The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Incident Response

  • From Vol. 4 No.43 (Dec. 19, 2018)

    Interim Response Lessons From the Marriott Breach

    Though the investigation into the massive Marriott data breach that affected 500 million customers is still ongoing, lessons for companies have already emerged and lawsuits have been filed. The Cybersecurity Law Report spoke with Karen Hornbeck, a senior manager at Consilio, who offered insight on some of the mistakes made by Marriott in its initial communications with its customers along with advice on conducting cyber due diligence, resources for building a mature cybersecurity program, and when and how to involve the board. See also “Lessons From the Equifax Breach on How to Bolster Incident Response Planning (Part One of Two)” (Sep. 27, 2017); Part Two (Oct. 11, 2017).

  • From Vol. 4 No.43 (Dec. 19, 2018)

    Ten Steps for Effective Crisis Communications

    Following a cyber incident, companies face substantial reputational and financial harm, and poorly handled communication can magnify the problem. Controlling the message is essential not just for preserving the brand’s reputation, but also for properly handling the investigation, meeting regulatory obligations and responding to the breach as effectively as possible. The Cybersecurity Law Report has distilled valuable advice into ten specific actions to ensure effective communication. See also “Cyber Crisis Communication Plans: What Works and What to Avoid (Part One of Two)” (Jun. 14, 2017); Part Two (Jun. 28, 2017).

  • From Vol. 4 No.41 (Dec. 5, 2018)

    Tips from EY’s Forensics Team on Recognizing and Preventing BEC Attacks

    While headlines often feature enormous data breaches and large-scale infrastructure attacks through malware such as ransomware, another kind of cyber attack has been on the rise – sophisticated instances of social engineering known as business email compromise. In this article, we cover the trends and preventative measures for BEC attacks that were discussed by three members of EY’s Forensic & Integrity Services team at a recent webinar. “What we’re seeing in general around cyber attacks is that cyber criminals have moved away from targeting infrastructure alone,” said U.K. partner Ryan Rubin. “They’ve been very successful in targeting individuals and people within organizations. We suspect this might be the number one type of attack in 2018 that people will refer back to, rather than very complex cyberattacks that we also do see in the news.” See also “Multimillion-Dollar Scheme Serves As Backdrop for Lessons on Preventing and Mitigating Phishing Attacks” (Apr. 5, 2017).

  • From Vol. 4 No.36 (Oct. 31, 2018)

    How to Comply With Canada’s New Privacy Breach Reporting and Record-Keeping Rules

    As of November 1, 2018, organizations subject to Canadian privacy law must comply with important new rules in relation to breaches. These rules will present new costs, risks and challenges for organizations and additional liability, reputational and regulatory exposures. In this guest article, the chair of Fasken’s privacy and cybersecurity group, Alex Cameron, provides an analysis of the new rules; practical compliance considerations, including a review of key guidance issued on October 29 by the Office of the Privacy Commissioner of Canada; and insight on how the new rules affect organizations based outside of Canada and interact with other laws. See also “Analyzing New and Amended State Breach Notification Laws” (Jun. 6, 2018).

  • From Vol. 4 No.34 (Oct. 17, 2018)

    Using Cyber Insurance to Mitigate Risk: Policy Management and Breach Response

    Cyber liability insurance is designed to cover many of the losses that may result from a cyber attack on a business’ assets, but companies need to understand how to properly navigate the waters pre- and post-breach to maximize the benefits cyber insurance can provide. In this final installment of our three-part series on cyber insurance as a risk-management tool, we cover how to take advantage of an insurer’s pre-incident services and steps to take to achieve the best coverage and breach response results. Part one reviewed the current insurance landscape, addressed how to find the right insurer and included actionable advice on navigating the application process. The second part examined the cost of a policy and how much coverage is necessary, and provided insight on how companies can be more savvy about having the right terms in place. See also “Lessons From the Equifax Breach on How to Bolster Incident Response Planning (Part One of Two)” (Sep. 27, 2017); Part Two (Oct. 11, 2017).

  • From Vol. 4 No.31 (Sep. 26, 2018)

    Five Takeaways From the Fiserv Wake-Up Call

    A software vulnerability recently identified at Fiserv served as another wake-up call for the financial industry that the security practices of third parties handling customer information are just as vital as measures taken in-house. Experts agree that outsourcing certain tasks remains efficient and effective, but have emphasized the importance of using bug bounty programs and effective vendor vetting and oversight. We provide five takeaways from the Fiserv vulnerability discovery with insight from both technical and legal experts. See also “How to Maintain Effective and Secure Long-Term Vendor Relationships: Understanding the Risks (Part One of Two)” (Jun. 20, 2018); Part Two (Jun. 27, 2018).

  • From Vol. 4 No.30 (Sep. 19, 2018)

    Evolving Roles of Privacy and Security Professionals: Operationalizing Policies, Incident Response and Vendor Management

    Clear policies and effective collaboration go a long way toward improving security and privacy efforts across an enterprise. In this three-part series, current and former privacy and security leaders share their insights on how the CPO and CISO can effectuate these practices and protect their organizations. This final installment covers policy ownership and ideal implementation, and includes advice on effective collaboration when preparing for and responding to incidents and when assessing and contracting with third parties. Part two discussed effective governance, including reporting structure and the relationship with the board. Part one addressed how the skills necessary for each function have changed, how to combat ongoing challenges and whether companies should consider a convergence of the roles.

  • From Vol. 4 No.22 (Jul. 25, 2018)

    Companies Face Increasing Cost of a Data Breach and an Inability to Detect Incidents Promptly, Surveys Show

    Two recent surveys, one by IBM and the Ponemon Institute showing that the average total cost of a data breach is $3.86 million, and the second by Marsh & McLennan Agency revealing that most organizations do not know how to measure the cyber risk they face, seem to demonstrate a collective corporate sense of false security in an organization’s ability to handle a cyber incident. Seventy-eight percent of respondents to the MMA survey were fairly to highly confident their organization would be able to manage and respond to a cyber attack, but the IBM/Ponemon survey found it takes almost six months to identify an incident. The Cybersecurity Law Report takes a closer look at the results of these surveys and what they reveal about risk awareness and, perhaps, a certain measure of corporate torpor in addressing the likelihood of a data breach. See “Pillars of Effective Breach Detection, Response and Remediation” (Apr. 25, 2018).

  • From Vol. 4 No.17 (Jun. 20, 2018)

    Managing Cyber Investigations: A CISO and In-House Counsel Discuss Best Practices for Real-Life Scenarios

    Lawyers are increasingly on the front lines of responding to significant cyber incidents. At a recent Georgetown Cybersecurity Law Institute conference, panelists from three global companies discussed best practices and practical tips for attorneys managing a cyber investigation. Moderator Kimberly Peretti, a partner at Alston & Bird, presented three real-life scenarios to Wyndham Worldwide’s chief compliance officer, chief counsel for cybersecurity and privacy at SAIC and the CISO at Cvent, a global meetings and events technology software company. Their recommendations included planning ahead, creating and practicing robust incident response plans and fostering a strong relationship between legal and information security teams. See our three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).

  • From Vol. 4 No.15 (Jun. 6, 2018)

    Analyzing New and Amended State Breach Notification Laws

    With the recent adoption of statutes by Alabama and South Dakota this year, all 50 states have breach notification laws integrating notification procedures. Arizona, Colorado and Oregon have also recently revised and strengthened their existing data breach notification laws. This article details the provisions of the new statutes and amendments, with insights from McGuireWoods partner Janet P. Peyton. See “Synthesizing Breach Notification Laws in the U.S. and Across the Globe” (Mar. 2, 2016).

