The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Breach Notification

  • From Vol. 4, No. 36 (Oct. 31, 2018)

    How to Comply With Canada’s New Privacy Breach Reporting and Record-Keeping Rules

    As of November 1, 2018, organizations subject to Canadian privacy law must comply with important new rules in relation to breaches. These rules will present new costs, risks and challenges for organizations and additional liability, reputational and regulatory exposures. In this guest article, the chair of Fasken’s privacy and cybersecurity group, Alex Cameron, provides an analysis of the new rules; practical compliance considerations, including a review of key guidance issued on October 29 by the Office of the Privacy Commissioner of Canada; and insight on how the new rules affect organizations based outside of Canada and interact with other laws. See also “Analyzing New and Amended State Breach Notification Laws” (Jun. 6, 2018).
  • From Vol. 4, No. 29 (Sep. 12, 2018)

    Colorado’s Revised Cybersecurity Law Clarifies and Strengthens Existing Requirements

    Colorado’s amended and restated consumer data privacy statute, which took effect on September 1, 2018, defines key terms, tightens breach notification requirements and adds security and data disposal requirements. This article details the changes, with insights from David M. Stauss, a partner at Ballard Spahr, who worked as an outside expert with the Colorado Attorney General and the bill sponsors after the bill was introduced in the Colorado Assembly. Colorado “is taking the lead on these types of laws,” he said. See “Synthesizing New York and Colorado’s Trailblazing Data Security Regulations for Financial Firms” (Jul. 12, 2017) and “Analyzing New and Amended State Breach Notification Laws” (Jun. 6, 2018).
  • From Vol. 4, No. 15 (Jun. 6, 2018)

    Analyzing New and Amended State Breach Notification Laws

    With the recent adoption of statutes by Alabama and South Dakota this year, all 50 states have breach notification laws integrating notification procedures. Arizona, Colorado and Oregon have also recently revised and strengthened their existing data breach notification laws. This article details the provisions of the new statutes and amendments, with insights from McGuireWoods partner Janet P. Peyton. See “Synthesizing Breach Notification Laws in the U.S. and Across the Globe” (Mar. 2, 2016).
  • From Vol. 4, No. 8 (Apr. 18, 2018)

    Guidance and Clarification on Asia’s Evolving Cybersecurity and Data Protection Laws

    Cybersecurity and data protection laws are changing rapidly across Asia, and it is imperative for companies operating in that region to track and understand these developments. Yet the existing guidance can be lacking. In this guest article, DLA Piper attorneys Scott Thiel and Maggie Wong answer critical questions about how the Chinese laws can impact a range of organizations and provide updates on Chinese enforcement and guidance, on which companies are particularly seeking clarification. They also provide top takeaways from Singapore’s new cybersecurity regulations and address developments in Australia, Malaysia and other active enforcement regimes in the Asia Pacific region. See also “The Sword of Damocles in the Information Age: How to Face the New Challenges Under the Chinese Cybersecurity Law” (Jan. 11, 2017).
  • From Vol. 4, No. 6 (Mar. 28, 2018)

    Singapore Focuses on Critical Infrastructure With New Cybersecurity Law

    Singapore recently passed a new cybersecurity law that focuses on critical internet infrastructure and services. Our sister publication, PaRR, spoke with experts regarding the new law, how it compares to Singapore’s other relevant laws as well as to other regulatory regimes in its region and what it means for multinational companies. See also “Understanding Australia’s Strengthened Breach Notification Scheme” (Mar. 18, 2018).
  • From Vol. 4, No. 5 (Mar. 14, 2018)

    Understanding Australia’s Strengthened Breach Notification Scheme

    Aside from the GDPR, there is a flurry of cybersecurity and data privacy regulatory activity across the globe. Changes enacted in Australia by the Privacy Amendment (Notifiable Data Breaches) Act 2017 recently came into force, putting in place new data breach investigation and notification obligations. Patrick Fair, a partner in Baker McKenzie’s Sydney office, spoke with The Cybersecurity Law Report about the changes and the impact these obligations will have on both Australian and global companies. See also “Synthesizing Breach Notification Laws in the U.S. and Across the Globe” (Mar. 2, 2016).
  • From Vol. 4, No. 3 (Feb. 14, 2018)

    NY AG and HHS Flex Regulatory Muscles in Recent Protected Health Information Breach Settlements

