The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Information Sharing

  • From Vol. 4 No.29 (Sep. 12, 2018)

    Information Sharing in the Private Sector: Lessons From the Financial Services Industry

    Sharing cyber intelligence has become a vital best practice for organizations in fending off cyber attacks. The financial services industry formed the first formal information sharing and analysis center (FS-ISAC) in 1999 and has helped other industries launch their own information sharing and analysis organizations (ISAOs). Alfred Saikali, a partner at Shook, Hardy & Bacon, spoke to The Cybersecurity Law Report about why FS‑ISAC is so effective, and what organizations should look for before joining an ISAO. See also “ISAO Organization Releases a Roadmap to Cyber Threat Information Sharing” (Oct. 5, 2016); and “Using Information Sharing to Combat Cyber Crime While Protecting Privacy” (Sep. 7, 2016).

  • From Vol. 3 No.20 (Oct. 11, 2017)

    FTC Launches Stick With Security Series, Adding Detail and Guidance to Its Start With Security Guide (Part Two of Two)

    Companies continue to seek more detailed guidance on data-security expectations from regulators such as the FTC. As a follow-up to its 2015 Start With Security Guide, which contained 10 fundamentals, the FTC launched its Stick With Security blog series. It builds on those 10 principles using hypotheticals to take “a deeper dive” into proactive data-protection steps. The first article in our two-part series examined the blog posts analyzing the first five principles of Start With, and this second article continues with the remaining five. The “examples in the posts help companies with line drawing and balancing risk,” Kelley Drye partner Dana Rosenfeld told The Cybersecurity Law Report. See “FTC Priorities for 2017 and Beyond” (Jan. 11, 2017); and “A Behind-the-Curtains View of FTC Security and Privacy Expectations” (Mar. 16, 2016).  

  • From Vol. 3 No.11 (May 31, 2017)

    Defending Against the Rising Threat of Ransomware in the Wake of WannaCry

    The recent WannaCry attack that affected 150 countries and hundreds of thousands of victims served as a wake-up call for many about the potential devastation of ransomware – malevolent software that extorts payments from people and organizations after infecting and encrypting their systems. “Whether it’s WannaCry or the whole host of other cybersecurity attacks that we’ve seen in recent times, these kinds of cyber attacks will continue in different scales,” Paul Rosen, a partner at Crowell & Moring, told The Cybersecurity Law Report. Companies and governments are increasingly trying to use information sharing and other collaboration to confront threats like WannaCry, and regulatory agencies such as the SEC have chimed in to emphasize what companies should be doing to mitigate the damage of future attacks. See also “Technology Leader Discusses How to Deal With the Growing Threat of Ransomware” (Jul. 6, 2016); and “Preparing For Ransomware Attacks As Part of the Board’s Fiduciary Duty” (Mar. 8, 2017).

  • From Vol. 3 No.9 (May 3, 2017)

    Infrastructure Cybersecurity Challenges: A View Through the Oil and Gas Pipeline Lens

    In 1997, the ad hoc Presidential Commission on Critical Infrastructure Protection issued an ominous warning that “the capability to do harm” by “cyberattack” to America’s critical infrastructures “is growing at an alarming rate, and we have little defense against it.” Jones Walker partner Andrew R. Lee argues in this guest article that since then, we have accepted the reality that the threat of critical infrastructure terror attacks is now pervasive, and has also grown increasingly complex and diffuse. He dissects the cybersecurity landscape in the energy industry, explains the effects of regulations and industry initiatives, and shares insights on what is coming from the Trump Administration. See “WilmerHale Attorneys Explain the Evolving Cybersecurity Environment of the Energy Sector” (Nov. 16, 2016).

  • From Vol. 3 No.1 (Jan. 11, 2017)

    Ten Cybersecurity Priorities for 2017

    Even companies that have mature information security practices in place must exercise constant vigilance by reevaluating their needs and improving their approaches. The Cybersecurity Law Report spoke with several experts to find out what companies should be focusing on and how they should allocate time and resources when setting cybersecurity priorities for 2017. In this article, we outline the resulting top ten cybersecurity action items for companies to tackle to ensure a more secure new year. See also “Cybersecurity Preparedness Is Now a Business Requirement” (Feb. 17, 2016).

