The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation


By Topic: Third Parties

  • From Vol. 4 No.25 (Aug. 15, 2018)

    Checklist Approach to Effective Third-Party Vendor Oversight

    Firms rely heavily on third-party vendors in their day-to-day operations, but these vendors can introduce great risks. To mitigate risk, companies should systematically and thoroughly oversee each relationship. Once a third-party contract is established, companies should assess the vendor relationship for ongoing risk and develop procedures to address issues and risks as they are identified. This guide details risk-assessment considerations and steps to address and mitigate ongoing risk and compliance issues. See also “How to Maintain Effective and Secure Long-Term Vendor Relationships: Understanding the Risks (Part One of Two)” (Jun. 20, 2018); Part Two (Jun. 27, 2018).

  • From Vol. 4 No.21 (Jul. 18, 2018)

    GDPR Essentials for the Financial Sector: Compliance Steps (Part Two of Three)

    Can a bank or financial services firm partially comply with the GDPR? Some say it is an all-or-nothing proposition, but others assert that some economical steps can take a U.S.-based entity with limited E.U. contact most of the way. In this article, we discuss some of those compliance steps and how to preserve defenses to a class action that companies may be unwittingly waiving. The first article in the series discussed the current state of compliance in the financial sector, the extraterritorial applicability of the GDPR, its relationship to U.S. laws, enforcement priorities and the risk of collective action. The third installment in the series will examine special considerations of the law – such as determining the identity of controllers and processors and accounting for Member-State specificities – and will provide advice on monitoring ongoing compliance. See “What Are the GDPR’s Implications for Alternative Investment Managers? (Part One of Two)” (Jun. 20, 2018); Part Two (Jun. 27, 2018).

  • From Vol. 4 No.20 (Jul. 11, 2018)

    GDPR Essentials for the Financial Sector: Benchmarking and Assessing the Risks (Part One of Three)

    Most banks and financial services firms are certainly aware of the GDPR, but the level of compliance and focus on it varies across the industry. “There are inquiries about GDPR on information-sharing sites, such as ‘Have you done a risk assessment for GDPR?’” Jeff Patterson, executive vice president at ANB Bank, told The Cybersecurity Law Report, “but I don’t think a lot of the professional associations in the industry think it is a big risk at this point.” Is that a mistake? In this article, we discuss the current state of compliance in the financial sector, the extraterritorial applicability of the GDPR, its relationship to U.S. laws, enforcement priorities and the risk of collective action. The second installment in the series will address specific compliance steps and identify common errors. The third article will examine special considerations of the law – such as determining the identity of controllers and processors and accounting for Member-State specificities – and will provide advice on monitoring ongoing compliance. See “Countdown to GDPR Enforcement: Final Steps and Looking Ahead” (May 16, 2018).

  • From Vol. 4 No.19 (Jul. 4, 2018)

    How to Maintain Effective and Secure Long-Term Vendor Relationships

    Once the critical process of vetting and selecting vendors is complete, the third-party oversight work begins. Change is inevitable – whether it be in regulations, data sets, technology, products or circumstances – and organizations need to follow up with the vendors and ensure the relationship is maintained properly. Following a webinar we hosted on this topic, The Cybersecurity Law Report delved further into these issues with the panelists – Karen Hornbeck, senior manager at Consilio; Kristina Bergman, founder and CEO of Integris Software; and Aaron Tantleff, partner at Foley & Lardner. Our first installment of this two-part article series discussed the legal and technical third-party risks and what regulators (domestic and international) expect in terms of vendor oversight. Part two explained how to identify and address issues with third-party vendors, including when and how to revise contractual relationships and best practices for internal oversight structure. See also “Developing an Effective Third-Party Management Program” (Mar. 14, 2018); and “Checklist for an Effective Incident Response Plan” (Jul. 20, 2016).

