The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Tech Meets Legal

  • From Vol. 4 No.16 (Jun. 13, 2018)

    What Lawyers Need to Know About Security Technologies and Techniques (Part Three of Three)

    The legal team is a crucial part of a company’s cybersecurity program and it is essential for members of that team to understand security technologies and how they are used to mitigate data breach risk. This final installment in our three-part series, featuring advice from legal and technical experts, covers how and when common types of cloud solutions are used and the attorney’s role in mitigating risk in connection with this service. It also addresses what to consider when “hacking back” to secure data. Part one explored the appropriate knowledge base for the different attorney roles, technology’s place in mitigating risk, and certain technologies and techniques, such as pen testing. Part two continued examining other security techniques, including red teaming, vulnerability scanning and social engineering. See also “Negotiating an Effective Cloud Service Agreement” (Sep. 13, 2017).

  • From Vol. 4 No.15 (Jun. 6, 2018)

    What Lawyers Need to Know About Security Technologies and Techniques (Part Two of Three)

    IT’s important role in implementing a cybersecurity strategy is indisputable, but lawyers need to be at the table too given the risks, including regulatory implications of breaches and the growing possibility of ensuing litigation. With input from technical and legal experts, this three-part series addresses what attorneys need to understand about security technologies and what role they should play. This second installment explores these issues within efforts related to red-teaming, vulnerability scanning and social engineering. Part one addressed the knowledge base needed depending on the lawyer’s role, whether security certification is necessary, and the roles of technology and pen testing in mitigating risk. Part three will cover cloud security and the potential value of hacking back. See also our three-part series on when and how legal and information security should engage on cyber strategy: “It Starts With Governance” (Mar. 28, 2018); “Assessments and Incident Response” (Apr. 11, 2018); “Vendors and M&A” (Apr. 18, 2018).

  • From Vol. 4 No.14 (May 30, 2018)

    What Lawyers Need to Know About Security Techniques and Technologies to Mitigate Breach Risk (Part One of Three)

    IT has an indisputably important role in implementing a defense-in-depth cybersecurity strategy; however, the legal team is also a crucial part of a company’s cyber program. With input from technical and legal experts, this three-part series addresses what attorneys need to understand about how security technologies are used to mitigate breach risk. This first installment explores the knowledge base needed depending on the lawyer’s role, whether security certification is necessary and technology’s overall role in mitigating risk, and surveys certain technologies and techniques, such as pen testing. Part two will address additional security techniques, including red teaming, vulnerability scanning and social engineering. Part three will cover cloud security and hacking back and its potential value in securing data. See also our three-part series on when and how legal and information security should engage on cyber strategy: “It Starts With Governance” (Mar. 28, 2018); “Assessments and Incident Response” (Apr. 11, 2018); “Vendors and M&A” (Apr. 18, 2018).

  • From Vol. 4 No.14 (May 30, 2018)

    Understanding the Intersection of Law and Artificial Intelligence

    How can lawyers effectively use artificial intelligence and mitigate the myriad risks it poses? During a recent Strafford panel, Robert W. Kantner, a partner at Jones Day; Michael W. Kelly and Huu Nguyen, both partners at Squire Patton Boggs; and Dennis Garcia, an assistant general counsel at Microsoft, provided insight on how to make the most of AI. See “Using Big Data Legally and Ethically While Leveraging Its Value (Part One of Two)” (May 17, 2017) and Part Two (May 31, 2017).

  • From Vol. 4 No.8 (Apr. 18, 2018)

    When and How Legal and Information Security Should Engage on Cyber Strategy: Vendors and M&A (Part Three of Three)

    Effective cybersecurity strategy requires the legal and security functions to work together when assessing third parties, either in the context of hiring a vendor or merging with or acquiring a new company. “I don’t think they’re coordinating very well,” Akin partner Michelle Reed told The Cybersecurity Law Report. With insight from Reed and technical experts, this third installment of our three-part series on when and how legal and security professionals should be communicating to build strong working relationships for a robust cybersecurity and data privacy program tackles coordination between the two teams on vendor assessments, M&A due diligence and combatting insider threats. Part two examined how both teams can coordinate on incident response and to assess risk and privacy impact. Part one covered how to structure corporate governance for optimal collaboration between these two groups. See also “Effective M&A Contract Drafting and Internal Cyber Diligence and Disclosure” (Dec. 20, 2017) and “Mitigating Cyber Risk in M&A Deals and Third-Party Relationships” (Jul. 6, 2016).