  • From Vol. 4 No.9 (Apr. 25, 2018)

    Pillars of Effective Breach Detection, Response and Remediation

    Should board members participate in testing incident response plans? At Skytop’s recent Cyber Risk Governance conference, panelists were divided on this question and others related to breach detection, response and remediation. The Cybersecurity Law Report’s Senior Editor Jill Abitbol moderated the panel, “Detection, Response and Remediation: The Pillars of Effective Cyber Breach Response,” which featured Richard Buchband, senior vice president, general counsel and secretary of ManpowerGroup Inc.; Mark Clancy, CTO of Emergynt and founder of Cyber Risk Research; Karen Morris, an independent consultant; and Justin Fier, director for cyber intel and analysis at DarkTrace. See also “Goodbye to the Blame Game: Forging the Connection Between Companies and Law Enforcement in Incident Response” (Apr. 19, 2017).

  • From Vol. 4 No.8 (Apr. 18, 2018)

    When and How Legal and Information Security Should Engage on Cyber Strategy: Vendors and M&A (Part Three of Three)

    Effective cybersecurity strategy requires the legal and security functions to work together when assessing third parties, either in the context of hiring a vendor or merging with or acquiring a new company. “I don’t think they’re coordinating very well,” Akin partner Michelle Reed told The Cybersecurity Law Report. With insight from Reed and technical experts, this third installment of our three-part series on when and how legal and security professionals should be communicating to build strong working relationships for a robust cybersecurity and data privacy program tackles coordination between the two teams on vendor assessments, M&A due diligence and combatting insider threats. Part two examined how both teams can coordinate on incident response and to assess risk and privacy impact. Part one covered how to structure corporate governance for optimal collaboration between these two groups. See also “Effective M&A Contract Drafting and Internal Cyber Diligence and Disclosure” (Dec. 20, 2017) and “Mitigating Cyber Risk in M&A Deals and Third-Party Relationships” (Jul. 6, 2016).

  • From Vol. 4 No.8 (Apr. 18, 2018)

    Ten Common Post-Breach Public Relations Failures and How to Avoid Them

    In the heated aftermath of a breach, organizations are susceptible to making PR mistakes that can have substantial and lasting negative impacts on the company’s reputation and customer relations. At IAPP’s Global Privacy Summit 2018, Tanya Forsheit, a partner at Frankfurt Kurnit Klein & Selz, and Siobhan Gorman, a partner at the Brunswick Group, highlighted ten common and specific post-breach PR mistakes and lessons that can be learned from them. For more from Forsheit, see “The GDPR’s Data Subject Rights and Why They Matter” (Feb. 28, 2018). For more from Gorman, see “Cyber Crisis Communication Plans: What Works and What to Avoid (Part One of Two)” (Jun. 14, 2017); Part Two (Jun. 28, 2017).

  • From Vol. 4 No.7 (Apr. 11, 2018)

    When and How Legal and Information Security Should Engage on Cyber Strategy: Assessments and Incident Response (Part Two of Three)

    As regulators increasingly blend privacy and security issues, privacy officers and CISOs need to interact frequently to develop a healthy relationship for effective protection of key data. Our three-part series offers legal and technical expert advice on when and how these professionals should be communicating to build a strong working relationship for robust cybersecurity and data privacy programs. This second part examines how both teams can coordinate on incident response and for risk and privacy impact assessments. Part one covered how to structure corporate governance for optimal collaboration between these two groups. Part three will tackle coordination between legal and security on vendor assessments and in the M&A context. See “How Cyber Stakeholders Can Speak the Same Language (Part One of Two),” (Jul. 20, 2016); Part Two (Aug. 3, 2016).

  • From Vol. 4 No.5 (Mar. 14, 2018)

    Identifying and Preparing for Ransomware Threats (Part Two of Two)

    Ransomware response will depend on the risk tolerance of an organization, and companies should have comprehensive yet flexible response plans in place suited to their needs. This second installment of our two-part series on ransomware offers insights from technical and legal experts on effective response measures, including bringing in the experts to understand what happened and why, and whether to pay a ransom. It will also look at how cryptocurrency is changing the ransomware landscape. Part one covered the current methods of attack and their risks as well as prevention techniques and advance planning. See “Defending Against the Rising Threat of Ransomware in the Wake of WannaCry” (May 31, 2017).

  • From Vol. 4 No.4 (Feb. 28, 2018)

    Identifying and Preparing for Ransomware Threats (Part One of Two)

    With easy-to-use ransomware toolkits hitting the cybercrime market and more sophisticated hackers using novel attack strategies, companies should have a firm grasp of the current risks of ransomware and the measures they can take to proactively mitigate those risks. They also need to create an effective, comprehensive response plan if attacked. In this two-part article series, legal and technical experts share their insights on how to prepare for ransomware threats with effective cyber hygiene and planning. This first part covers the current methods of attack and their risks as well as prevention techniques and how to be prepared for the inevitability of one of these attacks. Part two will address effective response measures including bringing in the experts to understand what happened and why, and whether to pay a ransom. It will also look at how cryptocurrency is changing the landscape. See “Defending Against the Rising Threat of Ransomware in the Wake of WannaCry” (May 31, 2017).

  • From Vol. 4 No.4 (Feb. 28, 2018)

    Financial Firms Must Supervise Their IT Providers to Avoid CFTC Enforcement Action

    The CFTC recently announced a settlement with futures firm AMP Global Clearing LLC (AMP), which had tens of thousands of client records compromised after its IT vendor unknowingly installed a backup drive on AMP’s network that included an unsecured port. The settlement order requires AMP to cease and desist from future violations, pay a civil penalty of $100,000 and report to the CFTC for the next year on its efforts to improve its digital security. “As this case shows, the CFTC will work hard to ensure regulated entities live up to that responsibility, which has taken on increasing importance as cyber threats extend across our financial system,” said CFTC Director of Enforcement James McDonald. In particular, it is a reminder of the importance of monitoring third-party service providers. In this article, we analyze the case and relevant remedial steps AMP agreed to take. For more from the CFTC, see “Virtual Currencies Present Significant Risk and Opportunity, Demanding Focus From Regulators, According to CFTC Chair” (Feb. 14, 2018).

  • From Vol. 4 No.1 (Jan. 17, 2018)

    A Practical Look at the GDPR’s Data Breach Notification Provision

    The E.U. General Data Protection Regulation introduces specific breach notification obligations for data controllers and processors. To help covered entities better understand when notification is required and what processes they should have in place in order to meet their obligations, the Article 29 Working Party issued Guidelines on Personal Data Breach Notification at the end of 2017. In this article, with advice and perspective from a former Special Agent with the FBI’s Cyber Division and current head of Nardello & Co.’s digital investigations and cybersecurity practice, we cover key concepts of the WP29 guidance, processes organizations should have in place to comply with the GDPR’s breach notification provisions, and strategies to balance global notification requirements. We also look at the GDPR’s overall effectiveness in addressing cyber risk. See also “Five Months Until GDPR Enforcement: Addressing Tricky Questions and Answers” (Dec. 20, 2017).

  • From Vol. 4 No.1 (Jan. 17, 2018)

    NIST Program Manager Explains Pending Changes to Its Cybersecurity Framework

    The NIST Cybersecurity Framework has become a key reference and guide for many organizations’ security efforts, and NIST has published pending revisions that are not an “overhaul” but provide additions, advancements and clarifications. Matthew Barrett, NIST’s cybersecurity framework program manager, recently presented an overview of the original Framework and its companion Roadmap and explained the pending changes to both. Organizations should become familiar with the changes and review their current practices to determine if their own practices require updating. See also “Demystifying the FTC’s Reasonableness Requirement in the Context of the NIST Cybersecurity Framework (Part One of Two)” (Oct. 19, 2016); Part Two (Nov. 2, 2016).