  • From Vol. 4 No.18 (Jun. 27, 2018)

    How to Maintain Effective and Secure Long-Term Vendor Relationships: Finding and Addressing the Issues (Part Two of Two)

    An effective long-term vendor relationship requires vigilance and communication to weather inevitable changes that come from regulations, data sets, technology, products and circumstances. After hosting a webinar on this topic, The Cybersecurity Law Report delved further into these issues with the panelists – Karen Hornbeck, senior manager at Consilio; Kristina Bergman, founder and CEO of Integris Software; and Aaron Tantleff, partner at Foley & Lardner. This second installment of our two-part article series explains how to identify and address issues with third-party vendors, including when and how to revise contractual relationships and best practices for internal oversight structure. Part one discussed the legal and technical third-party risks and what regulators (domestic and international) expect in terms of vendor oversight. See also “Developing an Effective Third-Party Management Program” (Mar. 14, 2018); and “How to Move Beyond a Checklist Approach to Third-Party Oversight” (Dec. 6, 2017).

  • From Vol. 4 No.17 (Jun. 20, 2018)

    How to Maintain Effective and Secure Long-Term Vendor Relationships: Understanding the Risks (Part One of Two)

    Once the critical process of vetting and selecting vendors is complete, the third-party oversight work begins. Change is inevitable – whether it be in regulations, data sets, technology, products or circumstances – and organizations need to follow up with the vendors and ensure the relationship is maintained properly. Following a webinar we hosted on this topic, The Cybersecurity Law Report delved further into these issues with the panelists – Karen Hornbeck, senior manager at Consilio; Kristina Bergman, founder and CEO of Integris Software; and Aaron Tantleff, partner at Foley & Lardner. Our first installment of this two-part article series discusses the legal and technical third-party risks and what regulators (domestic and international) expect in terms of vendor oversight. Part two will provide advice on how to identify and address issues with third-party vendors, including when and how to revise contractual relationships and best practices for internal oversight structure. Vendor due diligence and oversight “doesn’t stop after you contract . . . you have to follow up on a regular basis to make sure they are complying with the terms,” Tantleff said. See also “Developing an Effective Third-Party Management Program” (Mar. 14, 2018); and “How to Move Beyond a Checklist Approach to Third-Party Oversight” (Dec. 6, 2017).

  • From Vol. 4 No.14 (May 30, 2018)

    Understanding the Intersection of Law and Artificial Intelligence

    How can lawyers effectively use artificial intelligence and mitigate the myriad risks it poses? During a recent Strafford panel, Robert W. Kantner, a partner at Jones Day; Michael W. Kelly and Huu Nguyen, both partners at Squire Patton Boggs; and Dennis Garcia, an assistant general counsel at Microsoft, provided insight on how to make the most of AI. See “Using Big Data Legally and Ethically While Leveraging Its Value (Part One of Two)” (May 17, 2017) and Part Two (May 31, 2017).

  • From Vol. 4 No.12 (May 16, 2018)

    Countdown to GDPR Enforcement: Final Steps and Looking Ahead

    In the short time before the GDPR goes into effect, what are the last-minute steps that companies should be taking to prepare themselves for this sea change in privacy rules? In this guest article, O’Melveny & Myers attorneys Scott Pink, Mallory Jensen and Amanda Bradley discuss these steps and ongoing obligations for companies subject to the GDPR, including measures companies may not have thought to take, and how companies can remain vigilant and continue improving their privacy procedures after the GDPR takes effect. See also CSLR’s two-part interview with the Irish Data Protection Commissioner: “Supervising Facebook” (Apr. 25, 2018) and “GDPR Enforcement Priorities” (May 2, 2018); and “A Discussion With Ireland’s Data Protection Commissioner Helen Dixon About GDPR Compliance Strategies (Part One of Two)” (Mar. 22, 2017); Part Two (Apr. 5, 2017).

  • From Vol. 4 No.12 (May 16, 2018)

    How to Ensure GDPR-Compliant Third-Party Relationships

    The GDPR is changing how organizations manage third-party relationships, including how third parties are onboarded and monitored. For example, controllers may only use processors that provide sufficient guarantees of GDPR compliance, and the relationship must be documented by contract. During a recent Bristows webinar, Robert Bond, a partner at Bristows, and Allan Matheson, CEO of Blue Umbrella, a compliance research firm, spoke about best practices for third-party relationships in the context of the GDPR and other laws, and how technology can be used to make monitoring third parties more effective. See also “Five Months Until GDPR Enforcement: Addressing Tricky Questions and Answers” (Dec. 20, 2017).