  • From Vol. 4 No.7 (Apr. 11, 2018)

    When and How Legal and Information Security Should Engage on Cyber Strategy: Assessments and Incident Response (Part Two of Three)

    As regulators increasingly blend privacy and security issues, privacy officers and CISOs need to interact frequently to develop a healthy relationship for effective protection of key data. Our three-part series offers legal and technical expert advice on when and how these professionals should be communicating to build a strong working relationship for robust cybersecurity and data privacy programs. This second part examines how both teams can coordinate on incident response and for risk and privacy impact assessments. Part one covered how to structure corporate governance for optimal collaboration between these two groups. Part three will tackle coordination between legal and security on vendor assessments and in the M&A context. See “How Cyber Stakeholders Can Speak the Same Language (Part One of Two),” (Jul. 20, 2016); Part Two (Aug. 3, 2016).

  • From Vol. 4 No.6 (Mar. 28, 2018)

    When and How Legal and Information Security Should Engage on Cyber Strategy: It Starts With Governance (Part One of Three)

    Effective protection of key data requires a healthy relationship and frequent interaction between the legal and security functions. As regulators increasingly blend privacy and security subject matter, privacy officers and CISOs need to work together to stay compliant. This three-part series addresses when and how legal and security professionals should be communicating to build strong working relationships for a robust cybersecurity and data privacy program. Part one covers how to structure corporate governance for optimal collaboration between these two groups. Part two will look at how both teams can come together to assess risk and privacy impact. Part three will tackle coordination between legal and security on vendor assessments and in the M&A context. See “How Cyber Stakeholders Can Speak the Same Language (Part One of Two),” (Jul. 20, 2016); Part Two (Aug. 3, 2016).

  • From Vol. 4 No.3 (Feb. 14, 2018)

    Using Technology to Comply With the GDPR

    Organizations preparing for the GDPR’s upcoming effective date know that they need to make compliance effective, sustainable and feasible without draining human and financial resources. We spoke to Theresa Beaumont, a legal data governance and technology expert at Groupe Beaumont; Kenneth N. Rashbaum, a partner at Barton; and Matthew Nelson, vice president of data liaison services and associate general counsel at DiscoverReady, regarding the benefits of using technology for six specific areas of GDPR compliance and how to choose the right technologies. These experts also addressed the topic at a recent Legaltech panel where they discussed how technology can help companies wrestle with sprawling stored data to meet the ongoing requirements. See also “Five Months Until GDPR Enforcement: Addressing Tricky Questions and Answers” (Dec. 20, 2017).

  • From Vol. 4 No.2 (Jan. 31, 2018)

    Five Strategies a Privacy Attorney Uses to Bridge the Gap With Tech Teams

    Building positive relationships between attorneys and technologists is a key way to avoid communication failures that can lead to costly results and delays. With insight from attorney and Aleada Consulting partner Kenesa Ahmad, this article provides guidance on how to successfully implement five specific strategies to improve collaboration among teams. See also “Tech Meets Legal Spotlight: Advice on Working With Information Security” (Jan. 11, 2017).

  • From Vol. 3 No.22 (Nov. 8, 2017)

    How to Mitigate the Risks of Open-Source Software (Part Two of Two)

    Companies may be unaware they are using open-source software in their operations. This can be significant because while OSS is inexpensive and reliable, it does carry with it significant cybersecurity and intellectual property risks that should be addressed. A recent Strafford program offered a comprehensive primer on OSS and insights on designing appropriate compliance controls for its use. The program featured James G. Gatto, a partner at Sheppard Mullin Richter & Hampton and Baker Botts attorneys Luke K. Pedersen and Andrew Wilson. Part two of our coverage discusses where attorneys encounter OSS challenges, how to identify whether a company is using OSS, best practices for OSS governance, and patent issues that OSS presents. Part one explained the key legal issues, common OSS license provisions, and cybersecurity and litigation risks. See also “Tech Meets Legal Spotlight: What to Do When IT and Legal Slow the Retention of a Third-Party Vendor” (Nov. 30, 2016).