  • From Vol. 3 No.20 (Oct. 11, 2017)

    Lessons From the Equifax Breach on How to Bolster Incident Response Planning (Part Two of Two)

    After a vulnerability that allowed hackers to access the sensitive personal data of an estimated 145.5 million individuals, Equifax is now facing numerous class actions along with multiple regulatory actions and investigations. “The facts as we see them raise the question of how well and whether Equifax tested the mega-breach scenario,” Mintz Levin partner Cynthia Larose told The Cybersecurity Law Report. In this second installment of our two-part series on incident response lessons from Equifax’s fallout, we provide experts’ top ten tips on ensuring a plan is efficient and effective. We also address the roles and responsibilities of key incident response stakeholders. In part one, we looked at Equifax’s mistakes and heard from experts on essential components of incident response planning and how to bolster those plans. See also our three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).

  • From Vol. 3 No.19 (Sep. 27, 2017)

    Lessons From the Equifax Breach on How to Bolster Incident Response Planning (Part One of Two)

    While it is now fairly common practice for organizations to have a formalized incident response plan, many organizations fail to test those plans, leaving them susceptible to unanticipated problems. Credit reporting agency Equifax learned this lesson the hard way when it was hit by a cyber attack that exposed the addresses, Social Security numbers and financial information of 143 million customers. The breach has also led to over 20 class actions filed to date, at least one AG action filed thus far (with pending investigations by other AG offices and the FTC), and the departures of the CSO, CIO and the CEO. Other companies can learn from this fallout. In this first installment of our two-part series on incident response lessons from Equifax, we hear from experts on key components of incident response planning and how to bolster those plans by learning from Equifax’s mistakes. Part two will provide expert tips on ensuring an incident response plan is efficient and effective and will address key stakeholders and their roles and responsibilities. See also our three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).

  • From Vol. 3 No.14 (Jul. 12, 2017)

    A Discussion With eHarmony’s GC About the Role of In-House Counsel in Cybersecurity

    The general counsel plays a critical role in a company’s cybersecurity, especially in high-profile events, as the blame the Yahoo GC shouldered in the 2014 breach revealed. The GC must have the necessary authority to ensure the company develops appropriate proactive measures and must be able to take a leadership position after an event has occurred. Ronald Sarian, vice president and general counsel of eHarmony, spoke with The Cybersecurity Law Report about how the GC can obtain and exercise his or her authority, and his own efforts to develop incident response plans, training, communication and escalation protocols. He also discussed how he built a strong relationship with the company’s technical teams, what he learned from the 2012 cyber attack on eHarmony and what in-house counsel can learn from the DLA Piper breach. See also “Strategies for In-House Counsel Responsible for Privacy and Data Security” (Feb. 22, 2017) and “Increasing Role of Counsel Among Operational Shifts Highlighted by Cyber Risk Management Survey” (Nov. 16, 2016).

  • From Vol. 3 No.14 (Jul. 12, 2017)

    How Small Businesses Can Maximize Cybersecurity Protections and Prioritize Their Spending

    While surviving as a small or medium-sized business is challenging enough, the realization that the company could fail if it suffers a cyber attack adds another measure of stress. Knowing where to start and obtaining and allocating the right resources are key to ensuring adequate cybersecurity. Panelists at the recent Georgetown Cybersecurity Law Institute discussed ways that small and medium-sized businesses can take meaningful cybersecurity steps given their limited budgets and, in some cases, expertise. See “Using a Risk Assessment as a Critical Component of a Robust Cybersecurity Program (Part One of Two)” (Nov. 16, 2016); Part Two (Nov. 30, 2016).

  • From Vol. 3 No.13 (Jun. 28, 2017)

    Cyber Crisis Communication Plans: What Works and What to Avoid (Part Two of Two)

    Even a small cyber incident can erupt into a major high-profile event depending on whether and how it becomes public. Because of the damaging effects press coverage can have, companies should be prepared with a thorough communications plan that contemplates more than just technical answers. In this second installment of our two-part article series on cyber crisis communication plans, experts offer advice on strategies for handling external communications to the media, regulators and other stakeholders, including specific questions companies might face; how to control and coordinate with a third-party vendor; and how to overcome common pitfalls and challenges. Part one covered key stakeholders and their roles, crucial playbook components and the benefits of planning ahead, and how to approach internal communications during a cyber crisis event. See also our three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).

  • From Vol. 3 No.12 (Jun. 14, 2017)

    Cyber Crisis Communication Plans: What Works and What to Avoid (Part One of Two)

    Not every cyber incident results in a far-reaching compromise or disclosure of personal or confidential information, but even a small incident can erupt into a major high-profile cyber event depending on whether and how it becomes public. The publicity surrounding these events can render them more serious than the technical problem itself and raises the stakes on how companies respond. Because of the damaging effects press coverage can have, companies should be prepared with a thorough communications plan that contemplates more than just technical answers, experts told us. This first installment of our two-part series on breach communication plans discusses identifying key stakeholders and their roles, key playbook components and the benefits of advance planning, and offers advice on how to approach internal communications during a cyber crisis event. Part two will cover how to control and coordinate with a third-party vendor, strategies for handling external communications to the media, regulators and other stakeholders, and how to overcome common pitfalls and challenges. See also our three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).

  • From Vol. 3 No.11 (May 31, 2017)

    Reacting Quickly With a Nimble Incident Response Plan

    With constantly evolving cyber threats, a flexible response plan is crucial to direct the quick action that should follow a data security incident. Kim Peretti, co-chair of Alston & Bird’s cybersecurity preparedness and response team, discussed with The Cybersecurity Law Report ways to ensure a company is ready to effectively react in real time to whatever attack it is facing. This includes recognizing various plan triggers and clearly outlining responsibilities. See also our three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).

  • From Vol. 3 No.10 (May 17, 2017)

    Investigative Realities: Working Effectively With Forensic Firms (Part Two of Two)

    Lawyers and forensic investigators must work together when investigating breaches, but the differences in their outlook and approach can sometimes make that difficult. In a two-part guest article series, Stephen Surdu, a senior advisor at Covington, and Jennifer Martin, of counsel at Covington, provide insight into how forensic teams work during the investigative process and how to make the process smoother and more effective. This second part addresses how to work with forensic teams when documenting and otherwise communicating findings, and during the remediation process. The first installment addressed investigative realities and how attorneys and forensic investigators can gain an understanding of each other’s perspectives and preemptively discuss any potential issues to be in the best position to address them efficiently during an investigation. See also our three-part series on forensic firms: “Understanding and Leveraging Their Expertise From the Start” (Feb. 22, 2017); “Key Contract Considerations and Terms” (Mar. 8, 2017); and “Effective Vetting and Collaboration” (Mar. 22, 2017).

  • From Vol. 3 No.7 (Apr. 5, 2017)

    Data Preservation and Collection During a Government Data Breach Investigation

    When a government is investigating a data breach, the affected company must trigger its incident response plan – and it must know when and how to preserve and collect relevant data. A recent PLI program offered insights on incident response plans as well as best practices for the legal hold process, data collection and communicating with regulators. The panel featured outside attorneys and accountants as well as in-house experts from Hilltop Securities Inc., JPMorgan Chase & Co. and UBS AG. See also “Top Private Practitioners and Public Officials Detail Hot Topics in Cybersecurity and Best Practices for Government Investigations” (May 6, 2015).