  • From Vol. 4 No.9 (Apr. 25, 2018)

    Eight Steps for Protecting Trade Secrets Across Global Enterprises

    Along with customer and employee information, companies must focus on protecting trade secrets and other company crown jewels. The overwhelming challenge of identifying those jewels and where they are located can prevent some companies from even starting this critical process, said Pamela Passman, president and CEO of the Center for Responsible Enterprise and Trade (CREATe.org), during a recent PLI program. She detailed eight steps companies should take to prevent trade secrets from falling into the wrong hands. For more from Passman, see “How to Protect Intellectual Property and Confidential Information in the Supply Chain” (Nov. 25, 2015).

  • From Vol. 4 No.8 (Apr. 18, 2018)

    When and How Legal and Information Security Should Engage on Cyber Strategy: Vendors and M&A (Part Three of Three)

    Effective cybersecurity strategy requires the legal and security functions to work together when assessing third parties, either in the context of hiring a vendor or merging with or acquiring a new company. “I don’t think they’re coordinating very well,” Akin partner Michelle Reed told The Cybersecurity Law Report. With insight from Reed and technical experts, this third installment of our three-part series on when and how legal and security professionals should be communicating to build strong working relationships for a robust cybersecurity and data privacy program tackles coordination between the two teams on vendor assessments, M&A due diligence and combatting insider threats. Part two examined how both teams can coordinate on incident response and to assess risk and privacy impact. Part one covered how to structure corporate governance for optimal collaboration between these two groups. See also “Effective M&A Contract Drafting and Internal Cyber Diligence and Disclosure” (Dec. 20, 2017) and “Mitigating Cyber Risk in M&A Deals and Third-Party Relationships” (Jul. 6, 2016).

  • From Vol. 4 No.5 (Mar. 14, 2018)

    How Will the GDPR Affect Due Diligence?

    Among the many provisions of the GDPR with which companies are grappling is Article 10, which affects the processing of personal data relating to criminal activity. This kind of data collection is a core part of many different types of diligence and investigations. Article 10 “will basically put companies subject to both the GDPR and non-E.U. laws between a rock and a hard place,” potentially subjecting them to “the wrath of the U.S. Department of Justice,” for example, Alja Poler De Zwart, counsel at Morrison Foerster in Brussels, told The Cybersecurity Law Report. This article discusses how companies can approach Article 10 and the patchwork of applicable member-state laws. See “The GDPR’s Data Subject Rights and Why They Matter” (Feb. 28, 2018).

  • From Vol. 4 No.5 (Mar. 14, 2018)

    Developing an Effective Third-Party Management Program

    Companies rely on third parties for a variety of critical services. Identifying and managing those relationships in a systematic way is essential to minimizing enterprise risk and ensuring compliance with regulatory requirements. A MyComplianceOffice (MCO) presentation, “4 Principles of a Strong Third-Party Management Program,” provided a framework for developing a program for managing third-party relationships. Although the primary focus of the program was on the financial services industry, the principles discussed are relevant to outsourcing decisions made by a wide range of organizations and their dealings with administrators, technology vendors, research firms and other key third parties. The program was hosted by Joe Boyhan of MCO and featured Linda Tuck Chapman, president of Ontala, a virtual organization of seasoned professionals in strategic sourcing and procurement. This article summarizes the key takeaways from the presentation. See our two-part series on vendor risk management: “Nine Due Diligence Questions” (May 25, 2016) and “14 Key Contract Terms” (Jun. 8, 2016). Also see “Tech Meets Legal Spotlight: What to Do When IT and Legal Slow the Retention of a Third-Party Vendor” (Nov. 30, 2016).