  • From Vol. 3 No.21 (Oct. 25, 2017)

    How to Outsource Vulnerability Assessments to Hackers

    Outsourcing certain cyber problems to the very individuals who are capable of exploiting them might be the most cost-effective way for an organization to protect its network. Hiring hackers can be a delicate process, however, and determining whether their intentions are good even more so. Crowdsourcing platforms can set up bug bounties for clients and provide various levels of screening and oversight to make sure these sorts of sensitive projects proceed smoothly. The Cybersecurity Law Report spoke to Lisa Wiswell, an advisor to San Francisco crowdsourcing platform, HackerOne, about using hackers in this way and about her experience leading the Hack the Pentagon project. See also “How to Establish and Manage a Successful Bug Bounty Program” (Mar. 22, 2017).

  • From Vol. 3 No.21 (Oct. 25, 2017)

    How to Mitigate the Risks of Open-Source Software (Part One of Two)

    Organizations frequently use open-source software both for internal operations and in commercial software and other products. While OSS can be inexpensive, efficient and reliable, it also comes with significant risks including cybersecurity and intellectual property concerns. A recent Strafford program offered a comprehensive primer on the uses and risks of OSS, and insights on designing appropriate compliance controls for its use. The program featured Sheppard Mullin attorney James G. Gatto and Baker Botts attorneys Luke K. Pedersen and Andrew Wilson. Part one of this two-article series explains the key legal issues, common OSS license provisions, and cybersecurity and litigation risks. Part two will address where attorneys encounter OSS challenges, identifying OSS, best practices for OSS guidance, and patent issues that OSS presents. See our two-part series on vendor risk management: “Nine Due Diligence Questions” (May 25, 2016), and “14 Key Contract Terms” (June 8, 2016).

  • From Vol. 3 No.18 (Sep. 13, 2017)

    Unlocking Encryption: An Attorney Weighs in on Balancing Security and Practicality (Part Three of Three)

    Encryption is an important part of an overall data security program to protect sensitive information. It is not only used to protect companies from liability under state and federal laws, but also from exposure of sensitive business information, embarrassment and contract claims in certain situations. In an interview with The Cybersecurity Law Report, Proskauer partner Jeff Neuburger pointed out that encryption is no “silver bullet”; however, it should be used for certain information. He explained what information needs to be encrypted based on relevant laws, offered best practices to prevent reputational damage and discussed risks, obstacles and future trends. See also the first two installments of our series on unlocking encryption: “A Consultant’s View on Navigating Encryption Options and Persuading Reluctant Organizations” (Aug. 9, 2017); and “Unlocking Encryption: A CISO’s Perspective on Encryption As Only One Strategy” (Aug. 23, 2017).

  • From Vol. 3 No.18 (Sep. 13, 2017)

    Negotiating an Effective Cloud Service Agreement

    As attractive, economically viable and convenient as the cloud is, companies must be cognizant of the potential cybersecurity risks associated with any cloud-services arrangement. A well-drafted contract between the corporate customer and cloud-service provider is an essential tool for managing that risk on both sides. This article, based on insights offered at a recent PLI event, covers what a prospective business customer should and should not expect from a cloud-service provider, and why some provisions that look good in writing might not be quite so helpful in practice. See also “The Advantages of Sending Data Up to the Cloud” (Jun. 17, 2015).

  • From Vol. 3 No.16 (Aug. 9, 2017)

    Unlocking Encryption: A Consultant’s View on Navigating Encryption Options and Persuading Reluctant Organizations (Part One of Three)

    No matter how many steps are taken to prevent cyber intrusions, data can still be compromised. Encryption can mitigate the consequences – captured data that is encrypted may not be able to be read, utilized or sold. However, encryption is not as widely used as many would expect. Charles Carmakal, a vice president at cybersecurity consulting firm Mandiant, spoke to The Cybersecurity Law Report about pragmatic approaches to encryption, why entities still resist it or fail to use it enough and whether and how they can be persuaded to change. See “Conflicting Views of Safety, Vulnerability and Privacy Fuel Encryption Debate” (Jul. 15, 2015).