  • From Vol. 3 No.6 (Mar. 22, 2017)

    Forensic Firms: Effective Vetting and Collaboration (Part Three of Three)

    Because a forensic investigation by a security firm often drives the critical path of incident response, companies are best positioned to respond quickly and effectively to potential incidents by identifying and onboarding a security firm before an incident arises. With a myriad of firms from which to choose, not only must a company carefully select the right one, but both sides must communicate effectively to build a trusting relationship. With advice from in-house and outside cybersecurity counsel as well as forensic and security experts, our three-part article series on forensic firms addresses these and other considerations. This third installment provides advice on evaluating the forensic firm to determine if it has the right expertise and how to communicate and collaborate with these experts once they are brought on board. Part two examined contract considerations, key terms and what companies should expect in deliverables. Part one explained the expertise of forensic firms, why they are used, and their role before and after an incident. See also “Key Strategies to Manage the First 72 Hours Following an Incident” (Feb. 8, 2017).

  • From Vol. 3 No.5 (Mar. 8, 2017)

    Forensic Firms: Key Contract Considerations and Terms (Part Two of Three)

    Companies are increasingly turning to outside forensic firms for assistance with both proactive cybersecurity measures as well as incident response. To optimize the relationship, companies must carefully choose a firm, negotiate the right contract terms, and effectively collaborate with the chosen forensic service provider. With advice from in-house and outside cybersecurity counsel as well as forensic and security experts, our three-part article series on forensic firms addresses these considerations. This second part examines contract considerations, key terms and what companies should expect in deliverables. Part one explained the expertise of forensic firms, why they are used, and their role before and after an incident. Part three will provide advice on evaluating the forensic firm to determine if it has the right expertise and how to communicate and collaborate with these experts once they are brought on board. See also “Key Strategies to Manage the First 72 Hours Following an Incident” (Feb. 8, 2017).

  • From Vol. 3 No.5 (Mar. 8, 2017)

    A Real-Life Scenario Offers Lessons on How to Handle a Breach From the Inside

    Picture this data breach scenario: A company’s customers discover that their online account details have changed. They later realize that their bank account details had also been changed, and refunds due to them were fraudulently transferred to another bank account. What is the best way to proceed with the investigation, especially after law enforcement’s trail has gone cold? How can the company enhance its cybersecurity going forward? This scenario, which involved an employee stealing data, was analyzed in the 2017 Verizon Data Breach Report. We discuss how the company handled the scenario and the lessons it learned, with input from BDO managing director Eric Chuang. See “Strategies for Preventing and Handling Cybersecurity Threats From Employees” (Apr. 8, 2015).

    Read Full Article …
  • From Vol. 3 No.5 (Mar. 8, 2017)

    Defense and Plaintiff Perspectives on How to Survive Data Privacy Collateral Litigation

    While the risks of data privacy and data breach litigation are substantial, the legal standards are in flux and may depend on the court and jurisdiction in which the case lies. Lawyers are struggling to keep up, with courts issuing potentially disruptive decisions on a near-monthly basis. During a recent PLI panel, plaintiffs’ lawyer Daniel Girard of Girard Gibbs, discussed the evolving landscape and its strategic implications with Robert Herrington, a Greenberg Traurig shareholder. The types of successful data privacy cases are shifting and each stage of litigation presents companies with strategic choices. The contrasting perspectives provide guidance to both plaintiffs and defendants as they weigh such choices throughout collateral data breach litigation. See also “Minimizing Class Action Risk in Breach Response” (Jun. 8, 2016).

    Read Full Article …
  • From Vol. 3 No.4 (Feb. 22, 2017)

    Forensic Firms: Understanding and Leveraging Their Expertise From the Start (Part One of Three)

    After a company discovers a cybersecurity incident, it must understand exactly what happened and how it happened. That means bringing in the experts. The number of forensic firms from which companies can choose has grown along with the number and size of cyber breaches. How can companies evaluate the firms? What should be included in the contract? What should companies expect from these firms? How can they best collaborate with them for an effective and efficient investigation? With input from in-house and outside cybersecurity counsel as well as forensic and security experts, our three-part article series provides answers to these vital questions and others. This first part explains the expertise of forensic firms, why they are used, and their role before and after an incident. Part two will examine contract considerations, key terms and what companies can and should expect in deliverables. Part three will provide advice on how to evaluate the forensic firm to determine if it has the right expertise and how to communicate and work with these experts once they are brought on board. See also “Key Strategies to Manage the First 72 Hours Following an Incident” (Feb. 8, 2017).

    Read Full Article …
  • From Vol. 3 No.3 (Feb. 8, 2017)

    Key Strategies to Manage the First 72 Hours Following an Incident

    As soon as a company has identified an incident, things suddenly start to move fast and the situation can spiral out of control. Questions need to be answered. Is it a breach? What is the next step? Mishandling that first 72 hours after an incident is detected may have significant ramifications for the company’s bottom line. At the recent IAPP Practical Privacy Series conference, Seth Harrington, a partner at Ropes & Gray, and Brian Lapidus, Kroll’s managing director of identity theft and breach notification, covered the most important actions to take and the mistakes that could be made during this crucial time period. See also “How to Avoid Common Mistakes and Manage the First 48 Hours Post-Breach” (Jun. 22, 2016).

    Read Full Article …
  • From Vol. 3 No.1 (Jan. 11, 2017)

    Ten Cybersecurity Priorities for 2017

    Even companies that have mature information security practices in place must exercise constant vigilance by reevaluating their needs and improving their approaches. The Cybersecurity Law Report spoke with several experts to find out what companies should be focusing on and how they should allocate time and resources when setting cybersecurity priorities for 2017. In this article, we outline the resulting top ten cybersecurity action items for companies to tackle to ensure a more secure new year. See also “Cybersecurity Preparedness Is Now a Business Requirement” (Feb. 17, 2016).

    Read Full Article …
  • From Vol. 2 No.23 (Nov. 16, 2016)

    Increasing Role of Counsel Among Operational Shifts Highlighted by Cyber Risk Management Survey

    As companies become more aware of the complexities of cyber risk, they are approaching not only preventative measures more collaboratively, but also risk management and insurance selection. A recent survey conducted by Advisen and Zurich North America shows operational shifts, including the increasing cooperation between IT and risk management, a heightened role for counsel and boards, as well as more reliance on external resources for post-breach efforts. The survey also reveals that the process of determining the right insurance coverage is becoming part of this collaborative security effort. “Insurance in the cyber realm is not merely an instrument for transferring risk. Even the process of obtaining the insurance is viewed as a catalyst for driving and elevating enterprise-wide cybersecurity risk management,” Roberta Anderson, K&L Gates partner, told The Cybersecurity Law Report. See also “Building a Strong Cyber Insurance Policy to Weather the Potential Storm” Part One (Nov. 25, 2015); Part Two (Dec. 9, 2015).

    Read Full Article …
  • From Vol. 2 No.20 (Oct. 5, 2016)

    Learning From Experience: Five Actions to Take and Five Mistakes to Avoid When Testing a Breach Response Plan 

    Cybersecurity has been an increasing corporate concern for years now and, as a result, most sophisticated entities have at least some form of an incident response plan in place. However, plans are unlikely to be worth the paper they are printed on (or the space they take up on a hard drive) if companies do not test those plans so that key incident response personnel understand the roles they will play, and the decisions they will face, in responding to an actual security incident. In a guest article, experienced tabletop exercise facilitators Kim Peretti and Lou Denning, Alston & Bird partner and associate respectively, explain why it is critical for companies to test their plans using a simulated incident in a comfortable environment to see where improvements can be made before a real breach hits. They detail five key elements to consider and five pitfalls to avoid when testing a response plan. See also The Cybersecurity Law Report’s three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).