  • From Vol. 4 No.4 (Feb. 28, 2018)

    Financial Firms Must Supervise Their IT Providers to Avoid CFTC Enforcement Action

    The CFTC recently announced a settlement with futures firm AMP Global Clearing LLC (AMP), which had tens of thousands of client records compromised after its IT vendor unknowingly installed a backup drive on AMP’s network that included an unsecured port. The settlement order requires AMP to cease and desist from future violations, pay a civil penalty of $100,000 and report to the CFTC for the next year on its efforts to improve its digital security. “As this case shows, the CFTC will work hard to ensure regulated entities live up to that responsibility, which has taken on increasing importance as cyber threats extend across our financial system,” said CFTC Director of Enforcement James McDonald. In particular, it is a reminder of the importance of monitoring third-party service providers. In this article, we analyze the case and relevant remedial steps AMP agreed to take. For more from the CFTC, see “Virtual Currencies Present Significant Risk and Opportunity, Demanding Focus From Regulators, According to CFTC Chair” (Feb. 14, 2018).

  • From Vol. 3 No.25 (Dec. 20, 2017)

    Effective M&A Contract Drafting and Internal Cyber Diligence and Disclosure

    Following cyber due diligence, acquiring companies should focus on carefully drafting M&A transaction documents, as many boilerplate reps and warranties regarding cybersecurity and privacy lack sufficient specificity. In addition, companies should develop a process governing internal due diligence and how and when to disclose cyber risks and events to the SEC. Proskauer partners Lauren Boglivi and Julie Allen provided guidance on these critical issues of documentation and disclosure at a recent event. In a companion article, we covered Boglivi and Allen’s remarks, in addition to those of Proskauer partners Kristen Mathews and Jeff Neuburger, about strategies for conducting cyber diligence on a target. See also “The Arc of the Deal: Tips for Cybersecurity Due Diligence Advisors in Mergers & Acquisitions From Beginning to End” (Jun. 28, 2017).

  • From Vol. 3 No.24 (Dec. 6, 2017)

    How to Move Beyond a Checklist Approach to Third-Party Oversight

    While those responsible for third-party oversight must conduct adequate pre-contract due diligence and actively monitor their third parties, they must also think about whether they “want to be a business inhibitor,” suggested Christopher Pierson, EVP, chief security officer and general counsel for Viewpost, a FinTech payments company. Speaking at the International Association of Privacy Professionals Privacy.Security.Risk. 2017 conference, Pierson and other panelists talked about practical and efficient ways to oversee third parties. See our two-part series on vendor risk management: “Nine Due Diligence Questions” (May 25, 2016) and “14 Key Contract Terms” (Jun. 8, 2016).

  • From Vol. 3 No.22 (Nov. 8, 2017)

    How to Mitigate the Risks of Open-Source Software (Part Two of Two)

    Companies may be unaware they are using open-source software in their operations. This can be significant because, while OSS is inexpensive and reliable, it does carry with it significant cybersecurity and intellectual property risks that should be addressed. A recent Strafford program offered a comprehensive primer on OSS and insights on designing appropriate compliance controls for its use. The program featured James G. Gatto, a partner at Sheppard Mullin Richter & Hampton, and Baker Botts attorneys Luke K. Pedersen and Andrew Wilson. Part two of our coverage discusses where attorneys encounter OSS challenges, how to identify whether a company is using OSS, best practices for OSS governance, and patent issues that OSS presents. Part one explained the key legal issues, common OSS license provisions, and cybersecurity and litigation risks. See also “Tech Meets Legal Spotlight: What to Do When IT and Legal Slow the Retention of a Third-Party Vendor” (Nov. 30, 2016).

  • From Vol. 3 No.21 (Oct. 25, 2017)

    How to Mitigate the Risks of Open-Source Software (Part One of Two)

    Organizations frequently use open-source software both for internal operations and in commercial software and other products. While OSS can be inexpensive, efficient and reliable, it also comes with significant risks, including cybersecurity and intellectual property concerns. A recent Strafford program offered a comprehensive primer on the uses and risks of OSS, and insights on designing appropriate compliance controls for its use. The program featured Sheppard Mullin attorney James G. Gatto and Baker Botts attorneys Luke K. Pedersen and Andrew Wilson. Part one of this two-article series explains the key legal issues, common OSS license provisions, and cybersecurity and litigation risks. Part two will address where attorneys encounter OSS challenges, identifying OSS, best practices for OSS governance, and patent issues that OSS presents. See our two-part series on vendor risk management: “Nine Due Diligence Questions” (May 25, 2016) and “14 Key Contract Terms” (Jun. 8, 2016).

