The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: NIST Resources

  • From Vol. 4 No.1 (Jan. 17, 2018)

    NIST Program Manager Explains Pending Changes to Its Cybersecurity Framework

    The NIST Cybersecurity Framework has become a key reference and guide for many organizations’ security efforts, and NIST has published pending revisions that are not an “overhaul” but provide additions, advancements and clarifications. Matthew Barrett, NIST’s cybersecurity framework program manager, recently presented an overview of the original Framework and its companion Roadmap and explained the pending changes to both. Organizations should become familiar with the changes and review their current practices to determine if their own practices require updating. See also “Demystifying the FTC’s Reasonableness Requirement in the Context of the NIST Cybersecurity Framework (Part One of Two)” (Oct. 19, 2016); Part Two (Nov. 2, 2016).

  • From Vol. 3 No.22 (Nov. 8, 2017)

    IBM Cybersecurity Counsel Offers Techniques for Speaking the Same Language as the C-Suite When Managing Cyber Risk

    Given the grave potential repercussions of data breaches, the C-suite needs to be aware of how the company is managing its cyber risk. Andrew Tannenbaum, chief cybersecurity counsel at IBM Corporation, spoke with The Cybersecurity Law Report about what to discuss with the C-suite during an evaluation of the company’s cyber risk programs. He also offered strategies for setting responsibility at various levels across the organization and for establishing a common language between internal stakeholders to effectively discuss and mitigate these risks. Tannenbaum will be a panelist at ALM’s cyberSecure conference on December 4 and 5, 2017, at the New York Hilton. A discount code for CSLR subscribers is inside this article. See also “How Cyber Stakeholders Can Speak the Same Language (Part One of Two)” (Jul. 20, 2016); Part Two (Aug. 3, 2016).

  • From Vol. 3 No.16 (Aug. 9, 2017)

    Identifying and Managing Third-Party Cybersecurity Risks for Asset Managers

    As connectivity grows, the risk that data entrusted to vendors could be compromised, or that a company’s own systems may be breached through one of its vendors, continues to increase. A recent Advise Technologies program focused on how private fund managers can understand and mitigate third-party risks. A panel of attorneys and compliance and regulatory consultants discussed the regulatory emphasis on third-party risk, ways to assess this risk, and common errors and best practices for managing vendors, including due diligence questionnaires. While certain regulatory considerations are specific to fund managers, the due diligence concerns and best practices provide important advice to all companies working with third-party vendors. See our two-part series on vendor risk management, “Nine Due Diligence Questions” (May 25, 2016) and “14 Key Contract Terms” (June 8, 2016).

  • From Vol. 3 No.6 (Mar. 22, 2017)

    Assessing Regulatory Responsibility When Reporting Postmarket Cybersecurity “Corrections” to the FDA

    Whether you are a technology company venturing into FDA-regulated territory for the first time, or a longstanding member of the FDA-regulated medical device community, recent regulatory developments around cybersecurity may require a shift in your perspective in order to meet FDA expectations. In this guest article, DLA Piper attorneys analyze the FDA’s Postmarket Management of Cybersecurity in Medical Devices guidance, including important definitions, and advise on what postmarket cybersecurity-related product changes may or may not be reportable to the agency. See also “Securing Connected Medical Devices to Ensure Regulatory Compliance and Customer Safety (Part One of Two)” (Mar. 30, 2016); Part Two (Apr. 13, 2016).

  • From Vol. 3 No.2 (Jan. 25, 2017)

    FTC Data Security Enforcement Year-In-Review: Do We Know What “Reasonable” Security Is Yet?

    In 2016 alone, more than 35 million records were reported as compromised in more than 980 data breaches, which made consumers wary of trusting companies to handle their data. This leaves companies wondering what they can do to strengthen their data security practices and avoid consumer distrust and the scrutiny of regulators. The FTC expects “reasonable” security, but what does that mean? In this guest article, Kelley Drye & Warren attorneys Alysa Z. Hutnik and Crystal N. Skelton shed light on the answer to this question by detailing illustrative data security enforcement actions over the past year, the security practices the agency has indicated should be implemented, and those it has warned should be avoided. See also “FTC Priorities for 2017 and Beyond” (Jan. 11, 2017).