    Read Full Article …
  • From Vol. 2 No.19 (Sep. 21, 2016)

    Seven Overlooked Business Costs of a Cyber Breach and Strategies for Avoiding Them

    It is no surprise that a breach can have substantial repercussions for a company. However, Deloitte has found that the extent and the duration of those impacts are greater than even experts anticipated. Its recent study highlights both well-known and less expected breach impacts, such as an increased cost to raise debt in capital markets and devaluation of trade names. Some of these effects can linger for years. We examine seven subtle but significant breach impacts – painting a complete picture of where companies “actually feel pain,” a Deloitte principal told us – and how to lessen those impacts. See also “Picking up the Pieces After a Cyber Attack and Understanding Sources of Liability” (Apr. 13, 2016).

    Read Full Article …
  • From Vol. 2 No.18 (Sep. 7, 2016)

    Survey Reveals What Keeps Consumers Away From Connectivity and How to Address Their Concerns 

    For companies that collect personal information, a breach may cause already wary consumers to choose other options for those products and services. The results of the KPMG Barometer Report illustrate these realities, and, focusing on the technology, retail, financial services and automotive industries, the Report suggests ways companies can improve cybersecurity preparedness. The Report also cites specific actions companies should take following an incident to raise consumer confidence and retain their customers. These actions are all the more important as consumers become “less forgiving. They have expectations that companies will take due care to provide robust security and privacy protections and are becoming more likely to vote with their wallet when those expectations are not met,” Greg Bell, the U.S. leader of KPMG Cyber, told The Cybersecurity Law Report. See also “How to Avoid Common Mistakes and Manage the First 48 Hours Post-Breach” (Jun. 22, 2016).

    Read Full Article …
  • From Vol. 2 No.16 (Aug. 3, 2016)

    How Cyber Stakeholders Can Speak the Same Language (Part Two of Two)

    The way cybersecurity terminology is used can significantly affect how a cyber event is handled. Differences in the training and background of certain cybersecurity stakeholders, particularly technical and legal teams, however, may lead to inconsistent use of important terms in the context of security breaches and protocols. This second article of a two-part series highlights ten of the most frequently misunderstood cybersecurity terms, and provides insight on their meanings and implications from both legal and security experts. Part one of the series examined how to overcome cybersecurity stakeholder communication challenges and detailed six strategies for better interaction. See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)” (Jul. 1, 2015); Part Two (Jul. 15, 2015).

    Read Full Article …
  • From Vol. 2 No.15 (Jul. 20, 2016)

    How Cyber Stakeholders Can Speak the Same Language (Part One of Two)

    In the areas of cybersecurity and data privacy, a company’s attorneys and technical teams must work together closely. The two groups often have different approaches, however, and may not speak the same language when it comes to handling security breaches and protocols. Commonly used terms can be used inconsistently, and their implications misunderstood. In this first article of a two-part series, attorneys and consultants with different perspectives share advice with The Cybersecurity Law Report on the importance of clear communication between key stakeholders. They also examine the different approaches to cybersecurity and detail six strategies for overcoming communication challenges. Part two of the series will explore frequently misunderstood cybersecurity terms and their meanings. See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)” (Jul. 1, 2015); Part Two (Jul. 15, 2015).

    Read Full Article …
  • From Vol. 2 No.14 (Jul. 6, 2016)

    Law Enforcement on Cybersecurity Matters: Corporate Friend or Foe? (Part Two of Two)

    With a mission to identify the perpetrator and to build a prosecutable case, law enforcement can help a company facing a cybersecurity incident. Working with law enforcement, however, often presents challenges for the company and its counsel. Preparation prior to the interaction can offer a smoother road. This second article in our two-part series provides expert insight on interacting with law enforcement when there has been a breach, including advice regarding the first call, the controls companies should have in place and the type of information law enforcement really needs. Part one covered concerns that arise when dealing with law enforcement officials, benefits of coordination and recommendations for when and how to establish a successful relationship with them. See also “Google, CVS and the FBI Share Advice on Interacting With Law Enforcement After a Breach” (May 11, 2016).

    Read Full Article …
  • From Vol. 2 No.13 (Jun. 22, 2016)

    How to Avoid Common Mistakes and Manage the First 48 Hours Post-Breach

    Companies must make a myriad of decisions in the first 48 hours after a breach that will impact the rest of the breach investigation. At the recent Georgetown Cybersecurity Law Institute, a panel of outside and in-house counsel and a forensic investigator shared their advice about breach response, including a “quick start” guide, the common mistakes they see companies make during the initial response, what outside counsel will ask when they are contacted about a breach, what to look for (and what to beware of) when choosing a forensic team, how to preserve privilege throughout the investigation, and how to know when to stop looking for the hacker. See also “A Guide to Developing and Implementing a Successful Cyber Incident Response Plan: From Data Mapping to Evaluation”: Part One (Apr. 27, 2016), Part Two (May 11, 2016), Part Three (May 25, 2016).

    Read Full Article …
  • From Vol. 2 No.12 (Jun. 8, 2016)

    Minimizing Class Action Risk in Breach Response

    Cybersecurity programs today must take into consideration the risk of class action litigation and include measures to mitigate those risks. David Lashway, a partner and global cybersecurity practice lead at Baker & McKenzie, spoke with The Cybersecurity Law Report in advance of ALM’s Mid-Year Cybersecurity and Data Protection Legal Summit on June 15, 2016, at the Harvard Club in New York City, where he will participate as a panelist. An event discount code is available to CSLR readers inside the article. In our interview, Lashway addresses mitigating litigation risk following a data security incident, takeaways from recent cases such as Target and Sony and class action litigation trends. See also “Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation”: Part One (Nov. 25, 2015); Part Two (Dec. 9, 2015).

    Read Full Article …
  • From Vol. 2 No.12 (Jun. 8, 2016)

    Vendor Cyber Risk Management: 14 Key Contract Terms (Part Two of Two)

    Actions by third-party vendors with access to a company’s data are the cause of some of the most damaging breaches. Carefully vetting and monitoring those vendors is crucial to a strong cybersecurity program. At a recent panel at IAPP’s Global Privacy Summit, counsel from Under Armour, AOL and Unisys provided practical guidance on how to implement a comprehensive vendor management program. This article, the second installment in our coverage of the panel, includes fourteen key cybersecurity provisions to include in vendor contracts and the panelists’ strategies for monitoring the vendor relationship and for effective breach response. The first article in our series includes the panelists’ discussion of nine questions to ask vendors during the due diligence process and factors to consider before contract negotiations. See also “Learning From the Target Data Breach About Effective Third-Party Risk Management”: Part One (Sep. 16, 2015); Part Two (Sep. 30, 2015).

    Read Full Article …
  • From Vol. 2 No.11 (May 25, 2016)

    A Guide to Developing and Implementing a Successful Cyber Incident Response Plan: Does Your Plan Work? (Part Three of Three)

    Many companies recognize that an effective incident response plan can go a long way towards mitigating the consequences of cybersecurity incidents. However, they often make simple mistakes in implementing these plans, largely because they lack a comprehensive strategy to combat persistent cyber threats. In this final segment of our three-part series on the topic, we explore common deficiencies in response plans, challenges companies face when implementing a plan, how to use metrics to troubleshoot and advocate for plan resources, and estimated costs associated with investigating and remediating the inevitable breach. The article features exclusive and in-depth advice from a range of top experts, including consultants, in-house and outside counsel. Part two set forth seven key components of a robust incident response plan. Part one covered the types of incidents the plan should address, who should be involved and critical first steps to take in developing the plan, including references to sample plans and practical resources. See also “Minimizing Breach Damage When the Rubber Hits the Road” (Feb. 3, 2016).