  • From Vol. 3 No.13 (Jun. 28, 2017)

    How Financial Service Providers Can Use Blockchain to Improve Operations and Compliance (Part Two of Three)

    Blockchain technology – a distributed database used to immutably timestamp and record transactions – is most commonly thought of in the single context of digital currencies, yet its applications are varied and limited only by the objectives of the adopting users. There are many more practical applications of the technology that could greatly enhance the efficacy of the financial sector while also dramatically reducing its overhead expenses. In particular, the technology could help private funds streamline their operations in various ways while simultaneously improving their compliance protocols. This second article in our three-part series about blockchain in the financial sector discusses various potential uses of blockchain technology, such as reconciling trades and onboarding investors, to improve private fund operational efficiencies and compliance efforts. The first article explained how blockchain functions and provided examples of how major elements of the financial industry (e.g., derivatives trading and repurchase agreements) are already incorporating the technology. The third article will explore how and when the private funds industry will adopt the technology, while presenting issues related to that implementation. See also “Are New York’s Cyber Regulations a “Game Changer” for Hedge Fund Managers?” (Jun. 14, 2017). 

  • From Vol. 3 No.13 (Jun. 28, 2017)

    The Arc of the Deal: Tips for Cybersecurity Due Diligence Advisors in Mergers & Acquisitions From Beginning to End

    For cybersecurity advisors, whether legal or technical, knowing the structural and business characteristics of a mergers and acquisitions target is just the beginning of an intense due diligence process. Operating somewhat furtively on a “need-to-know” basis within the limitations of any transaction, advisors need to gather information quickly and thoroughly so that they can provide input on whether and how a deal should move forward. It is an intense and exciting process fraught with responsibility and pressure. In a session at the recent Georgetown Cybersecurity Law Institute moderated by Jennifer Archie, a partner at Latham & Watkins, panelists Jay Brudz, a partner at Drinker Biddle, Christopher Hale, senior counsel for cybersecurity at Raytheon Company and David McCue, president of boutique advisory service McCue, Inc., provided their suggestions on work flow and processes along with a few war stories from the field. See “Cybersecurity Due Diligence in M&A Is No Longer Optional” (Aug. 24, 2016).

  • From Vol. 3 No.12 (Jun. 14, 2017)

    Basics of the Blockchain Technology and How the Financial Sector Is Currently Employing It (Part One of Three)

    “Blockchain” is frequently mentioned at financial services industry conferences as a transformative technology with the potential to “disrupt” the private funds industry, but uncertainty about it persists. This three-part series serves as a primer about the technology and its interplay with the financial services industry going forward. This first article provides an overview of how blockchain functions and examines how the finance industry is already using it. The second article will describe potential ways private funds and service providers can adopt blockchain technology to enhance fund operations and compliance practices. The third article will explore some of the risks impeding the growth of blockchain and address the most plausible timing and manner for it to be eventually adopted in the industry. See “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

  • From Vol. 3 No.11 (May 31, 2017)

    Advice on Incorporating Cybersecurity in eDiscovery

    A litigation will often involve an organization’s most sensitive data, and the protection of that data must not be an afterthought, panelists, including eBay’s director of eDiscovery and a law firm CIO and CISO, said at an EY program on eDiscovery. They shared best practices that are often forgotten when managing documents before, during and after litigation. See “The Wisdom of Planning Ahead: The Duty to Preserve Backup Tapes, Mobile Devices and Instant Messages” (Apr. 19, 2017).

  • From Vol. 3 No.10 (May 17, 2017)

    Investigative Realities: Working Effectively With Forensic Firms (Part Two of Two)

    Lawyers and forensic investigators must work together when investigating breaches, but the differences in their outlook and approach can sometimes make that difficult. In a two-part guest article series, Stephen Surdu, a senior advisor at Covington, and Jennifer Martin, of counsel at Covington, provide insight into how forensic teams work during the investigative process and how to make the process smoother and more effective. This second part addresses how to work with forensic teams when documenting and otherwise communicating findings, and during the remediation process. The first installment addressed investigative realities and how attorneys and forensic investigators can gain an understanding of each other’s perspectives and preemptively discuss any potential issues to be in the best position to address them efficiently during an investigation. See also our three-part series on forensic firms: “Understanding and Leveraging Their Expertise From the Start” (Feb. 22, 2017); “Key Contract Considerations and Terms” (Mar. 8, 2017); and “Effective Vetting and Collaboration” (Mar. 22, 2017).

  • From Vol. 3 No.10 (May 17, 2017)

    Tracking Data and Maximizing Its Potential

    How companies use and store data can be in conflict with regulations, notably the GDPR. Kristina Bergman, CEO and founder of Integris Software, and David Ray, Integris vice president, privacy, product and services, recently spoke to The Cybersecurity Law Report about using new technological tools to gain critical knowledge about companies’ data. That understanding not only facilitates compliance, but can also provide evidence for regulators, output concrete illustrations for a board or executive presentation, and assist in identifying the best data sets for marketing efforts. See “A Guide to Developing and Implementing a Successful Cyber Incident Response Plan: From Data Mapping to Evaluation (Part One of Three)” (Apr. 27, 2016).