    Recent enforcement actions against Aetna Inc. and Fresenius Medical Care Holdings, Inc. resulted in respondents agreeing to pay significant fines and to update their policies, procedures and training. These cases, brought by the Office of the Attorney General of the State of New York and the Office for Civil Rights of the U.S. Department of Health & Human Services, are an important reminder that human error is often a significant factor in data breaches and that physical security is a critical component of data privacy. In addition, the Aetna action is the most recent example of New York’s active cybersecurity efforts. “New York has been on the leading edge of data security regulation . . . The Attorney General [] has been proactive,” Patterson Belknap partner Craig A. Newman told The Cybersecurity Law Report. “It’s fair to say that cyber is at the top of the state’s regulatory agenda.” We detail the breaches and settlement terms. See also “Takeaways From State AGs’ Record-Breaking Target Data Breach Settlement” (May 31, 2017).
  • From Vol. 4, No. 1 (Jan. 17, 2018)

    A Practical Look at the GDPR’s Data Breach Notification Provision

    The E.U. General Data Protection Regulation introduces specific breach notification obligations for data controllers and processors. To help covered entities better understand when notification is required and what processes they should have in place in order to meet their obligations, the Article 29 Working Party issued Guidelines on Personal Data Breach Notification at the end of 2017. In this article, with advice and perspective from a former Special Agent with the FBI’s Cyber Division and current head of Nardello & Co.’s digital investigations and cybersecurity practice, we cover key concepts of the WP29 guidance, processes organizations should have in place to comply with the GDPR’s breach notification provisions, and strategies to balance global notification requirements. We also look at the GDPR’s overall effectiveness in addressing cyber risk. See also “Five Months Until GDPR Enforcement: Addressing Tricky Questions and Answers” (Dec. 20, 2017).
  • From Vol. 3, No. 20 (Oct. 11, 2017)

    Lessons From the Equifax Breach on How to Bolster Incident Response Planning (Part Two of Two)

    After a vulnerability allowed hackers to access the sensitive personal data of an estimated 145.5 million individuals, Equifax is now facing numerous class actions along with multiple regulatory actions and investigations. “The facts as we see them raise the question of how well and whether Equifax tested the mega-breach scenario,” Mintz Levin partner Cynthia Larose told The Cybersecurity Law Report. In this second installment of our two-part series on incident response lessons from Equifax’s fallout, we provide experts’ top ten tips on ensuring a plan is efficient and effective. We also address the roles and responsibilities of key incident response stakeholders. In part one, we looked at Equifax’s mistakes and heard from experts on essential components of incident response planning and how to bolster those plans. See also our three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).
  • From Vol. 3, No. 19 (Sep. 27, 2017)

    Lessons From the Equifax Breach on How to Bolster Incident Response Planning (Part One of Two)

    While it is now fairly common practice for organizations to have a formalized incident response plan, many organizations fail to test those plans, leaving them susceptible to unanticipated problems. Credit reporting agency Equifax learned this lesson the hard way when it was hit by a cyber attack that exposed the addresses, Social Security numbers and financial information of 143 million customers. The breach has also led to over 20 class actions filed to date, at least one AG action filed thus far (with pending investigations by other AG offices and the FTC), and the departures of the CSO, CIO and the CEO. Other companies can learn from this fallout. In this first installment of our two-part series on incident response lessons from Equifax, we hear from experts on key components of incident response planning and how to bolster those plans by learning from Equifax’s mistakes. Part two will provide expert tips on ensuring an incident response plan is efficient and effective and will address key stakeholders and their roles and responsibilities. See also our three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).
  • From Vol. 3, No. 9 (May 3, 2017)

    Investigative Realities: Working Effectively With Forensic Firms (Part One of Two)

    Lawyers and computer forensic investigators have significantly different skills and perspectives, both of which are essential during cybersecurity incident response. The differences, however, can create friction and even conflict in setting priorities, communicating effectively and interpreting findings. In a two-part guest article series, Stephen Surdu, a senior advisor at Covington, and Jennifer Martin, of counsel at Covington, provide legal counsel with a better understanding of the focus of the forensic team in incident response, the various factors and evidentiary realities that may affect how an investigation is performed, and why response teams cannot always reach definitive conclusions. This first installment addresses investigative realities and how attorneys and forensic investigators can gain an understanding of each other’s perspectives and preemptively discuss any potential issues to be in the best position to address them efficiently during an incident and to provide the greatest value to their clients. See also our three-part series on forensic firms: “Understanding and Leveraging Their Expertise From the Start” (Feb. 22, 2017); “Key Contract Considerations and Terms” (Mar. 8, 2017); and “Effective Vetting and Collaboration” (Mar. 22, 2017).
  • From Vol. 3, No. 4 (Feb. 22, 2017)