    Read Full Article …
  • From Vol. 2 No.10 (May 11, 2016)

    A Guide to Developing and Implementing a Successful Cyber Incident Response Plan: Seven Key Components (Part Two of Three)

    Organizations today face an overwhelming volume, variety and complexity of cyber attacks. Regardless of the size of an enterprise or its industry, organizations must create and implement an incident response plan to effectively and confidently respond to the current and emerging cyber threats. In this second part of our three-part series on the topic, we examine the seven key components of a robust incident response plan, with exclusive and in-depth advice from a range of top experts, including consultants, in-house and outside counsel. Part one covered the types of incidents the plan should address, who should be involved and critical first steps to take in developing the plan, including references to sample plans and practical resources. Part three will explore implementation of the plan, evaluating its efficacy, pitfalls, challenges and costs. See also “Minimizing Breach Damage When the Rubber Hits the Road” (Feb. 3, 2016).

    Read Full Article …
  • From Vol. 2 No.10 (May 11, 2016)

    Google, CVS and the FBI Share Advice on Interacting With Law Enforcement After a Breach

    Among the many decisions companies must make following a cyber incident are whether, when and how to engage with law enforcement. At the recent FT Cyber Security Summit USA, experts from Google, CVS Health, the FBI and the Center for Strategic and International Studies gave their advice on interacting with the government, and discussed the responsibilities and priorities of the compliance and legal teams in the wake of an attack. See also “Picking up the Pieces After a Cyber Attack and Understanding Sources of Liability” (Apr. 13, 2016).

    Read Full Article …
  • From Vol. 2 No.9 (Apr. 27, 2016)

    A Guide to Developing and Implementing a Successful Cyber Incident Response Plan: From Data Mapping to Evaluation (Part One of Three)

    Many organizations are coming to terms with the troubling fact that they will fall victim to a cyber attack at some point, if they have not already. An effective incident response plan can be one of the best tools to mitigate the impact of an attack – it can limit damage, increase the confidence of external stakeholders and reduce recovery time and costs. The Cybersecurity Law Report spoke with a range of top experts, including consultants, in-house and outside counsel, who answered some of the tougher practical questions that are typically left unanswered in this area. They shared in-depth advice on the subject based on their own challenges and successes. In the first article of this three-part series, we cover what type of incident the plan should address, who should be involved and critical first steps to take in developing the plan, including references to sample plans and practical resources. Parts two and three will examine key components of the plan, implementation, evaluating its efficacy, pitfalls, challenges and costs. See also “Minimizing Breach Damage When the Rubber Hits the Road” (Feb. 3, 2016).

    Read Full Article …
  • From Vol. 2 No.8 (Apr. 13, 2016)

    Ten Steps to Minimize Data Privacy and Security Risk and Maximize Compliance

    Increasingly, general counsel, privacy officers and even CEOs are taking on more and more data privacy and security compliance burdens because of the significant legal implications of not just breaches, but failure to comply with a range of privacy and cybersecurity regulations. That applies to international transfers of data as well. In a guest article, Aaron Charfoos, Jonathan Feld and Stephen Tupper, members of Dykema, discuss recent global developments and ten ways companies can ensure compliance with new regulations to increase data security and minimize the risk of enforcement actions. See also “Liability Lessons From Data Breach Enforcement Actions” (Nov. 11, 2015).

    Read Full Article …
  • From Vol. 2 No.8 (Apr. 13, 2016)

    Picking up the Pieces After a Cyber Attack and Understanding Sources of Liability

    The expanding range of cyber threats companies face is forcing them to consider how best to anticipate, prevent and manage cyber attacks. In a recent PLI program, Brian E. Finch, a partner at Pillsbury Winthrop Shaw Pittman, discussed the changing landscape of cyber threats, sources of liability for a company and strategies to manage cybersecurity risk and related litigation, including a list of post-breach do’s and don’ts. See also “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?” (May 20, 2015).

    Read Full Article …
  • From Vol. 2 No.7 (Mar. 30, 2016)

    In-House and Outside Counsel Offer Strategies for Navigating the TCPA, Avoiding Litigation and Responding to Breaches

    How can in-house counsel better position their companies to prevent and manage class action lawsuits resulting from Telephone Consumer Protection Act (TCPA) violations and cybersecurity incidents? At a recent PLI program, Hilary E. Ware, vice president and associate general counsel, litigation and regulatory affairs, at Netflix, Inc.; Renée T. Lawson, vice president and deputy general counsel at Zynga, Inc.; and Monica S. Desai, a partner at Squire Patton Boggs, discussed TCPA best practices and potential pitfalls; how to get ahead of litigation risks; and strategies for managing privacy, security and TCPA class litigation. See also “What Companies Need to Know About the FCC’s Actions Against Unwanted Calls and Texts” (Jul. 1, 2015).

    Read Full Article …
  • From Vol. 2 No.5 (Mar. 2, 2016)

    Designing, Implementing and Assessing an Effective Employee Cybersecurity Training Program (Part Two of Three)

    Cyber threats, commonly attributed to outside malfeasance, often originate from within – employees’ negligence or lack of awareness can open the door for cyber criminals. Establishing an effective employee cybersecurity training program can go a long way in combating that threat. The process can be distilled into three phases: (1) designing the relevant policies and planning the best training approach, considering the type of company and universe of employees; (2) ensuring the necessary topics are covered effectively during the actual training sessions; and (3) following up after the training, including certification and evaluating the efficacy of the training. This three-part series will cover each of those phases, respectively. In this second part, outside counsel, consultants, and in-house experts provide insight on ten important topics to cover during training, as well as strategies for engaging employees and getting the message across. Part one provided advice for developing the proper program based on the company’s industry and types of employees. See also “Strategies for Preventing and Handling Cybersecurity Threats From Employees” (Apr. 8, 2015).

    Read Full Article …
  • From Vol. 2 No.4 (Feb. 17, 2016)

    Cybersecurity Preparedness Is Now a Business Requirement

    How can companies make cybersecurity preparedness an integral part of their business practices? During a recent panel at ALM’s cyberSecure event, JoAnn Carlton, general counsel and corporate secretary at Bank of America Merchant Services, Edward J. McAndrew, Assistant U.S. Attorney and Cybercrime Coordinator at the U.S. Attorney’s Office, and Mercedes Tunstall, a partner at Pillsbury, gave their perspectives on steps companies can take to enhance cybersecurity. They discussed how the evolving nature of cyber attacks requires evolving business models. Simply establishing an incident response plan is not enough: companies must build privacy preparedness across the organization and engage in a continuous cycle of planning and response to stay ahead of cyber threats. See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)” (Jul. 1, 2015); “The Challenge of Coordinating the Legal and Security Teams in the Current Cyber Landscape (Part Two)” (Jul. 15, 2015).

    Read Full Article …
  • From Vol. 2 No.3 (Feb. 3, 2016)

    How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part Two of Two) 

    Through engagement, risk assessment, and continual review of cybersecurity risks and solutions, directors can both mitigate their own liability as well as the data security and litigation risks threatening the company. Part two of our two-part series on the board’s critical role in cybersecurity and data privacy issues addresses: how the board can follow up on management presentations; steps it should take after a breach; recent post-breach derivative suit caselaw; and how the board, in-house counsel and management can ensure a strong defense to such derivative actions. Part one provided best practices for management and in-house counsel to educate the board and keep the directors updated on cyber-related issues. See also “The Multifaceted Role of In-House Counsel in Cybersecurity” (Dec. 9, 2015).