  • From Vol. 3 No.9 (May 3, 2017)

    Investigative Realities: Working Effectively With Forensic Firms (Part One of Two)

    Lawyers and computer forensic investigators have significantly different skills and perspectives, both of which are essential during cybersecurity incident response. The differences, however, can create friction and even conflict in setting priorities, communicating effectively and interpreting findings. In a two-part guest article series, Stephen Surdu, a senior advisor at Covington, and Jennifer Martin, of counsel at Covington, provide legal counsel with a better understanding of the focus of the forensic team in incident response, the various factors and evidentiary realities that may affect how an investigation is performed, and why response teams cannot always reach definitive conclusions. This first installment addresses investigative realities and how attorneys and forensic investigators can gain an understanding of each other’s perspectives and preemptively discuss any potential issues to be in the best position to address them efficiently during an incident and to provide the greatest value to their clients. See also our three-part series on forensic firms: “Understanding and Leveraging Their Expertise From the Start” (Feb. 22, 2017); “Key Contract Considerations and Terms” (Mar. 8, 2017); and “Effective Vetting and Collaboration” (Mar. 22, 2017).

  • From Vol. 3 No.7 (Apr. 5, 2017)

    Proactive Steps to Prevent Legal Pitfalls in Bug Bounty Programs 

    Bug bounty programs that use crowdsourcing methods can help companies identify vulnerabilities that their internal teams may not catch. These programs, however, can also open companies up to a range of legal and business risks, such as publicly exposing user problems and other flaws identified by researchers before they are fixed. Michael Yaeger, special counsel at Schulte Roth & Zabel, spoke to The Cybersecurity Law Report about how companies can develop programs to minimize those risks, including setting clear terms covering issues such as confidentiality, payments, unauthorized actions and scope. We provide specific examples of program terms to illustrate Yaeger’s advice. See also “How to Establish and Manage a Successful Bug Bounty Program” (Mar. 22, 2017).

  • From Vol. 3 No.6 (Mar. 22, 2017)

    How to Establish and Manage a Successful Bug Bounty Program 

    Bug bounty programs – paying a researcher who has found a “bug” in a company’s system – can be effective at mitigating cybersecurity risk, but they must be implemented and managed carefully lest they be abused and backfire. Cassio Goldschmidt, vice president in Stroz Friedberg’s cyber resilience practice, spoke to The Cybersecurity Law Report about the steps to take to establish a bug bounty program, including the measures that should be in place prior to launching it, and how to best manage a successful program. See also “Tech Meets Legal Spotlight: What to Do When IT and Legal Slow the Retention of a Third-Party Vendor” (Nov. 30, 2016).

  • From Vol. 3 No.1 (Jan. 11, 2017)

    Tech Meets Legal Spotlight: Advice on Working With Information Security

    Although most companies recognize that legal and technology teams need to collaborate closely to address cybersecurity challenges, they often fail to overcome barriers to effective coordination. In this interview, Holland & Knight partner Scott Lashway offers advice on how to bring legal and security teams together, such as by establishing a risk committee. See also “What CISOs Want Lawyers to Understand About Cybersecurity” (Jun. 8, 2016).

  • From Vol. 2 No.24 (Nov. 30, 2016)

    Tech Meets Legal Spotlight: What to Do When IT and Legal Slow the Retention of a Third-Party Vendor

    When an organization hires a third-party vendor that needs access to its network systems, a failure of legal and IT to coordinate the implementation of that access can cause costly delays. The Cybersecurity Law Report discussed the problem with David Cass, the CISO of IBM’s cloud and SaaS operational services, using a fact pattern familiar to many companies: A company is seeking to hire a third-party vendor that needs access to its network systems to perform its duties, but legal and IT have different ideas about the process, and the project stalls. Cass offered advice to bridge the gap between technology and legal teams. See also our two-part series on vendor risk management: “Nine Due Diligence Questions” (May 25, 2016), and “14 Key Contract Terms” (June 8, 2016). 

