The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

Articles By Topic

By Topic: Corporate Governance

  • From Vol. 4 No.25 (Aug. 15, 2018)

    How to Build a Cybersecurity Culture Using People, Processes and Technology

    While organizations strive to have strong security technology and effective cybersecurity policies, ultimately, one of the most powerful ways to protect themselves is to create a culture of security. The Cybersecurity Law Report spoke with Pamela Passman, president and CEO of Center for Responsible Enterprise And Trade (CREATe.org) about why creating a culture of cybersecurity from the break room to the boardroom is essential, and how to accomplish that. “Culture matters because it affects the company’s ability to function and get worth out of its innovations,” said Passman. See also “Privacy Leaders Share Key Considerations for Incorporating a Privacy Policy in the Corporate Culture” (Oct. 19, 2016).

    Read Full Article …
  • From Vol. 4 No.1 (Jan. 17, 2018)

    NIST Program Manager Explains Pending Changes to Its Cybersecurity Framework

    The NIST Cybersecurity Framework has become a key reference and guide for many organizations’ security efforts, and NIST has published pending revisions that are not an “overhaul” but provide additions, advancements and clarifications. Matthew Barrett, NIST’s cybersecurity framework program manager, recently presented an overview of the original Framework and its companion Roadmap and explained the pending changes to both. Organizations should become familiar with the changes and review their current practices to determine if their own practices require updating. See also “Demystifying the FTC’s Reasonableness Requirement in the Context of the NIST Cybersecurity Framework (Part One of Two)” (Oct. 19, 2016); Part Two (Nov. 2, 2016).

    Read Full Article …
  • From Vol. 3 No.22 (Nov. 8, 2017)

    Managing Data Privacy Across Multiple Jurisdictions

    Long gone are the days when acceptable privacy programs consist of a policy in an HR handbook. Building an effective and comprehensive privacy program that addresses wide-ranging data sets and dynamic regulations is a challenge for large and small organizations. To provide guidance on what has worked for them, Ropes & Gray teamed up with privacy professionals from Wyndham Worldwide and Facebook on a recent panel at the Privacy + Security Forum. The panelists offered advice on complying with the patchwork of U.S. laws and the growing number of global regulations and offered behind-the-scenes insight on how Wyndham built its global privacy program as well as how Facebook approaches privacy across its products. See also “Tips From Google, Chase and P&G Privacy Officers on Developing Strong Privacy Leadership and When to Use Outside Counsel” (Aug. 23, 2017).

    Read Full Article …
  • From Vol. 3 No.22 (Nov. 8, 2017)

    How to Mitigate the Risks of Open-Source Software (Part Two of Two)

    Companies may be unaware they are using open-source software in their operations. This can be significant because while OSS is inexpensive and reliable, it does carry with it significant cybersecurity and intellectual property risks that should be addressed. A recent Strafford program offered a comprehensive primer on OSS and insights on designing appropriate compliance controls for its use. The program featured James G. Gatto, a partner at Sheppard Mullin Richter & Hampton and Baker Botts attorneys Luke K. Pedersen and Andrew Wilson. Part two of our coverage discusses where attorneys encounter OSS challenges, how to identify whether a company is using OSS, best practices for OSS governance, and patent issues that OSS presents. Part one explained the key legal issues, common OSS license provisions, and cybersecurity and litigation risks. See also “Tech Meets Legal Spotlight: What to Do When IT and Legal Slow the Retention of a Third-Party Vendor” (Nov. 30, 2016).