  • From Vol. 2 No.25 (Dec. 14, 2016)

    Presidential Commission Recommends Ways For Public and Private Sectors to Improve Cybersecurity 

    Cybersecurity has been a focus of the current administration. To look beyond the current term, however, a nonpartisan commission appointed by President Obama recently issued an extensive report recommending short- and medium-term actions for the Trump administration and the private sector to take over the next five years to improve cybersecurity, while protecting privacy, fostering innovation and ensuring economic and national security. See also “White House Lays Out Its Broad Cybersecurity Initiatives” (Feb. 17, 2016) and “Gibson Dunn Attorneys Discuss the Impact of Obama’s Executive Order Creating New Tools to Fight Cyber Attacks” (May 6, 2015).

  • From Vol. 2 No.23 (Nov. 16, 2016)

    WilmerHale Attorneys Explain the Evolving Cybersecurity Environment of the Energy Sector

    Congress and federal agencies have dramatically strengthened cybersecurity requirements and authorities in the energy sector in recent years, with additional efforts underway. WilmerHale attorneys Jonathan Cedarbaum, Jason Chipman and Nathaniel Custer detailed these governmental efforts in an interview with The Cybersecurity Law Report, and discussed how the energy sector is responding to the changes. See also “How the American Energy Industry Approaches Security and Emphasizes Information Sharing” (Mar. 2, 2016).

  • From Vol. 2 No.22 (Nov. 2, 2016)

    FBI Veteran Discusses Using Law Enforcement’s Cyber Resources to Improve Security and Obtain Board Buy-In

    One key to smooth relations with law enforcement after a breach is establishing a connection before there is any trouble, John Riggi, now a managing director at BDO and the former Chief of the FBI’s Cyber Division Outreach Section, told The Cybersecurity Law Report. One way to develop that relationship is to invite the FBI to give a threat brief to the board of directors, he said. Riggi is a 30-year FBI veteran who worked on the government’s partnerships with the private sector for the investigation and exchange of information related to national security and criminal cyber threats. In our interview, he addressed how the FBI views its relationship with the private sector, the various ways companies of different sizes can take advantage of the FBI’s resources, the concerns companies may have when working with the FBI and the government’s role in the Yahoo breach. See also “Law Enforcement on Cybersecurity Matters: Corporate Friend or Foe?” Part One (Jun. 22, 2016); Part Two (Jul. 6, 2016).

  • From Vol. 2 No.21 (Oct. 19, 2016)

    Taking Action to Refocus on Security: Conversation With a CIO 

    Each sector faces both industry-specific as well as general data security risks. One challenge is implementing general cybersecurity best practices while also addressing the company's unique vulnerabilities. Ken Kurz, vice president of information technology and chief information officer at Corporate Office Properties Trust, a real estate investment trust focused on government and defense contractors, spoke with The Cybersecurity Law Report about evaluating current security efforts and taking substantial proactive steps involving people and technology to address the company’s priorities. See also “Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part One of Two)” (May 6, 2015); Part Two (May 20, 2015).

  • From Vol. 2 No.20 (Oct. 5, 2016)

    Examining Newly Released Privacy and Security Guidance for the Fast-Driving Development of Autonomous Cars

    Auto manufacturers and technology companies are moving closer to making driverless cars a reality, much to the excitement and fear of consumers. While autonomous cars have the potential to provide enormous safety and environmental benefits, this uncharted territory also presents an array of unknowns for companies and consumers. As a first step to address the risks of this new technology, and signal possible regulations, the government has released voluntary guidance for manufacturers that addresses safety, privacy and security. “The 15-point Safety Assessment may be a safe harbor that provides a benchmark for car manufacturers to meet,” Alma Murray, senior counsel for privacy at Hyundai Motor America, explained to The Cybersecurity Law Report. “This standard-setting is also good for the consumer/driver in that it sets a standard of care that must be met by manufacturers which, if not met, can subject the manufacturers to lawsuits.” See also “Managing Risk for the Internet of Things in the Current Regulatory Landscape” (May 11, 2016); and “Tackling Privacy and Cybersecurity Challenges While Fostering Innovation in the Internet of Things” (May 20, 2015).