  • From Vol. 2 No.16 (Aug. 3, 2016)

    How Cyber Stakeholders Can Speak the Same Language (Part Two of Two)

    The way cybersecurity terminology is used can significantly affect how a cyber event is handled. Differences in the training and background of certain cybersecurity stakeholders, particularly technical and legal teams, however, may lead to inconsistent use of important terms in the context of security breaches and protocols. This second article of a two-part series highlights ten of the most frequently misunderstood cybersecurity terms, and provides insight on their meanings and implications from both legal and security experts. Part one of the series examined how to overcome cybersecurity stakeholder communication challenges and detailed six strategies for better interaction. See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)” (Jul. 1, 2015); Part Two (Jul. 15, 2015).

  • From Vol. 2 No.15 (Jul. 20, 2016)

    How Cyber Stakeholders Can Speak the Same Language (Part One of Two)

    In the areas of cybersecurity and data privacy, a company’s attorneys and technical teams must work together closely. The two groups often have different approaches, however, and may not speak the same language when it comes to handling security breaches and protocols. Commonly used terms can be used inconsistently, and their implications misunderstood. In this first article of a two-part series, attorneys and consultants with different perspectives share advice with The Cybersecurity Law Report on the importance of clear communication between key stakeholders. They also examine the different approaches to cybersecurity and detail six strategies for overcoming communication challenges. Part two of the series will explore frequently misunderstood cybersecurity terms and their meanings. See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)” (Jul. 1, 2015); Part Two (Jul. 15, 2015).

  • From Vol. 2 No.12 (Jun. 8, 2016)

    What CISOs Want Lawyers to Understand About Cybersecurity

    As security and privacy threats and regulations proliferate, it is more important than ever for in-house counsel to collaborate with a company’s information security team to mitigate risks and protect their organization’s confidential information. At a recent panel at Georgetown Law’s Cybersecurity Law Institute, CISOs from Deloitte, BDP and Northrop Grumman shared advice about how lawyers and information security professionals can achieve that goal. The panelists addressed fostering a collaborative relationship, areas of tension between legal and IT, and how counsel can more effectively act as advocates for mitigating data security and privacy risk. See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape”: Part One (Jul. 1, 2015); Part Two (Jul. 15, 2015).

  • From Vol. 1 No.8 (Jul. 15, 2015)

    The Challenge of Coordinating the Legal and Security Teams in the Current Cyber Landscape (Part Two of Two)

    Legal and security teams each play a crucial role in cybersecurity and data protection, but working together to understand the most pressing threats and shifting regulatory landscape can be challenging.  In this second article of our two-part series covering a recent panel at Practising Law Institute’s Sixteenth Annual Institute on Privacy and Data Security Law, Lisa J. Sotto, managing partner of Hunton & Williams’ New York office and chair of the firm’s global privacy and cybersecurity practice, and Vincent Liu, a security expert and partner at security consulting firm Bishop Fox, give advice on how to prepare for and respond to a cyber incident and how security and legal teams can effectively work together throughout the process.  The first article in this series discussed the current cyber threat landscape and the relevant laws and rules.

  • From Vol. 1 No.6 (Jun. 17, 2015)

    The Advantages of Sending Data Up to the Cloud 

    As their data storage and security requirements grow, companies are increasingly turning to cloud service providers.  Cloud storage offers a valuable and efficient option for companies as long as companies thoughtfully manage what data to store remotely and where to send it.  In this interview with The Cybersecurity Law Report, Paul Ferrillo, counsel at Weil, Gotshal & Manges in its Cybersecurity, Data Privacy and Information Management group, discussed the advantages of cloud services, how to select a secure cloud vendor, and data classification questions to ask to determine what to store in the cloud and what to keep on the ground.  See also “Weil Gotshal Attorneys Advise on Key Ways to Anticipate and Counter Cyber Threats,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).

  • From Vol. 1 No.5 (Jun. 3, 2015)

    How Companies Are Preparing for the Imminent Liability Shift for Counterfeit Credit Cards

    Traditionally, credit card companies have taken the hit when a counterfeit card is used for a point-of-sale transaction, but as of October 1, 2015, MasterCard and Visa are shifting the risk onto the issuers and merchants for counterfeit card transactions if the issuers and merchants have not switched to chip card technology.  This change, while an improvement, still will not bring the U.S. current with the international marketplace, which uses the more secure “chip-and-PIN” method.  This article explores the chip technology involved in the liability shift and its strengths and weaknesses, as well as how affected companies are preparing for the liability shift, and for improved technology that may follow soon.
