The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Cloud-Based Technology

  • From Vol. 4 No.38 (Nov. 14, 2018)

    Negotiating SaaS Agreements

    Software-as-a-service, or SaaS, contracts are superseding the traditional licenses that customers received when purchasing other types of software. This article provides insight from a recent Strafford program on negotiating key provisions of SaaS contracts, including data ownership, controls over data, data security, indemnification, reps and warranties and levels of service. The program featured counsel from Microsoft, Culhane Meadows and Sycamore Legal. See also “Essential Cyber, Tech and Privacy M&A Due Diligence Considerations” (Aug. 8, 2018); and “What Lawyers Need to Know About Security Technologies and Techniques (Part Three of Three)” (Jun. 13, 2018).

  • From Vol. 4 No.24 (Aug. 8, 2018)

    Essential Cyber, Tech and Privacy M&A Due Diligence Considerations

    Evolving threats, regulatory focus and innovation require every transaction to now include some technology, privacy and cybersecurity due diligence. A target’s problems in these areas can manifest themselves in painful ways, whereas a robust infrastructure can dramatically improve value. This article covers a recent ACA Aponix program that detailed key issues to consider when reviewing cybersecurity, information technology and regulatory compliance at target and portfolio companies. See also “Effective M&A Contract Drafting and Internal Cyber Diligence and Disclosure” (Dec. 20, 2017).

  • From Vol. 4 No.21 (Jul. 18, 2018)

    Overcoming Barriers to Cross-Border Data Flows, Contract Provisions and Other Digital Transformation Issues

    “Cross-border data matters because every industry is now data-driven,” Ambassador Robert Holleyman, a partner at Crowell & Moring, observed at a recent program presented by the firm. The panelists explored issues relating to the use and exchange of data in an increasingly interconnected world, including barriers to data flows, five key contract provisions for cross-border agreements and digital advertising and tracking. Along with Holleyman, the program featured Crowell & Moring partners Bryan Brewer and Amy B. Comer, as well as senior counsel Maarten Stassen. See “Reconciling Data Localization Laws and the Global Flow of Information” (Oct. 11, 2017).

  • From Vol. 4 No.16 (Jun. 13, 2018)

    What Lawyers Need to Know About Security Technologies and Techniques (Part Three of Three)

    The legal team is a crucial part of a company’s cybersecurity program and it is essential for members of that team to understand security technologies and how they are used to mitigate data breach risk. This final installment in our three-part series, featuring advice from legal and technical experts, covers how and when common types of cloud solutions are used and the attorney’s role in mitigating risk in connection with this service. It also addresses what to consider when “hacking back” to secure data. Part one explored the appropriate knowledge base for the different attorney roles, technology’s place in mitigating risk, and certain technologies and techniques, such as pen testing. Part two continued examining other security techniques, including red teaming, vulnerability scanning and social engineering. See also “Negotiating an Effective Cloud Service Agreement” (Sep. 13, 2017).

  • From Vol. 4 No.7 (Apr. 11, 2018)

    Breaking the Cloud: CLOUD Act Brings Data Held Overseas Under U.S. Jurisdiction

    On the heels of Supreme Court oral arguments in a case that brought the data issues of international law enforcement front and center, Congress passed the CLOUD Act, a major step by the U.S. in extending the reach of law enforcement where electronic content is concerned. The law is controversial, but its significance is not in dispute – “it purports to resolve the question of whether and how the federal government can compel service providers that are within the jurisdiction of the U.S. courts to produce data stored abroad,” Paul Hastings partner Behnam Dayanim told The Cybersecurity Law Report. In this article, we analyze the law and its implications. See “Managing Data Privacy Across Multiple Jurisdictions” (Nov. 8, 2017); and “Navigating Data Privacy Laws in Cross-Border Investigations” (Dec. 14, 2016).

  • From Vol. 3 No.18 (Sep. 13, 2017)

    Negotiating an Effective Cloud Service Agreement

    As attractive, economically viable and convenient as the cloud is, companies must be cognizant of the potential cybersecurity risks associated with any cloud-services arrangement. A well-drafted contract between the corporate customer and cloud-service provider is an essential tool for managing that risk on both sides. This article, based on insights offered at a recent PLI event, covers what a prospective business customer should and should not expect from a cloud-service provider, and why some provisions that look good in writing might not be quite so helpful in practice. See also “The Advantages of Sending Data Up to the Cloud” (Jun. 17, 2015).

  • From Vol. 2 No.25 (Dec. 14, 2016)

    FINRA Lays Out Cyber Expectations in Action Against Broker-Dealer

    A recent FINRA action against Lincoln Financial Securities Corporation, a general securities business, involving the firm’s alleged failure to safeguard customer data, preserve customer records and implement an appropriate supervisory system sheds light on regulatory expectations for a range of sectors. This article explains the alleged misconduct, the terms of the settlement, the remedial measures the firm is implementing, and the cybersecurity measures FINRA expects firms to take. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

  • From Vol. 2 No.15 (Jul. 20, 2016)

    How the Financial Services Industry Can Manage Cyber Risk

    Financial services providers and financial institutions are prime targets for hackers, and have also been targets of SEC scrutiny – the agency has recently brought actions against Morgan Stanley, Craig Scott Capital, and RT Jones for cybersecurity violations, even in the absence of a breach. How can firms in those industries ensure their cybersecurity programs are robust and mitigate risk? At a recent symposium held by the Hedge Fund Association, panelists with various cybersecurity perspectives and expertise shared their insight on preparedness, incident response plans, vendor management, cyber insurance (including recommendations for carriers) and whether to use cloud services. See also our two-part series on how the financial services sector can meet the cybersecurity challenge: “A Snapshot of the Regulatory Landscape (Part One of Two)” (Dec. 9, 2015); “A Plan for Building a Cyber-Compliance Program (Part Two)” (Jan. 6, 2016).