  • From Vol. 2 No.20 (Oct. 5, 2016)

    ISAO Organization Releases a Roadmap to Cyber Threat Information Sharing 

    Sharing critical information regarding cyber threats is a valuable way to combat attacks, public and private sector entities agree. However, there are substantial obstacles to the growth of sharing platforms, including creating trust among the parties and planning the logistics of setting up a system. In an effort to help overcome these obstacles, encourage more sharing networks and ensure effective sharing across them, the Information Sharing and Analysis Organizations Standards Organization has released an initial voluntary set of guidelines. “Hackers typically target multiple companies, often in the same industries; companies or other entities with similar missions often have similar cyber risk profiles,” Jeremy Feigelson, a partner at Debevoise, told The Cybersecurity Law Report. “The more we know about the risks our peers face and the solutions they are employing, the safer we all are.” See “Using Information Sharing to Combat Cyber Crime While Protecting Privacy” (Sep. 7, 2016).

  • From Vol. 2 No.18 (Sep. 7, 2016)

    Using Information Sharing to Combat Cyber Crime While Protecting Privacy 

    Sharing cyber intelligence information across respective industries is becoming an increasingly important way to predict and possibly prevent cyber attacks. Many companies, however, are not sharing data efficiently or at all. Alfred Saikali, Shook Hardy & Bacon partner, and Andrew Moir, a partner in the London office of Herbert Smith Freehills, shared their insights with The Cybersecurity Law Report on the importance of and best approaches to information sharing. They also highlighted issues companies should consider to protect themselves when engaging in the process, both from U.S. and U.K. perspectives. See also “How the Legal Industry Is Sharing Information to Combat Cyber Threats” (Sep. 16, 2015).

  • From Vol. 2 No.15 (Jul. 20, 2016)

    How the Financial Services Industry Can Manage Cyber Risk

    Financial services providers and financial institutions are prime targets for hackers, and have also been targets of SEC scrutiny – the agency has recently brought actions against Morgan Stanley, Craig Scott Capital, and RT Jones for cybersecurity violations, even in the absence of a breach. How can firms in those industries ensure their cybersecurity programs are robust and mitigate risk? At a recent symposium held by the Hedge Fund Association, panelists with various cybersecurity perspectives and expertise shared their insight on preparedness, incident response plans, vendor management, cyber insurance (including recommendations for carriers) and whether to use cloud services. See also our two-part series on how the financial services sector can meet the cybersecurity challenge: “A Snapshot of the Regulatory Landscape (Part One of Two)” (Dec. 9, 2015); “A Plan for Building a Cyber-Compliance Program (Part Two)” (Jan. 6, 2016).

  • From Vol. 2 No.14 (Jul. 6, 2016)

    Law Enforcement on Cybersecurity Matters: Corporate Friend or Foe? (Part Two of Two)

    With a mission to identify the perpetrator and to build a prosecutable case, law enforcement can help a company facing a cybersecurity incident. Working with law enforcement, however, often presents challenges for the company and its counsel. Preparation prior to the interaction can offer a smoother road. This second article in our two-part series provides expert insight on interacting with law enforcement when there has been a breach, including advice regarding the first call, the controls companies should have in place and the type of information law enforcement really needs. Part one covered concerns that arise when dealing with law enforcement officials, benefits of coordination and recommendations for when and how to establish a successful relationship with them. See also “Google, CVS and the FBI Share Advice on Interacting With Law Enforcement After a Breach” (May 11, 2016).

  • From Vol. 2 No.13 (Jun. 22, 2016)

    Law Enforcement on Cybersecurity Matters: Corporate Friend or Foe? (Part One of Two)

    Countless corporate cyber crime victims have avoided contacting law enforcement, fearing reputational, regulatory, litigation or operational consequences. Given the increased number and sophistication of cyber attacks, more corporations will consider the merits of integrating law enforcement agencies into their incident response strategies. In the first article of this two-part series, in-house and outside counsel along with government officials share insight on the risks and benefits of coordinating with these agencies, and recommendations for when and how to establish a successful relationship with them. Part two will address interacting with law enforcement when there is a breach, including expert advice regarding the first call, the controls companies should have in place and the type of information the agencies really need. See also “Google, CVS and the FBI Share Advice on Interacting With Law Enforcement After a Breach” (May 11, 2016).

