Oct. 14, 2020

Vulnerability Management: What You Don’t Know From Your External Scans Can Be Used Against You

Vulnerability management has raised cost and risk issues not just for the CISO and CIO but also the general counsel, other C-suite members and the board. In this first installment of a two-part guest article series, Alston & Bird attorneys discuss recent legal actions focused on a company’s vulnerability management program, with the potential for significant fines and penalties, and offer practical takeaways to help legal and risk professionals shore up their administrative controls and aid security. Part two will take a deeper dive into third-party scanning tools and the ways in which they may be used by unauthorized or unsolicited third parties to identify vulnerabilities. See also “Using Red-Teaming to Test and Improve Cyber Defenses” (Sep. 11, 2019).

H&M’s $41M GDPR Fine Underscores Importance of Employee Data Handling

Hamburg’s Data Protection Authority has levied Germany’s largest GDPR fine so far in a case relating to H&M’s mishandling of sensitive employee data. The €35.3‑million (about $41.4‑million) fine came after full cooperation by the company and an investigation completed in under a year. Geraldine Scali, a partner at Bryan Cave Leighton Paisner in London, and Dominik Weiss, a partner in the firm’s Hamburg office, shared their insights on the enforcement and compliance implications of the case with us and offered some key lessons. See “GDPR Enforcement Lessons and New ICO Guidance on COVID‑19” (Apr. 22, 2020).

Top Priorities for Compliance With Brazil’s New Personal Data Protection Law

Brazil’s General Data Protection Law finally became effective on September 18, 2020, after several changes regarding enforcement since its publication on August 14, 2018. In this guest article, Rio de Janeiro-based Demarest attorneys Tatiana Campello and Vanessa Ferro discuss what the law covers, the path to enforcement, recent litigation already filed under the law and the compliance steps that companies should take now. See also our two-part series, “GDPR Provides Model for Privacy and Security Laws”: Latin America (Jan. 9, 2019) and Asia (Jan. 16, 2019).

Choate Deepens Government Enforcement Bench

Choate has announced its hire of former Assistant U.S. Attorney for the District of Massachusetts Adam Bookbinder, who will join the firm’s government enforcement and compliance group as a partner. For insight from Bookbinder, see “Identifying and Preparing for Ransomware Threats (Part One of Two)” (Feb. 28, 2018); Part Two (Mar. 14, 2018).

Orrick Expands Tech Transactions Practice in San Francisco

Sarah Schaedler has joined Orrick as a partner in San Francisco in the firm’s tech transactions practice, where she focuses on IP and data privacy aspects of complex corporate transactions, including mergers, acquisitions, cross-border investments, joint ventures and commercial transactions. For insight from Orrick, see “Should Victims of State-Sponsored Hacking Be Liable for Personal Data Breaches?” (Sep. 30, 2020).