  • From Vol. 3 No.20 (Oct. 11, 2017)

    FTC Launches Stick With Security Series, Adding Detail and Guidance to Its Start With Security Guide (Part Two of Two)

    Companies continue to seek more detailed guidance on data-security expectations from regulators such as the FTC. As a follow-up to its 2015 Start With Security Guide, which contained 10 fundamentals, the FTC launched its Stick With Security blog series. It builds on those 10 principles using hypotheticals to take “a deeper dive” into proactive data-protection steps. The first article in our two-part series examined the blog posts analyzing the first five principles of Start With Security, and this second article continues with the remaining five. The “examples in the posts help companies with line drawing and balancing risk,” Kelley Drye partner Dana Rosenfeld told The Cybersecurity Law Report. See “FTC Priorities for 2017 and Beyond” (Jan. 11, 2017); and “A Behind-the-Curtains View of FTC Security and Privacy Expectations” (Mar. 16, 2016).

  • From Vol. 3 No.19 (Sep. 27, 2017)

    FTC Settlements in Privacy Shield Cases and With Lenovo Over Use of “Man-in-the-Middle” Software Highlight Vigorous Enforcement Efforts

    Despite operating with only two of five Commissioners, the FTC has continued its data-privacy-enforcement efforts. It recently struck a major settlement with Lenovo over adware that was pre-installed on laptops and, unbeknownst to consumers, acted as a “man-in-the-middle,” with the ability to capture all of the data users transmitted to e-commerce websites they visited. It also reached settlements with three companies based on allegedly false claims of compliance with the U.S.-E.U. Privacy Shield framework. We explain the facts and circumstances that gave rise to the FTC enforcement actions and the terms of the settlements. See also “FTC Priorities for 2017 and Beyond” (Jan. 11, 2017).

  • From Vol. 3 No.18 (Sep. 13, 2017)

    Negotiating an Effective Cloud Service Agreement

    As attractive, economically viable and convenient as the cloud is, companies must be cognizant of the potential cybersecurity risks associated with any cloud-services arrangement. A well-drafted contract between the corporate customer and cloud-service provider is an essential tool for managing that risk on both sides. This article, based on insights offered at a recent PLI event, covers what a prospective business customer should and should not expect from a cloud-service provider, and why some provisions that look good in writing might not be quite so helpful in practice. See also “The Advantages of Sending Data Up to the Cloud” (Jun. 17, 2015).

  • From Vol. 3 No.16 (Aug. 9, 2017)

    Identifying and Managing Third-Party Cybersecurity Risks for Asset Managers

    As connectivity grows, the risk that data entrusted to vendors could be compromised, or that a company’s own system may be breached through one of its vendors, continues to increase. A recent Advise Technologies program focused on how private fund managers can understand and mitigate third-party risks. A panel of attorneys and compliance and regulatory consultants discussed the regulatory emphasis on third-party risk, ways to assess this risk, and common errors and best practices for managing vendors, including due diligence questionnaires. While certain regulatory considerations are specific to fund managers, the due diligence concerns and best practices provide important advice to all companies working with third-party vendors. See our two-part series on vendor risk management: “Nine Due Diligence Questions” (May 25, 2016) and “14 Key Contract Terms” (Jun. 8, 2016).

  • From Vol. 3 No.14 (Jul. 12, 2017)

    How Small Businesses Can Maximize Cybersecurity Protections and Prioritize Their Spending

    While surviving as a small or medium-sized business is challenging enough, the realization that the company could fail if it suffers a cyber attack adds another measure of stress. Knowing where to start and obtaining and allocating the right resources are key to ensuring adequate cybersecurity. Panelists at the recent Georgetown Cybersecurity Law Institute discussed ways that small and medium-sized businesses can take meaningful cybersecurity steps given their limited budgets and, in some cases, expertise. See “Using a Risk Assessment as a Critical Component of a Robust Cybersecurity Program (Part One of Two)” (Nov. 16, 2016); Part Two (Nov. 30, 2016).