  • From Vol. 2 No.25 (Dec. 14, 2016)

    Presidential Commission Recommends Ways For Public and Private Sectors to Improve Cybersecurity

    Cybersecurity has been a focus of the current administration. To look beyond the current term, however, a nonpartisan commission appointed by President Obama recently issued an extensive report recommending short- and medium-term actions for the Trump administration and the private sector to take over the next five years to improve cybersecurity, while protecting privacy, fostering innovation and ensuring economic and national security. See also “White House Lays Out Its Broad Cybersecurity Initiatives” (Feb. 17, 2016) and “Gibson Dunn Attorneys Discuss the Impact of Obama’s Executive Order Creating New Tools to Fight Cyber Attacks” (May 6, 2015).

  • From Vol. 2 No.24 (Nov. 30, 2016)

    New NIST and DHS IoT Guidance Signal Regulatory Growth

    The marketplace is flooded with connected devices, and innovation is outpacing both regulation and security measures. A recent widespread denial-of-service attack illustrated that connected devices present risks not only to their individual users but to interconnected networks on a massive scale. In an effort to address these risks, the Department of Homeland Security recently issued written security guidance for developers, manufacturers, service providers and users. Adding to the growth of risk-based guidance in this area, the National Institute of Standards and Technology has also recently published detailed engineering standards. To best implement the advice from these various sources, Covington partner Jennifer Martin told The Cybersecurity Law Report that companies that make, use or provide services for connected devices should (1) understand the basic building blocks and principles of a good security program; (2) identify specific regulatory expectations for their particular industry; and (3) identify what role they play in the supply chain or device life cycle. See also “Managing Risk for the Internet of Things in the Current Regulatory Landscape” (May 11, 2016).

  • From Vol. 2 No.22 (Nov. 2, 2016)

    Demystifying the FTC’s Reasonableness Requirement in the Context of the NIST Cybersecurity Framework (Part Two of Two)

    Many companies are still wondering how to develop and implement a data security program that meets the FTC’s reasonableness requirement. “There is a hunger for a checklist,” Kelley Drye partner Alysa Hutnik told The Cybersecurity Law Report. Although not necessarily applicable across the board, the NIST Cybersecurity Framework, along with the FTC’s comments on it and its release of a new breach response guide, serve as useful resources. In this second part of our two-part series on the FTC’s data security expectations in the context of the NIST Cybersecurity Framework, in-house and outside counsel discuss how the Framework’s core functions align with the FTC’s requirements. They also provide steps companies of all types and sizes can take to incorporate these functions into their own security practices. Part one explored the implications of the FTC’s recent communication and detailed three initial steps companies should take to meet the FTC’s reasonableness standard. See also “A Behind-the-Curtains View of FTC Security and Privacy Expectations” (Mar. 16, 2016).

  • From Vol. 2 No.22 (Nov. 2, 2016)

    Advice From Blackstone and Tiffany CISOs on Fighting Cybercrime

    Information security is “the hottest industry of all time,” according to Lisa J. Sotto, managing partner of Hunton & Williams’ New York office and chair of the firm’s global privacy and cybersecurity practice. At a recent PLI panel, Sotto and fellow panelists Jay Leek, managing director and CISO for The Blackstone Group L.P.; Anthony Longo, CISO for Tiffany & Co.; and Matthew F. Fitzsimmons, an Assistant Attorney General in Connecticut and head of the office’s Privacy and Data Security Department, discussed the ballooning issue of cybercrime and how to both prevent and respond to attacks. See also “Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer,” Part One (May 6, 2015); Part Two (May 20, 2015).

  • From Vol. 2 No.21 (Oct. 19, 2016)

    Demystifying the FTC’s Reasonableness Requirement in the Context of the NIST Cybersecurity Framework (Part One of Two)

    The NIST Cybersecurity Framework, while useful, is not a panacea, the FTC recently said, leaving many companies still wondering how to develop and implement a data security program that meets the regulator’s reasonableness requirement. With input from in-house and outside counsel, we examine the FTC’s data security expectations in the context of the NIST Cybersecurity Framework. Part one of this two-part series explores the implications of the FTC’s recent communication and how and when practitioners use the Framework, and details three initial steps companies should take to meet the FTC’s reasonableness standard. Part two will cover the Framework’s core functions, how they align with the FTC’s requirements, and steps companies can take to incorporate these functions into their own security practices. See also “A Behind-the-Curtains View of FTC Security and Privacy Expectations” (Mar. 16, 2016).