  • From Vol. 2 No.12 (Jun. 8, 2016)

    Minimizing Class Action Risk in Breach Response

    Cybersecurity programs today must take into consideration the risk of class action litigation and include measures to mitigate those risks. David Lashway, a partner and global cybersecurity practice lead at Baker & McKenzie, spoke with The Cybersecurity Law Report in advance of ALM’s Mid-Year Cybersecurity and Data Protection Legal Summit on June 15, 2016, at the Harvard Club in New York City, where he will participate as a panelist. An event discount code is available to CSLR readers inside the article. In our interview, Lashway addresses mitigating litigation risk following a data security incident, takeaways from recent cases such as Target and Sony and class action litigation trends. See also “Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation”: Part One (Nov. 25, 2015); Part Two (Dec. 9, 2015).

  • From Vol. 2 No.10 (May 11, 2016)

    Google, CVS and the FBI Share Advice on Interacting With Law Enforcement After a Breach

    Among the many decisions companies must make following a cyber incident are whether, when and how to engage with law enforcement. At the recent FT Cyber Security Summit USA, experts from Google, CVS Health, the FBI and the Center for Strategic and International Studies gave their advice on interacting with the government, and discussed the responsibilities and priorities of the compliance and legal teams in the wake of an attack. See also “Picking up the Pieces After a Cyber Attack and Understanding Sources of Liability” (Apr. 13, 2016).

  • From Vol. 2 No.9 (Apr. 27, 2016)

    Regulators Speak Candidly About Cybersecurity Trends, Priorities and Coordination

    Understanding the regulators’ priorities and concerns can help a company work effectively with them to investigate and respond to cybersecurity incidents. In a recent panel at the ABA National Institute on Cybersecurity Litigation, authorities from the DOJ, the SEC, the FCC and the Connecticut Attorney General’s office weighed in about the cyber threat landscape, their agencies’ enforcement priorities, strategies for collaboration (including when and how information shared with the government will remain confidential) and effective incident response. See also “Private and Public Sector Perspectives on Producing Data to the Government” (Jun. 3, 2015).

  • From Vol. 2 No.8 (Apr. 13, 2016)

    A Look Inside the Cybersecurity and Privacy Law Department of a Top Defense Company

    The “bad guys” seeking to hack into systems of defense companies want sensitive information not for commercial success, but to do our nation and our allies harm, and that changes the cybersecurity equation, Raytheon’s John Smith told The Cybersecurity Law Report. In a Q&A, Smith, the vice president, cybersecurity and privacy, and general counsel of the global business services group at Raytheon, discusses how the Raytheon cybersecurity and privacy department is structured, when outside counsel is called in, how Raytheon approaches information sharing, why the new Department of Defense cybersecurity guidance is flawed, and more. See also “How the American Energy Industry Approaches Security and Emphasizes Information Sharing” (Mar. 2, 2016).

  • From Vol. 2 No.6 (Mar. 16, 2016)

    CSIS’ James Lewis Discusses Balancing Law Enforcement and Privacy

    “Surveillance to keep me safe from crime and terrorism is bad, but surveillance to sell me deodorant is good?” James Lewis, director and senior fellow at the Center for Strategic and International Studies, and author of Securing Cyberspace for the 44th Presidency, posed this and other questions in a conversation with The Cybersecurity Law Report about the tension between law enforcement and privacy concerns. He also shared his candid and colorful views on, among other things, the ongoing dispute about law enforcement’s access to the San Bernardino shooter’s iPhone, and how the public and private sectors can coordinate cybersecurity efforts. See also “White House Lays Out Its Broad Cybersecurity Initiatives” (Feb. 17, 2016).