  • From Vol. 2 No.7 (Mar. 30, 2016)

    How Law Firms Should Strengthen Cybersecurity to Protect Themselves and Their Clients

    Law firms store a wealth of sensitive and confidential information electronically, making them prime targets for hackers. Not only does weak data security affect business development and client retention for firms, but it can also result in legal and ethical violations. How can firms meet clients' increasing data expectations? How can clients determine how robust their current and potential firms’ systems are? What mistakes are law firms making? John Simek, vice president and co-founder of cybersecurity and digital forensics firm Sensei Enterprises, Inc., answered these and other questions about law firm data security in a conversation with The Cybersecurity Law Report. See also “Sample Questions for Companies to Ask to Assess Their Law Firms’ Cybersecurity Environment” (Jun. 17, 2015).

  • From Vol. 1 No.17 (Nov. 25, 2015)

    Implementing an Effective Cloud Service Provider Compliance Program

    The ubiquity of cloud computing platforms as a tool for companies to share, store and back up critical and sensitive data has catapulted the implementation of a comprehensive third-party cloud service provider program to the top of compliance officers’ ever-growing to-do lists. During a recent seminar held by the Society of Corporate Compliance & Ethics, Web Hull, a privacy, data protection and compliance advisor, provided a practical framework for engaging, managing, auditing and monitoring third-party cloud computing providers. This article summarizes those insights, including key risks, and compiles the resources compliance officers can use to meet the relevant state and federal cybersecurity regulatory requirements. See also “Examining Evolving Legal Ethics in the Age of the Cloud, Mobile Devices and Social Media (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 11 (Aug. 26, 2015); “Part Two,” Vol. 1, No. 12 (Sep. 16, 2015); and “The Advantages of Sending Data Up to the Cloud,” The Cybersecurity Law Report, Vol. 1, No. 6 (Jun. 17, 2015).

  • From Vol. 1 No.11 (Aug. 26, 2015)

    Examining Evolving Legal Ethics in the Age of the Cloud, Mobile Devices and Social Media (Part One of Two)

    Lawyers often don’t think about the ethics rules as applied to their conduct online or through the use of technology, panelists said at a recent conference hosted by PLI’s TechLaw Institute. But as technology advances and continues changing the way lawyers practice, the ethical obligations of lawyers have also evolved in light of the new ways that practitioners communicate with clients, and store and use sensitive information. Addressing technology issues through a legal ethics prism, panelists David J. Elkanich, a partner at Holland & Knight, and Pamela A. Bresnahan, a senior partner at Vorys, Sater, Seymour and Pease, discussed the ethical issues that lawyers face when using technology in their practices, and the practical steps lawyers can take to prevent or mitigate these risks. This article, the first of our two-part series, covers ethical rules as they apply to technology and the proper use of cloud technology and mobile devices. The second part will cover ethical guidance for attorneys in the realm of social media. See also “Understanding and Addressing Cybersecurity Vulnerabilities at Law Firms: Strategies for Vendors, Lawyers and Clients,” The Cybersecurity Law Report, Vol. 1, No. 5 (Jun. 3, 2015).

  • From Vol. 1 No.11 (Aug. 26, 2015)

    FTC Weighs In on the Security of Health Care Data on the Cloud

    Like many industries, the health care sector is relying more heavily on new technology to provide digital medical records that are often stored on cloud-based servers and transmitted electronically.  With the technological advances come privacy and security concerns that the FTC is watching closely.  Cora Han, a senior attorney in the Division of Privacy and Identity Protection at the FTC, recently spoke at a meeting of the Health Care Cloud Coalition, a not-for-profit representing cloud computing, telecommunication, digital health, and healthcare companies in the health care sector.  Han addressed the FTC’s expectations and enforcement efforts for privacy and security related to cloud-based mobile technology companies in the health care industry.  See also “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.6 (Jun. 17, 2015)

    The Advantages of Sending Data Up to the Cloud 

    As their data storage and security requirements grow, companies are increasingly turning to cloud service providers.  Cloud storage offers a valuable and efficient option for companies as long as companies thoughtfully manage what data to store remotely and where to send it.  In this interview with The Cybersecurity Law Report, Paul Ferrillo, counsel at Weil, Gotshal & Manges in its Cybersecurity, Data Privacy and Information Management group, discussed the advantages of cloud services, how to select a secure cloud vendor, and data classification questions to ask to determine what to store in the cloud and what to keep on the ground.  See also “Weil Gotshal Attorneys Advise on Key Ways to Anticipate and Counter Cyber Threats,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).

  • From Vol. 1 No.4 (May 20, 2015)

    Weil Gotshal Attorneys Advise on Key Ways to Anticipate and Counter Cyber Threats

    How to handle five data privacy danger zones; the board’s role in cybersecurity; public relations strategies after a breach; and clauses to include in cloud vendor contracts were among the hot topics Weil, Gotshal & Manges attorneys discussed at a recent conference.  Partners Carrie Mahan Anderson, Jeffrey S. Klein, P.J. Himelfarb, Jeffrey D. Osterman and Michael A. Epstein shared their advice in the panel discussion.

  • From Vol. 1 No.3 (May 6, 2015)

    Top Private Practitioners and Public Officials Detail Hot Topics in Cybersecurity and Best Practices for Government Investigations

    A former federal judge, officials at the Consumer Financial Protection Bureau and the DOJ as well as attorneys from Crowell Moring and Document Technologies Inc. were among the panelists at a recent program hosted by the Practising Law Institute.  The panel covered a broad range of topics including public awareness of data security issues; the scope and operation of government investigations regarding data breaches; practical advice for companies developing data security programs; and recent legal issues and developments related to data security.