    Read Full Article …
  • From Vol. 2 No.3 (Feb. 3, 2016)

    Minimizing Breach Damage When the Rubber Hits the Road

    When a cybersecurity incident is discovered, a company’s first steps are crucial to minimize the damage. Kirk Nahra, a partner at Wiley Rein, gave candid, practical advice for breach response at the recent IAPP conference. He discussed, among other things, the importance of training employees about breach reporting; how the terms a company uses for a breach may come back to haunt them; when privilege should not be preserved; and how getting all of the healthcare providers and vendors in the country into the Dallas Cowboys’ stadium to streamline their contracts could save billions of dollars. See also “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?” (May 20, 2015).

    Read Full Article …
  • From Vol. 1 No.18 (Dec. 9, 2015)

    The Multifaceted Role of In-House Counsel in Cybersecurity 

    To effectively advise corporations on cybersecurity issues, in-house counsel must navigate myriad issues that can vary across industries, state and international jurisdictions as well as privacy and information security contexts.  A recent PLI program brought together privacy and information security counsel from various industries to share insights on the role of in-house counsel charged with securing business-critical and confidential data and technology.  They discussed the different responsibilities for data privacy and cybersecurity professionals, international data privacy and protection laws, and offered strategies for in-house counsel to prevent internal cybersecurity threats, develop breach prevention and response policies and handle vendors.  The panel was moderated by Lori E. Lesser, a partner at Simpson Thacher, and included top practitioners Rick Borden, chief privacy officer at the Depository Trust & Clearing Corporation; Nur-ul-Haq, U.S. privacy counsel at NBCUniversal Media; Michelle Ifill, senior vice president at Verizon and general counsel of Verizon Corporate Services; and Michelle Perez, assistant general counsel of privacy for Interpublic Group.  See “Analyzing and Complying with Cyber Law from Different Vantage Points (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 8 (Jul. 15, 2015); and Part Two, Vol. 1, No. 9 (Jul. 29, 2015).

    Read Full Article …
  • From Vol. 1 No.18 (Dec. 9, 2015)

    Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation (Part Two of Two)

    There are several steps companies can take before and after a data breach to best position themselves for the litigation likely to follow.  In this second installment of our coverage of a recent Mintz Levin webinar, partners Kevin McGinty and Mark Robinson explore best practices for internal investigations and common defenses in data breach class actions.  The first article featured insight from partner Meredith Leary on how companies can put themselves in the best position now to defend their actions post-breach and Robinson’s list of threshold questions that companies can ask themselves at the outset of a data breach internal investigation.

    Read Full Article …
  • From Vol. 1 No.17 (Nov. 25, 2015)

    Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation (Part One of Two)

    In addition to the direct consequences of a data security incident, many companies that suffer data breaches must face lawsuits.  In a recent webinar, Mintz Levin members Meredith Leary, Kevin McGinty and Mark Robinson discussed the various types of data security litigation and gave advice on how companies can best prepare for the likelihood of a lawsuit after a data breach.  This article, the first in a two-part series, features their insight on how companies can put themselves in the best position now to defend their actions later.  The panelists also identified threshold questions that companies can ask themselves during an internal investigation following a data breach.  In the second article, they further explore best practices for internal investigations and common defenses in data breach class actions.  See also “Liability Lessons from Data Breach Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 16 (Nov. 11, 2015).

    Read Full Article …
  • From Vol. 1 No.16 (Nov. 11, 2015)

    Target Privilege Decision Delivers Guidance for Post-Data Breach Internal Investigations

    In a ruling that may clarify how companies should conduct breach responses to preserve privilege, on October 23, 2015, a federal district court in Minnesota found that certain documents created during Target’s internal investigation of its 2013 payment card breach were protected by the attorney-client privilege and work product doctrine.  The Target case “is one of the first cases we are seeing in the data breach context where the privilege issue has been tested,” Michelle A. Kisloff, a partner at Hogan Lovells, said.  The Court’s denial of class plaintiffs’ motion to compel production of these documents recognized “that data breach victims have a legitimate need to perform an investigation in the aftermath of a breach in which communications are protected by the attorney-client privilege,” Michael Gottlieb, a partner at Boies, Schiller & Flexner, told The Cybersecurity Law Report.  See also “Preserving Privilege Before and After a Cybersecurity Incident (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 6 (Jun. 17, 2015); Part Two, Vol. 1, No. 7 (Jul. 1, 2015).

    Read Full Article …
  • From Vol. 1 No.16 (Nov. 11, 2015)

    What Companies Can Learn from Cybersecurity Resources in Pittsburgh

    Cyber crime is a serious threat – it cripples companies, damages economies, funds terrorism, launders drug money and bleeds the assets of individuals, according to the DOJ.  Often this cyber war is waged from shadows overseas (and often in the form of corporate cyber espionage).  Companies should be using a broad array of tools to prevent and mitigate the effect of international and domestic cyber crime, such as information sharing, sufficient cyber insurance as well as a thorough breach response plan that includes proper notification and preservation of evidence for future actions.  As K&L Gates attorneys Mark A. Rush and Joseph A. Valenti describe in a guest article, one place where law enforcement and the private sector have come together is Pittsburgh, where a string of major cyber crime cases has recently been prosecuted.  Developments there can serve as a model for cybersecurity measures across the country and across industries.  Rush and Valenti describe cybersecurity best practices before, during and after a breach, as well as some unique ways government officials as well as companies in Pittsburgh specifically are handling cyber crime.  See also “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).

    Read Full Article …
  • From Vol. 1 No.11 (Aug. 26, 2015)

    Meeting Expectations for SEC Disclosures of Cybersecurity Risks and Incidents (Part Two of Two)

    Public companies grapple with when and how to disclose the various cybersecurity risks they face and the incidents they experience in their SEC filings.  How much is enough to disclose to satisfy regulators and how much is too much – both to preserve reputations and avoid giving would-be hackers ammunition?  The first part of this two-part article series provided guidance on making appropriate disclosures to meet SEC and investor expectations.  This second part provides suggestions on risk themes to include in risk disclosures as well as examples of relevant disclosures made in the 10-K filings for The New York Times, Home Depot, Morgan Stanley and Target.  See also “The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

    Read Full Article …
  • From Vol. 1 No.10 (Aug. 12, 2015)

    Cybersecurity 2.0: The Role of Counsel in Addressing Destructive Cyberattacks

    Companies rightly pay attention to data exfiltration threats, but sometimes overlook the more serious threats of destructive attacks, David Fagan and Ashden Fein, partner and associate, respectively, at Covington & Burling, argue in this guest article.  They explain that the difference between data loss or theft (which may be viewed as “Cybersecurity 1.0”) and data and property destruction (“Cybersecurity 2.0”) is the difference between having your house robbed and having your house burned to the ground.  They detail the evolution of cyber threats and how counsel can help protect against these destructive cyberattacks that are aimed at harming a business, rather than directly benefiting the attacker.  See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 7 (Jul. 1, 2015); Part Two of Two, Vol. 1, No. 8 (Jul. 15, 2015).

    Read Full Article …
  • From Vol. 1 No.9 (Jul. 29, 2015)

    How to Prevent and Manage Ransomware Attacks (Part Two of Two)

    Even when companies take each recommended step to prevent a ransomware attack (such as properly training employees, backing up files, segregating data and limiting network access), a ransomware attack can still sneak through and, without a rapid, proper response, cause widespread damage.  This article, the second of a two-part series, addresses how to handle a ransomware attack, when and how to report the incident, and strategies for working with law enforcement.  The first article in the series explained the threat and provided steps that companies can take to prevent ransomware attacks and mitigate the impact if one does occur.  See also “Weil Gotshal Attorneys Advise on Key Ways to Anticipate and Counter Cyber Threats,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).