    Marsh and FireEye Take the Pulse of European Cybersecurity Climate

    FireEye, Inc. and Marsh & McLennan Companies recently released their joint 2017 European cyber risk report, which is based in part on data collected by Marsh in a survey of 750 of its European clients. It analyzes the current European threat environment, benchmarks companies’ cyber perceptions, discusses coming regulations that should provide increased transparency on cyber attacks and provides best practices for cybersecurity preparedness. For more insight from FireEye, see “How the Financial Services Industry Can Manage Cyber Risk” (Jul. 20, 2016). For more from Marsh, see our two-part series: “Building a Strong Cyber Insurance Policy to Weather the Potential Storm (Part One of Two)” (Nov. 25, 2015) and Part Two (Dec. 9, 2015).
  • From Vol. 3, No. 3 (Feb. 8, 2017)

    Lessons From the Continued Uptick in HIPAA Enforcements

    The U.S. Department of Health and Human Services’ Office for Civil Rights has had an active start to 2017. The agency announced resolution agreements with MAPFRE Life Insurance of Puerto Rico and Presence Health as well as a final determination against Children’s Medical Center of Dallas that includes a $3.2 million civil monetary penalty. The actions highlight the need for companies to issue timely breach notifications, complete promised actions, and take swift remedial action to address known vulnerabilities. This article explains the three actions, provides advice on working with HHS, and examines 2017 regulatory expectations. “One thing that’s evident from these and other settlements is that once OCR is doing an investigation, it is not going to look only at the issue in question. It will open the door to a wider assessment of your HIPAA policies and procedures and practices. Once you’re in the spotlight, expect the spotlight to shine more broadly,” Lisa Sotto, a partner at Hunton & Williams, told The Cybersecurity Law Report. See also “Year-End HIPAA Settlements May Signal More Aggressive Enforcement by HHS” (Dec. 9, 2015).
  • From Vol. 3, No. 3 (Feb. 8, 2017)

    Key Strategies to Manage the First 72 Hours Following an Incident

    As soon as a company has identified an incident, things suddenly start to move fast and the situation can spiral out of control. Questions need to be answered. Is it a breach? What is the next step? Mishandling that first 72 hours after an incident is detected may have significant ramifications for the company’s bottom line. At the recent IAPP Practical Privacy Series conference, Seth Harrington, a partner at Ropes & Gray, and Brian Lapidus, Kroll’s managing director of identity theft and breach notification, covered the most important actions to take and the mistakes that could be made during this crucial time period. See also “How to Avoid Common Mistakes and Manage the First 48 Hours Post-Breach” (Jun. 22, 2016).
  • From Vol. 2, No. 12 (Jun. 8, 2016)

    Vendor Cyber Risk Management: 14 Key Contract Terms (Part Two of Two)

    Actions by third-party vendors with access to a company’s data are the cause of some of the most damaging breaches. Carefully vetting and monitoring those vendors is crucial to a strong cybersecurity program. At a recent panel at IAPP’s Global Privacy Summit, counsel from Under Armour, AOL and Unisys provided practical guidance on how to implement a comprehensive vendor management program. This article, the second installment in our coverage of the panel, includes fourteen key cybersecurity provisions to include in vendor contracts and the panelists’ strategies for monitoring the vendor relationship and for effective breach response. The first article in our series includes the panelists’ discussion of nine questions to ask vendors during the due diligence process and factors to consider before contract negotiations. See also “Learning From the Target Data Breach About Effective Third-Party Risk Management”: Part One (Sep. 16, 2015); Part Two (Sep. 30, 2015).
  • From Vol. 2, No. 5 (Mar. 2, 2016)

    Synthesizing Breach Notification Laws in the U.S. and Across the Globe

    Does your company have a comprehensive breach disclosure plan that complies with regulatory and legal obligations across the globe? In a recent panel held at Georgetown Law School, Harriet Pearson and Allison Bender, a partner and associate, respectively, at Hogan Lovells, discussed the changing legal landscape of breach notification obligations, including the proliferation of disclosure obligations at the state, national and transnational level, as well as disclosure obligations among organizations. See “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?” (May 20, 2015).
  • From Vol. 1, No. 15 (Oct. 28, 2015)

    Orrick Attorneys Explain California’s New Specific Standards for Breach Notification

    California, a state that has been a leader in strong data security laws, has amended those laws to make their breach notification requirements more specific. Aravind Swaminathan and Rishad Patel, Orrick partner and associate, respectively, spoke with The Cybersecurity Law Report about what companies need to know about the changes made by the amendments and how companies can approach the different notice requirements of 47 states. The California changes take effect January 1, 2016 and include SB 570, which requires specific breach notice formatting; SB 34, which expands the definition of personal information and clarifies the substitute notice process; and AB 964, which clarifies the meaning of encryption. See also “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).
  • From Vol. 1, No. 10 (Aug. 12, 2015)

