process and how to negotiate each section of the DPA for a win-win partnership with the vendor.
Learning Objectives:
At the end of this session, participants will understand the importance of vetting service providers that process data and the steps involved in vetting them.
At the end of this session, participants will be able to identify the parts of a data processing agreement that are important to protecting a company's data when it is processed by a service provider.
At the end of this session, participants will understand how the InfoSec team and the privacy/cybersecurity attorney work together to protect a company's data that is processed by a service provider.