Assessing and allocating risk in the contract for the new ‘normal’

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization. By James McPherson, Director & Counsel, Credit Agricole Corporate & Investment Bank

In the context of vendor management, and what seems to be a significant increase in various services, that have some type of “cloud” component, what is one of the most significant challenges presently facing market participants in regards to privacy and data security?

Navigating through and attempting to remain in compliance with the privacy and data security laws of multiple jurisdictions, particularly where certain laws are less than clear, either as drafted or in practical application, due to being out-of-date, or being recently enacted and not yet fully interpreted is one of the most significant and immediately pressing challenges of the financial services industry today. As a threshold matter, privacy, security, and the cloud, are related but separate topics.  However, to discuss privacy in isolation from security, particularly in the context of technology services, would be incomplete.  Furthermore, depending on the purpose of such discussion, such approach may only be of marginal help in identifying and resolving more common day-to-day concerns. Within the U.S., unlike other jurisdictions, there is no general national privacy law or national data protection law that is comparable to what one may see in other jurisdictions – at least, not yet.  Similarly, there is no dedicated national commission, or department tasked with oversight of the subject, nor is there comprehensive regulatory supervision of technology firms that have become the behemoths of our times.  Rather, due in significant part to the manner in which the U.S. Constitution is constructed, and the circumstance under which the Constitution came into existence, applicable law is spread across a panoply of federal and state governing bodies.  While various different laws may address the same or similar risks, often in a similar manner, each jurisdiction’s law is distinct and may have slightly different requirements.

James will be presenting at the Vendor & Third Party Risk USA Congress. This event will be taking place virtually on October 7-8 . Click here to view the full agenda, and find out how you can register for this virtual Congress!