  • From Vol. 2 No.5 (Mar. 2, 2016)

    How the American Energy Industry Approaches Security and Emphasizes Information Sharing

    The North American bulk power system, a large, complex machine consisting of thousands of generation plants and thousands of miles of transmission lines, has become a model for cybersecurity, according to Marcus Sachs, senior vice president and chief security officer of North American Electric Reliability Corporation, a not-for-profit regulatory authority. In this guest article, Sachs discusses how the industry has avoided loss-of-load events due to a cyber or physical attack on a power plant, and steps the industry is taking to address cyber threats, including its continued focus on information sharing, where it has been a leader for other sectors. Sachs will be a panelist at the Financial Times Cyber Security Summit on March 16, 2016 in Washington, D.C. See also “Energy Industry Demonstrates Public-Private Cybersecurity Coordination” (Oct. 14, 2015).

  • From Vol. 2 No.1 (Jan. 6, 2016)

    Opportunities and Challenges of the Long-Awaited Cybersecurity Act of 2015

    After years of discussions, numerous draft bills and extended debates about the privacy and liability risks associated with information sharing, on December 18, 2015, President Obama signed into law the Cybersecurity Act of 2015 as part of the omnibus spending bill.  Title I of the Act, Cybersecurity Information Sharing (CISA), establishes a framework for sharing and receiving cyber threat information among the private sector and federal government entities.  It shields companies from liability for sharing cyber threat information in accordance with certain procedures, as well as for specific actions undertaken to defend or monitor corporate networks.  Saxby Chambliss, DLA Piper partner and former U.S. Senator who served on the Senate Select Committee on Intelligence and sponsored an earlier cybersecurity bill, told The Cybersecurity Law Report that this Act “is going to be beneficial to both big and small companies.  It is another tool in the toolbox that allows companies to protect their systems and the information that is on them.”  However, Shahryar Shaghaghi, BDO Consulting’s managing director and technology advisory leader, cautioned that CISA will also pose “potential challenges” to companies in terms of the resources required to share cyber threat information and perceived privacy risk.  See also “How the Legal Industry Is Sharing Information to Combat Cyber Threats” (Sep. 16, 2015).

  • From Vol. 1 No.17 (Nov. 25, 2015)

    Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation (Part One of Two)

    In addition to the direct consequences of a data security incident, many companies that suffer data breaches must face lawsuits.  In a recent webinar, Mintz Levin members Meredith Leary, Kevin McGinty and Mark Robinson discussed the various types of data security litigation and gave advice on how companies can best prepare for the likelihood of a lawsuit after a data breach.  This article, the first in a two-part series, features their insight on how companies can put themselves in the best position now to defend their actions later.  The panelists also identified threshold questions that companies can ask themselves during an internal investigation following a data breach.  In the second article, they further explore best practices for internal investigations and common defenses in data breach class actions.  See also “Liability Lessons from Data Breach Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 16 (Nov. 11, 2015).

  • From Vol. 1 No.16 (Nov. 11, 2015)

    What Companies Can Learn from Cybersecurity Resources in Pittsburgh

    Cyber crime is a serious threat – it cripples companies, damages economies, funds terrorism, launders drug money and bleeds the assets of individuals, according to the DOJ.  Often this cyber war is waged from shadows overseas (and often in the form of corporate cyber espionage).  Companies should be using a broad array of tools to prevent and mitigate the effect of international and domestic cyber crime, such as information sharing, sufficient cyber insurance as well as a thorough breach response plan that includes proper notification and preservation of evidence for future actions.  As K&L Gates attorneys Mark A. Rush and Joseph A. Valenti describe in a guest article, one place where law enforcement and the private sector have come together is Pittsburgh, where a string of major cyber crime cases has recently been prosecuted.  Developments there can serve as a model for cybersecurity measures across the country and across industries.  Rush and Valenti describe cybersecurity best practices before, during and after a breach, as well as some unique ways government officials as well as companies in Pittsburgh specifically are handling cyber crime.  See also “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).