  • From Vol. 3 No.13 (Jun. 28, 2017)

    Cyber Crisis Communication Plans: What Works and What to Avoid (Part Two of Two)

    Even a small cyber incident can erupt into a major high-profile event depending on whether and how it becomes public. Because of the damaging effects press coverage can have, companies should be prepared with a thorough communications plan that contemplates more than just technical answers. In this second installment of our two-part article series on cyber crisis communication plans, experts offer advice on strategies for handling external communications to the media, regulators and other stakeholders, including specific questions companies might face; how to control and coordinate with a third-party vendor; and how to overcome common pitfalls and challenges. Part one covered key stakeholders and their roles, crucial playbook components and the benefits of planning ahead, and how to approach internal communications during a cyber crisis event. See also our three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).

  • From Vol. 3 No.12 (Jun. 14, 2017)

    Are New York’s Cyber Regulations a “Game Changer” for Hedge Fund Managers?

    Experts caution that the New York State Department of Financial Services’ cybersecurity regulations are relevant beyond the covered entities to hedge fund managers, for example, because compliance with the regulations may become the “gold standard.” Some state organizations, such as the Colorado Division of Securities, have already proposed similar rules following New York’s lead. Panelists at the recent Alternative Asset Management Symposium sponsored by Crystal & Company highlighted the key provisions and discussed how they may affect alternative asset managers and their service providers. The experts from Crystal, Brown Rudnick, Mullen Coughlin, Charles River Associates and Prosek Partners addressed the impact of the regulations, including the CISO’s role, third-party vetting and potential enforcement. See “What Covered Financial Entities Need to Know About New York’s New Cybersecurity Regulations” (Mar. 8, 2017).

  • From Vol. 3 No.10 (May 17, 2017)

    Investigative Realities: Working Effectively With Forensic Firms (Part Two of Two)

    Lawyers and forensic investigators must work together when investigating breaches, but the differences in their outlook and approach can sometimes make that difficult. In a two-part guest article series, Stephen Surdu, a senior advisor at Covington, and Jennifer Martin, of counsel at Covington, provide insight into how forensic teams work during the investigative process and how to make the process smoother and more effective. This second part addresses how to work with forensic teams when documenting and otherwise communicating findings, and during the remediation process. The first installment addressed investigative realities and how attorneys and forensic investigators can gain an understanding of each other’s perspectives and preemptively discuss any potential issues to be in the best position to address them efficiently during an investigation. See also our three-part series on forensic firms: “Understanding and Leveraging Their Expertise From the Start” (Feb. 22, 2017); “Key Contract Considerations and Terms” (Mar. 8, 2017); and “Effective Vetting and Collaboration” (Mar. 22, 2017).

  • From Vol. 3 No.9 (May 3, 2017)

    Investigative Realities: Working Effectively With Forensic Firms (Part One of Two)

    Lawyers and computer forensic investigators have significantly different skills and perspectives, both of which are essential during cybersecurity incident response. The differences, however, can create friction and even conflict in setting priorities, communicating effectively and interpreting findings. In a two-part guest article series, Stephen Surdu, a senior advisor at Covington, and Jennifer Martin, of counsel at Covington, provide legal counsel with a better understanding of the focus of the forensic team in incident response, the various factors and evidentiary realities that may affect how an investigation is performed, and why response teams cannot always reach definitive conclusions. This first installment addresses investigative realities and how attorneys and forensic investigators can gain an understanding of each other’s perspectives and preemptively discuss any potential issues to be in the best position to address them efficiently during an incident and to provide the greatest value to their clients. See also our three-part series on forensic firms: “Understanding and Leveraging Their Expertise From the Start” (Feb. 22, 2017); “Key Contract Considerations and Terms” (Mar. 8, 2017); and “Effective Vetting and Collaboration” (Mar. 22, 2017).