    Read Full Article …
  • From Vol. 1 No.8 (Jul. 15, 2015)

    The Challenge of Coordinating the Legal and Security Teams in the Current Cyber Landscape (Part Two of Two)

    Legal and security teams each play a crucial role in cybersecurity and data protection, but working together to understand the most pressing threats and shifting regulatory landscape can be challenging.  In this second article of our two-part series covering a recent panel at Practising Law Institute’s Sixteenth Annual Institute on Privacy and Data Security Law, Lisa J. Sotto, managing partner of Hunton & Williams’ New York office and chair of the firm’s global privacy and cybersecurity practice, and Vincent Liu, a security expert and partner at security consulting firm Bishop Fox, give advice on how to prepare for and respond to a cyber incident and how security and legal teams can effectively work together throughout the process.  The first article in this series discussed the current cyber threat landscape and the relevant laws and rules.

    Read Full Article …
  • From Vol. 1 No.7 (Jul. 1, 2015)

    Preserving Privilege Before and After a Cybersecurity Incident (Part Two of Two)

    With the looming threats of post-breach litigation and regulatory enforcement actions, preserving privilege in connection with a company’s cybersecurity efforts – both before and after an incident – is critical to encouraging openness in assessing and addressing a company’s vulnerabilities.  Unless companies take the proper steps, however, communications and other documentation that could have been protected by the attorney-client and work product privileges will be open to discovery.  The first part of The Cybersecurity Law Report’s series on preserving privilege addressed pre-incident response planning and testing activities.  This article, the second part of the series, addresses how to retain privilege during post-incident response efforts. 

    Read Full Article …
  • From Vol. 1 No.6 (Jun. 17, 2015)

    In a Candid Conversation, FBI Director James Comey Discusses Cooperation among Domestic and International Cybersecurity Law Enforcement Communities (Part Two of Two)

    The FBI’s understanding of cybersecurity has advanced from the youth league to college-level in the past decade, FBI Director James Comey told WilmerHale partner Ben Powell at the annual Georgetown Cybersecurity Law Institute.  Much of that improvement has to do with growing cooperation between governments, and within our own, along with increased efforts by the private sector.  But, he said, the FBI needs to get to World Cup play.  This article, the second part of the CSLR’s two-part series, covers Comey’s frank comments about: the role of the FBI in relation to other law enforcement agencies; international cybersecurity developments; international cooperation in a post-Snowden world; pending information-sharing legislation in Congress; misperceptions about the FBI that he hears from the private sector; and how the FBI competes with the private sector for talent.  The first article discussed how the FBI has adapted its techniques in the face of cyber threats; the FBI’s relationship with local law enforcement agencies and the private sector; his concerns about the encryption of data; and how the FBI has expanded its information-sharing programs with the private sector. 

    Read Full Article …
  • From Vol. 1 No.5 (Jun. 3, 2015)

    In a Candid Conversation, FBI Director James Comey Talks About the “Evil Layer Cake” of Cybersecurity Threats (Part One of Two)

    In a wide-ranging and frank conversation with WilmerHale partner Ben Powell at the annual Georgetown Cybersecurity Law Institute, FBI Director James Comey likened the cybersecurity dangers the country faces to an “evil layer cake” and called general counsels (including himself in his former role) “obstructionist weenies.”  This article, the first part of the CSLR’s two-part series, covers Comey’s remarks about: how the FBI has adapted its techniques in the face of cyber threats; the FBI’s relationship with local law enforcement agencies and the private sector; his concerns about the encryption of data; and how the FBI has expanded its information-sharing programs with the private sector.  In the second part, we will cover Comey’s views on: the role of the FBI in relation to other law enforcement agencies; international cybersecurity developments; international cooperation in a post-Snowden world; misperceptions about the FBI that he hears from the private sector; information-sharing legislation; and how the FBI competes with the private sector for talent.  See also “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).

    Read Full Article …
  • From Vol. 1 No.5 (Jun. 3, 2015)

    Navigating Data Breaches and Regulatory Compliance for Employee Benefit Plans

    Employee benefit plans, including health and pension plans, are prime targets of hackers, as evident from the most recent Anthem and Premera crises, and the proper proactive and reactive steps are key to mitigating breach risk and breach fallout.  In a recent Strafford webinar, Ogletree Deakins attorneys Vance E. Drawdy, Timothy G. Verrall and Stephen A. Riga shared their insights on best practices for fiduciaries and sponsors to navigate the complex state and federal regulations on data breaches that are applicable to ERISA benefit plans.  This article details some of their advice on preventing, assessing and responding to a plan data breach.  See also “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

    Read Full Article …
  • From Vol. 1 No.5 (Jun. 3, 2015)

    Ponemon Study Finds Increasing Data Breach Costs and Analyzes Causes

    The average cost of a data breach increased from $3.52 million last year to $3.79 million this year, according to a recently released Report by IBM and the Ponemon Institute.  The Report analyzes trends that have contributed to the overall cost increase of data breaches as well as factors that can reduce or increase the cost of individual data breaches.  The Report also breaks down types of breaches and compares data across 11 nations, several industries and results from the previous two years.  The Report also predicts the likelihood that an organization will experience a breach of various sizes over a 24-month period.

    Read Full Article …
  • From Vol. 1 No.4 (May 20, 2015)

    After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?

    Recent reports detail a breathtaking and unrelenting rise in cyber breaches, with five malware events occurring every second, and 60% of successful attackers able to compromise an organization within minutes.  But the law has not kept pace with technological innovation.  There is no single uniform law protecting individual privacy, nor one that governs all of a company’s obligations or liabilities regarding data security and privacy.  As Jenny Durkan and Alicia Cobb, a partner and associate, respectively, at Quinn Emanuel Urquhart & Sullivan, detail in a guest post, any business that suffers a significant cyber breach almost certainly will face not only multiple civil suits, but multiple investigations by federal and state authorities.  The authors provide a roadmap to the key authorities and the patchwork of relevant rules and regulations.

    Read Full Article …
  • From Vol. 1 No.4 (May 20, 2015)

    DOJ Encourages Cyber Incident Reporting and Advance Planning with Best Practices Guidance

    Following other government agencies that have weighed in on cybersecurity, the DOJ’s Cybersecurity Unit has published guidance titled “Best Practices for Victim Response and Reporting of Cyber Incidents,” outlining its recommendations for steps to take prior to a cyber incident; how to respond to an incident, including mistakes often made in the chaos following an incident; and effective follow-up actions.  Experts say that while it is nothing new, the document does emphasize the government’s expectations.  The Guidance “reinforces the notion that a ‘check-the-box’ approach to cybersecurity does not suffice.  Companies must implement a thoughtful, robust and effective plan that is tailored to the company’s particular business, risks and operations,” Richard Tarlowe, counsel at Paul, Weiss, told The Cybersecurity Law Report.

    Read Full Article …
  • From Vol. 1 No.2 (Apr. 22, 2015)

    Steps to Take Following a Healthcare Data Breach

    The prevalence, size and cost of healthcare breaches are skyrocketing, with hackers gaining sophistication and regulators becoming more active.  It is a rare covered entity that has not had to report a data breach to patients/members and the U.S. Department of Health & Human Services Office for Civil Rights since the Health Information Technology for Economic and Clinical Health Act became effective in 2009.  To assist healthcare companies in understanding and responding to data breaches in this regulatory environment, in a guest article, BakerHostetler partner Lynn Sessions discusses: the enforcement climate; the legal definition of a healthcare breach; strategies for handling unsecured personal health information; notification requirements and best notification procedures; activating a breach response team; mitigating the impact of a breach; and what’s next in cybersecurity for the healthcare industry.

    Read Full Article …