  • From Vol. 1 No.15 (Oct. 28, 2015)

    MasterCard and U.S. Bancorp Execs Share Tips for Awareness and Prevention of Mushrooming Cyber Risk (Part Two of Two)

    With threat vectors increasing at least as rapidly as new technology, companies need to be well-versed in how to recognize and prevent cyber attacks.  In the second installment of our coverage of PLI’s recent Cybersecurity 2015: Managing the Risk program, two top-level executives and leaders in cybersecurity, Jenny Menna, U.S. Bank’s cybersecurity partnership executive, and Greg Temm, vice president for information security and cyber intelligence at MasterCard, tackle mitigating cyber risk.  They discuss, among other things: information sharing efforts; eight important components of an information technology ecosystem; and how to prevent cyber attacks at home and in the office.  In the first article in the series, they addressed the current cyber landscape, prevalent threats, and responses to those threats that are being implemented by the government, regulators and private companies.  See also “Weil Gotshal Attorneys Advise on Key Ways to Anticipate and Counter Cyber Threats,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).

  • From Vol. 1 No.14 (Oct. 14, 2015)

    Energy Industry Demonstrates Public-Private Cybersecurity Coordination

    Through presidential proclamation, October has been named the twelfth National Cyber Security Awareness Month (NCSAM). Throughout the month, many governmental agencies and private enterprises will participate in panels, conferences and other events throughout the country to emphasize cyber risks and best practices. For example, speakers at the U.S. Chamber of Commerce’s Fourth Annual Cybersecurity Summit included top officials at the U.S. Department of Homeland Security and in the Department of Energy and private sector leaders such as the CEO of Southern Company. They emphasized the NCSAM theme this year – “Our Shared Responsibility” – by focusing on how the private and public sector can work together to strengthen cybersecurity and defuse cyber threats. See also our series featuring FBI Director James Comey's discussion of the “‘Evil Layer Cake’ of Cybersecurity Threats,” The Cybersecurity Law Report, Vol. 1, No. 5 (Jun. 3, 2015); and “Cooperation among Domestic and International Cybersecurity Law Enforcement Communities,” Vol. 1, No. 6 (Jun. 17, 2015).

  • From Vol. 1 No.12 (Sep. 16, 2015)

    How the Legal Industry Is Sharing Information to Combat Cyber Threats

    “There’s only one way to defend America from these cyber threats, and that is through government and industry working together, sharing appropriate information as true partners,” President Obama said earlier this year.  Private efforts and proposed legislation are promoting increased information-sharing within industries, across sectors and between industry and government, and assuaging fears companies may have about participating.  The legal industry is working with Financial Services Information Sharing and Analysis Center (FS-ISAC), a non-profit organization founded in 1999, to establish its own group, the Legal Services Information Sharing and Analysis Organization.  Cindy Donaldson, FS-ISAC’s vice president of products and services, discussed with The Cybersecurity Law Report how the organization, which is also working with the real estate and retail sectors, operates.  See also “Understanding and Addressing Cybersecurity Vulnerabilities at Law Firms: Strategies for Vendors, Lawyers and Clients,” The Cybersecurity Law Report, Vol. 1, No. 5 (Jun. 3, 2015).

  • From Vol. 1 No.9 (Jul. 29, 2015)

    How to Prevent and Manage Ransomware Attacks (Part Two of Two)

    Even when companies take each recommended step to prevent a ransomware attack (such as properly training employees, backing up files, segregating data and limiting network access), a ransomware attack can still sneak through, and without a rapid proper response, cause widespread damage.  This article, the second of a two-part series, addresses how to handle a ransomware attack, when and how to report the incident, and strategies for working with law enforcement.  The first article in the series explained the threat and provided steps that companies can take to prevent ransomware attacks and mitigate the impact if one does occur.  See also “Weil Gotshal Attorneys Advise on Key Ways to Anticipate and Counter Cyber Threats,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).

  • From Vol. 1 No.7 (Jul. 1, 2015)

    SEC Commissioner Says Public-Private Partnership Is Key to Effective Cybersecurity

    In a speech at this year’s SINET Innovation Summit, SEC Commissioner Luis Aguilar emphasized the “scope and urgency” of cybersecurity threats and the ineffectiveness of many network security programs, citing a multitude of studies.  He also called for more formalized information-sharing between private sector companies and the government.  See also “In a Candid Conversation, FBI Director James Comey Talks About the ‘Evil Layer Cake’ of Cybersecurity Threats,” The Cybersecurity Law Report, Vol. 1, No. 5 (Jun. 3, 2015).