    Meeting Expectations for SEC Disclosures of Cybersecurity Risks and Incidents (Part One of Two)

    The SEC has made clear that material cybersecurity risks and incidents should be disclosed to investors. However, determining what is material, as well as when and how to disclose, is less clear. This article, the first in a two-part series, provides guidance on how to make appropriate disclosures that will meet the expectations of the SEC and investors regarding form, substance and timing. The second article will provide suggestions and examples for language to use in disclosures. See also “The SEC’s Updated Cybersecurity Guidance Urges Program Assessments,” The Cybersecurity Law Report, Vol. 1, No. 3 (May 6, 2015).
  • From Vol. 1, No. 9 (Jul. 29, 2015)

    How to Prevent and Manage Ransomware Attacks (Part Two of Two)

    Even when companies take each recommended step to prevent a ransomware attack (such as properly training employees, backing up files, segregating data and limiting network access), a ransomware attack can still sneak through, and without a rapid, proper response, cause widespread damage. This article, the second of a two-part series, addresses how to handle a ransomware attack, when and how to report the incident, and strategies for working with law enforcement. The first article in the series explained the threat and provided steps that companies can take to prevent ransomware attacks and mitigate the impact if one does occur. See also “Weil Gotshal Attorneys Advise on Key Ways to Anticipate and Counter Cyber Threats,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).
  • From Vol. 1, No. 9 (Jul. 29, 2015)

    Canada’s Digital Privacy Act: What Businesses Need to Know

    Companies that conduct business in Canada or collect data from Canada will need to make significant changes going forward to comply with the recently enacted Digital Privacy Act. As Kirsten Thompson, Daniel G.C. Glover and Marissa Caldwell of McCarthy Tétrault explain, the substantial regulation mandates breach notification, imposes new consent requirements and significant fines, and changes the confidentiality requirements within government investigations. In addition, it gives the Office of the Privacy Commissioner of Canada an enforcement role. Even companies with no Canadian presence are looking closely at this legislation as the U.S., Europe and other countries debate legislative proposals of their own.
  • From Vol. 1, No. 8 (Jul. 15, 2015)

    The Challenge of Coordinating the Legal and Security Teams in the Current Cyber Landscape (Part Two of Two)

    Legal and security teams each play a crucial role in cybersecurity and data protection, but working together to understand the most pressing threats and shifting regulatory landscape can be challenging. In this second article of our two-part series covering a recent panel at Practising Law Institute’s Sixteenth Annual Institute on Privacy and Data Security Law, Lisa J. Sotto, managing partner of Hunton & Williams’ New York office and chair of the firm’s global privacy and cybersecurity practice, and Vincent Liu, a security expert and partner at security consulting firm Bishop Fox, give advice on how to prepare for and respond to a cyber incident and how security and legal teams can effectively work together throughout the process. The first article in this series discussed the current cyber threat landscape and the relevant laws and rules.
  • From Vol. 1, No. 7 (Jul. 1, 2015)

    Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)

    As cybersecurity concerns permeate every industry, it becomes increasingly urgent for lawyers across disciplines to understand the most pressing threats and shifting regulatory landscape; help shape and direct the responses; and be able to effectively communicate and collaborate with technical security efforts. In this first article in our two-part coverage of a recent panel at PLI’s Sixteenth Annual Institute on Privacy and Data Security Law, Lisa J. Sotto, managing partner of Hunton & Williams’ New York office and chair of the firm’s global privacy and cybersecurity practice, discusses the current cyber threat landscape and the relevant laws and rules. See “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015). The second part will detail her advice on preparing for and responding to a cyber incident and will include insight from her co-panelist Vincent Liu, a partner at security consulting firm Bishop Fox, on how security and legal teams can effectively work together throughout the process.
  • From Vol. 1, No. 2 (Apr. 22, 2015)

    Steps to Take Following a Healthcare Data Breach

    The prevalence, size and cost of healthcare breaches are skyrocketing, with hackers gaining sophistication and regulators becoming more active. It is a rare covered entity that has not had to report a data breach to patients/members and the U.S. Department of Health & Human Services Office for Civil Rights since the Health Information Technology for Economic and Clinical Health Act became effective in 2009. To assist healthcare companies in understanding and responding to data breaches in this regulatory environment, in a guest article, BakerHostetler partner Lynn Sessions discusses: the enforcement climate; the legal definition of a healthcare breach; strategies for handling unsecured personal health information; notification requirements and best notification procedures; activating a breach response team; mitigating the impact of a breach; and what’s next in cybersecurity for the healthcare industry.