    Read Full Article …
  • From Vol. 3 No.19 (Sep. 27, 2017)

    Deloitte Survey Shows Getting Skilled Cybersecurity Talent and Addressing Cyber Threats Among the Top Challenges for Financial Institutions

    Financial institutions anticipate cybersecurity to be one of the top risks they will face over the next two years, according to a Deloitte survey. Exacerbating the challenge is recruiting skilled cybersecurity talent as well as obtaining near-real-time threat intelligence. The survey also found that some organizations have turned to corporate risk officers to assist them, while others have seen increasingly activist boards of directors. We analyze the results of the survey. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

    Read Full Article …
  • From Vol. 3 No.3 (Feb. 8, 2017)

    Getting to Know the DPO and How to Adapt Corporate Structure to Comply With GDPR Requirements for the Role (Part Two of Two)

    The GDPR introduces the statutory position of the Data Protection Officer, who will have a key role in ensuring compliance with the regulation. But where and how does the DPO position function within the company? In this second installment in our two-part article series on the role, DPOs and counsel from around the world discuss how the DPO best fits in the corporate structure, and offer considerations for determining whether the role should be fulfilled internally or externally and five steps companies can proactively take to ensure they are prepared to comply with the GDPR’s DPO requirements. Part one examined when appointing a DPO is mandatory, how to select a DPO, and the requisite skillsets and responsibilities of the role, including the difference between the DPO and other privacy compliance roles. See also “Navigating the Early Months of Privacy Shield Certification Amidst Uncertainty” (Nov. 2, 2016).

    Read Full Article …
  • From Vol. 3 No.2 (Jan. 25, 2017)

    Getting to Know the DPO and Adapting Corporate Structure to Comply With the GDPR (Part One of Two)

    Looking toward the GDPR’s May 25, 2018 implementation date, many organizations preparing for compliance are focused on the DPO role. While the position is not novel, the GDPR introduces new requirements. We spoke with experienced DPOs and counsel from around the world to clarify and shed light on the GDPR provisions and recent Article 29 Working Party guidelines relevant to the DPO role. This first part of our two-part series on the topic examines when appointing a DPO is mandatory, how to select a DPO, and the requisite skillsets and responsibilities of the role, including the difference between the DPO and other privacy compliance roles. Part two will discuss how the DPO best fits in the corporate structure, how to manage the budget for this role and steps companies can proactively take to ensure they are prepared to comply with the GDPR’s DPO requirements. See also “Navigating the Early Months of Privacy Shield Certification Amidst Uncertainty” (Nov. 2, 2016).

    Read Full Article …
  • From Vol. 3 No.2 (Jan. 25, 2017)

    Triaging Security Projects in the Current Legal Landscape

    Escalating cyber threats, liability risks and the numerous legal and regulatory standards make it difficult for a company to know how to plan and prioritize security projects. During a recent webcast, ZwillGen attorneys Amy Mushahwar and Marci Rozen offered their advice on top-priority security projects for mitigating corporate risk, and discussed how to determine and understand applicable data security regulations and guidelines, as well as the potential liabilities and business harms that can arise from inadequate security. See also “Demystifying the FTC’s Reasonableness Requirement in the Context of the NIST Cybersecurity Framework (Part One of Two)” (Oct. 19, 2016); Part Two (Nov. 2, 2016).

    Read Full Article …
  • From Vol. 2 No.8 (Apr. 13, 2016)

    Study Analyzes How Companies Can Overcome Cybersecurity Challenges and Create Business Value

Many executives tasked with combatting cybersecurity threats lack necessary awareness and readiness, according to a survey commissioned by security firm Tanium and the NASDAQ. The Accountability Gap: Cybersecurity & Building a Culture of Responsibility (the Survey Report) includes findings of an extensive study involving 1,530 non-executive directors, CEOs, CISOs and CIOs of major corporations around the globe. Using information from a combination of one-on-one interviews and a quantitative survey, the Survey Report highlighted seven key cybersecurity challenges facing boards and executives and provided actionable advice in these areas. We examine these findings, with input from Lance Hayden, managing director of Berkeley Research Group, and author of People-Centric Security. See also “Protecting the Crown Jewels Using People, Processes and Technology” (Sep. 30, 2015).