  • From Vol. 1 No.6 (Jun. 17, 2015)

    In a Candid Conversation, FBI Director James Comey Discusses Cooperation among Domestic and International Cybersecurity Law Enforcement Communities (Part Two of Two)

    The FBI’s understanding of cybersecurity has advanced from the youth league to college-level in the past decade, FBI Director James Comey told WilmerHale partner Ben Powell at the annual Georgetown Cybersecurity Law Institute.  Much of that improvement has to do with growing cooperation between governments, and within our own, along with increased efforts by the private sector.  But, he said, the FBI needs to get to World Cup play.  This article, the second part of the CSLR’s two-part series, covers Comey’s frank comments about: the role of the FBI in relation to other law enforcement agencies; international cybersecurity developments; international cooperation in a post-Snowden world; pending information-sharing legislation in Congress; misperceptions about the FBI that he hears from the private sector; and how the FBI competes with the private sector for talent.  The first article discussed how the FBI has adapted its techniques in the face of cyber threats; the FBI’s relationship with local law enforcement agencies and the private sector; his concerns about the encryption of data; and how the FBI has expanded its information-sharing programs with the private sector. 

  • From Vol. 1 No.5 (Jun. 3, 2015)

    In a Candid Conversation, FBI Director James Comey Talks About the “Evil Layer Cake” of Cybersecurity Threats (Part One of Two)

    In a wide-ranging and frank conversation with WilmerHale partner Ben Powell at the annual Georgetown Cybersecurity Law Institute, FBI Director James Comey likened the cybersecurity dangers the country faces to an “evil layer cake” and called general counsels (including himself in his former role) “obstructionist weenies.”  This article, the first part of the CSLR’s two-part series, covers Comey’s remarks about: how the FBI has adapted its techniques in the face of cyber threats; the FBI’s relationship with local law enforcement agencies and the private sector; his concerns about the encryption of data; and how the FBI has expanded its information-sharing programs with the private sector.  In the second part, we will cover Comey’s views on: the role of the FBI in relation to other law enforcement agencies; international cybersecurity developments; international cooperation in a post-Snowden world; misperceptions about the FBI that he hears from the private sector; information-sharing legislation; and how the FBI competes with the private sector for talent.  See also “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).

  • From Vol. 1 No.5 (Jun. 3, 2015)

    Private and Public Sector Perspectives on Producing Data to the Government

    Document requests from the government during a breach investigation can be overwhelming, even for large companies.  During a panel at Practising Law Institute’s 2015 Government Investigations event, officials from the DOJ, CFTC and SEC, along with private practitioners, shared their insight on the first steps companies should take after receiving a subpoena or other request, how to effectively negotiate with the government about the scope of the request, whether and how the government takes the burden of document productions on companies into account, and more.  See also “Top Private Practitioners and Public Officials Detail Hot Topics in Cybersecurity and Best Practices for Government Investigations,” The Cybersecurity Law Report, Vol. 1, No. 3 (May 6, 2015).

  • From Vol. 1 No.4 (May 20, 2015)

    DOJ Encourages Cyber Incident Reporting and Advance Planning with Best Practices Guidance

    Following other government agencies that have weighed in on cybersecurity, the DOJ’s Cybersecurity Unit has published guidance titled “Best Practices for Victim Response and Reporting of Cyber Incidents,” outlining its recommendations for steps to take prior to a cyber incident; how to respond to an incident, including mistakes often made in the chaos following an incident; and effective follow-up actions. Experts say that while it is nothing new, the document does emphasize the government’s expectations. The Guidance “reinforces the notion that a ‘check-the-box’ approach to cybersecurity does not suffice.  Companies must implement a thoughtful, robust and effective plan that is tailored to the company’s particular business, risks and operations,” Richard Tarlowe, counsel at Paul, Weiss, told The Cybersecurity Law Report.