  • From Vol. 3 No.8 (Apr. 19, 2017)

    What In-House and Outside Counsel Need to Know About ACC’s First Model Cybersecurity Practices for Law Firms

    The publicized breaches of major law firms last year served as a wake-up call for the legal industry, signaling the importance of having effective cybersecurity measures in place. On the heels of these breaches, the Association of Corporate Counsel released a set of model cybersecurity practices to help in-house counsel set expectations with respect to the data-security practices of their outside counsel and to serve as a benchmark for best practices. But how realistic are those guidelines? Justin Hectus, the CIO and CISO of Keesal, Young and Logan, told The Cybersecurity Law Report that “the reality is that it’s a buyer’s market right now in legal. If a law firm is not willing to do these kinds of things in order to keep the clients’ data safe, then another firm will be willing to do it, as there are plenty of firms that take these steps even absent client pressure.” We analyze the guidelines’ recommendations with input from Hectus on the practicality of their implementation. See also “Eight Attributes In-House Counsel Look For in Outside Cybersecurity Counsel” (Jun. 8, 2016); and “How Law Firms Should Strengthen Cybersecurity to Protect Themselves and Their Clients” (Mar. 30, 2016).

  • From Vol. 3 No.6 (Mar. 22, 2017)

    Forensic Firms: Effective Vetting and Collaboration (Part Three of Three)

    Because a forensic investigation by a security firm often drives the critical path of incident response, companies are best positioned to respond quickly and effectively to potential incidents by identifying and onboarding a security firm before an incident arises. With a myriad of firms from which to choose, not only must a company carefully select the right one, but both sides must communicate effectively to build a trusting relationship. With advice from in-house and outside cybersecurity counsel as well as forensic and security experts, our three-part article series on forensic firms addresses these and other considerations. This third installment provides advice on evaluating the forensic firm to determine if it has the right expertise and how to communicate and collaborate with these experts once they are brought on board. Part two examined contract considerations, key terms and what companies should expect in deliverables. Part one explained the expertise of forensic firms, why they are used, and their role before and after an incident. See also “Key Strategies to Manage the First 72 Hours Following an Incident” (Feb. 8, 2017).

  • From Vol. 3 No.6 (Mar. 22, 2017)

    How to Establish and Manage a Successful Bug Bounty Program

    Bug bounty programs – paying a researcher who has found a “bug” in a company’s system – can be effective at mitigating cybersecurity risk, but they must be implemented and managed carefully lest they be abused and backfire. Cassio Goldschmidt, vice president in Stroz Friedberg’s cyber resilience practice, spoke to The Cybersecurity Law Report about the steps to take to establish a bug bounty program, including the measures that should be in place prior to launching it, and how to best manage a successful program. See also “Tech Meets Legal Spotlight: What to Do When IT and Legal Slow the Retention of a Third-Party Vendor” (Nov. 30, 2016).

  • From Vol. 3 No.5 (Mar. 8, 2017)

    Forensic Firms: Key Contract Considerations and Terms (Part Two of Three)

    Companies are increasingly turning to outside forensic firms for assistance with both proactive cybersecurity measures and incident response. To optimize the relationship, companies must carefully choose a firm, negotiate the right contract terms, and effectively collaborate with the chosen forensic service provider. With advice from in-house and outside cybersecurity counsel as well as forensic and security experts, our three-part article series on forensic firms addresses these considerations. This second part examines contract considerations, key terms and what companies should expect in deliverables. Part one explained the expertise of forensic firms, why they are used, and their role before and after an incident. Part three will provide advice on evaluating the forensic firm to determine whether it has the right expertise and on how to communicate and collaborate with these experts once they are brought on board. See also “Key Strategies to Manage the First 72 Hours Following an Incident” (Feb. 8, 2017).

  • From Vol. 3 No.3 (Feb. 8, 2017)

    How Fund Managers Can Prepare for Investor Cybersecurity Due Diligence

    Cybersecurity remains a top-of-mind issue for regulators, investors and investment advisers. As part of operational due diligence, investors often evaluate whether an adviser has robust cybersecurity defenses. Similarly, advisers must ensure that their administrators, brokers and other third parties have appropriate defenses. A recent program hosted by the Investment Management Due Diligence Association gave specifics on what investors may be looking for, including due diligence questions they may ask and how they may evaluate a firm’s cybersecurity program, including its cyber insurance. See also our two-part series on vendor risk management: “Nine Due Diligence Questions” (May 25, 2016), and “14 Key Contract Terms” (Jun. 8, 2016).