    Read Full Article …
  • From Vol. 2 No.5 (Mar. 2, 2016)

    Implementing a Privacy by Design Program to Protect Corporate and Consumer Information

    One way for companies to integrate their internal and external commitment to data protection and privacy is by implementing a “privacy by design” mechanism, Sachin Kothari, director of online privacy and compliance at AT&T, Inc., explained during a recent ALM cyberSecure Conference. Kothari highlighted specific steps companies can take to effectively integrate such a program into their corporate governance structures. He was joined by Andrea Arias, an attorney in the Division of Privacy and Identity Protection at the FTC and Chaim Levin, chief U.S. legal officer at Tradition Group. This article examines Levin and Kothari’s insights on data security and privacy governance and best practices to meet the potentially competing demands of in-house, consumer and regulatory cybersecurity expectations. A future article will address Arias’ perspective on recent FTC guidance and cyber enforcement actions. See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)” (Jul. 1, 2015); Part Two (Jul. 15, 2015).

    Read Full Article …
  • From Vol. 1 No.18 (Dec. 9, 2015)

    Building a Strong Cyber Insurance Policy to Weather the Potential Storm (Part Two of Two)

The enormous liability and costs that cyber incidents generate make cyber insurance a new reality in corporate risk management plans across industries. This article, the second in the series, explores policy exclusions and pitfalls to watch out for, including lessons from recent cyber insurance coverage litigation and steps companies can take to increase the likelihood of insurance coverage under their cyber policy. Part one in the series covered navigating the placement process: having the proper individuals involved, finding the right insurer and securing the best policy for your company. See also “Analyzing the Cyber Insurance Market, Choosing the Right Policy and Avoiding Policy Traps,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

    Read Full Article …
  • From Vol. 1 No.17 (Nov. 25, 2015)

    Building a Strong Cyber Insurance Policy to Weather the Potential Storm (Part One of Two)

With cyber attacks continuing to strike companies of all sizes, cyber insurance has become an important component of corporate risk management strategies. While cyber risk insurance can provide coverage for the litany of potential damages that a company may suffer in the wake of a data breach, it is wildly different from the usual insurance marketplace – it is nascent, changing and varied. This, the first article in our two-part series on getting the right cyber coverage in place, provides guidance on navigating the insurance placement process, selecting the individuals who should be involved, finding the right insurer and securing the best policy for your company. Part two will explore lessons from recent cyber insurance coverage litigation, including steps companies can take to increase the likelihood of insurance coverage under their cyber policy and what policy exclusions and pitfalls to watch out for. See also “Transferring Risk Through the Right Cyber Insurance Policy,” The Cybersecurity Law Report, Vol. 1, No. 15 (Oct. 28, 2015).

    Read Full Article …
  • From Vol. 1 No.17 (Nov. 25, 2015)

    Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation (Part One of Two)

In addition to the direct consequences of a data security incident, many companies that suffer data breaches must face lawsuits. In a recent webinar, Mintz Levin members Meredith Leary, Kevin McGinty and Mark Robinson discussed the various types of data security litigation and gave advice on how companies can best prepare for the likelihood of a lawsuit after a data breach. This article, the first in a two-part series, features their insight on how companies can put themselves in the best position now to defend their actions later. The panelists also identified threshold questions that companies can ask themselves during an internal investigation following a data breach. In the second article, they further explore best practices for internal investigations and common defenses in data breach class actions. See also “Liability Lessons from Data Breach Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 16 (Nov. 11, 2015).

    Read Full Article …
  • From Vol. 1 No.9 (Jul. 29, 2015)

    Analyzing and Complying with Cyber Law from Different Vantage Points (Part Two of Two)

As breaches proliferate, civil litigations related to breaches have too – and some of them can become “bet the company” cases. In our continued coverage of a recent conference hosted by Georgetown Law’s Cybersecurity Law Institute, panelists discuss the compliance lessons from shareholder derivative suits and class actions that have followed breaches, as well as how companies should use government cybersecurity guidance in their programs. The moderator and panelists come to cybersecurity and data privacy with different perspectives – the panel included plaintiffs’ counsel from Edelson PC; principal for reliability and cybersecurity for Southern California Edison; in-house counsel at IT company CACI International; and defense counsel from Alston & Bird. The first article of this two-part series contained the panelists’ insights on the sources of liability for companies, best practices when collecting personal data and takeaways from government enforcement actions.

    Read Full Article …