  • From Vol. 3 No.1 (Jan. 11, 2017)

    Ten Cybersecurity Priorities for 2017

    Even companies that have mature information security practices in place must exercise constant vigilance by reevaluating their needs and improving their approaches. The Cybersecurity Law Report spoke with several experts to find out what companies should be focusing on and how they should allocate time and resources when setting cybersecurity priorities for 2017. In this article, we outline the resulting top ten cybersecurity action items for companies to tackle to ensure a more secure new year. See also “Cybersecurity Preparedness Is Now a Business Requirement” (Feb. 17, 2016).

  • From Vol. 2 No.25 (Dec. 14, 2016)

    Considerations for Managing Cybersecurity and Privacy Risk in Outsourcing Contracts

    Companies must ensure cybersecurity and privacy issues are addressed when establishing new outsourcing arrangements and should continue to monitor those issues as the outsourcing relationship continues. At a recent PLI program, Mayer Brown partner Rebecca Eisner discussed how attorneys and boards of directors can mitigate cyber risk prior to entering such arrangements (including specific contractual terms to consider) and how they can best monitor outsourcing providers during the relationship. See also our two-part series on vendor risk management: “Nine Due Diligence Questions” (May 25, 2016), and “14 Key Contract Terms” (Jun. 8, 2016).

  • From Vol. 2 No.24 (Nov. 30, 2016)

    Attorney-Consultant Privilege? Structuring and Implementing the Kovel Arrangement (Part Two of Two)

    So-called “Kovel arrangements” provide unique opportunities for companies and their legal counsel to extend the attorney-client privilege to consultants. After deciding to use the arrangement, the next (and most important) step is ensuring that the entire Kovel engagement is performed correctly so that the privilege will be recognized by regulators and courts, and documents detailing the company’s operational deficiencies are not unnecessarily made available. This article, the second in a two-part series, provides practical guidance regarding the provisions that need to be included in an engagement letter with a consultant, details daily steps a company must take to ensure it remains Kovel-compliant, and examines circumstances under which it is and is not appropriate for companies to employ Kovel arrangements. The first article in this series detailed the legal requirements of the Kovel doctrine, as well as considerations for companies when deciding whether to invoke or waive the privilege. See also “Preserving Privilege Before and After a Cybersecurity Incident (Part One of Two)” (Jun. 17, 2015); Part Two (Jul. 1, 2015).

  • From Vol. 2 No.24 (Nov. 30, 2016)

    Tech Meets Legal Spotlight: What to Do When IT and Legal Slow the Retention of a Third-Party Vendor

    When an organization hires a third-party vendor that needs access to its network systems, a failure of legal and IT to coordinate the implementation of that access can cause costly delays. The Cybersecurity Law Report discussed the problem with David Cass, the CISO of IBM’s cloud and SaaS operational services, using a fact pattern familiar to many companies: A company is seeking to hire a third-party vendor that needs access to its network systems to perform its duties, but legal and IT have different ideas about the process, and the project stalls. Cass offered advice to bridge the gap between technology and legal teams. See also our two-part series on vendor risk management: “Nine Due Diligence Questions” (May 25, 2016), and “14 Key Contract Terms” (Jun. 8, 2016).

  • From Vol. 2 No.23 (Nov. 16, 2016)

    Attorney-Consultant Privilege? Key Considerations for Invoking the Kovel Doctrine (Part One of Two)

    As organizations increasingly engage consultants to conduct cyber risk assessments and to assist in the event of a breach, a logical concern is whether the attorney-client privilege is available to protect those efforts. The Kovel decision in the Second Circuit extended the attorney-client privilege to third parties assisting attorneys in representing clients under certain circumstances. This two-part series describes the use of so-called “Kovel arrangements” by companies to extend the attorney-client privilege to interactions with consultants. This first article describes the requirements of the Kovel privilege as established by case law, as well as critical considerations for deciding whether to invoke or waive the privilege when interacting with regulators or litigants. The second article will detail the requisite features of a fully compliant Kovel arrangement and will examine circumstances under which it is and is not appropriate for companies to employ Kovel arrangements. See also “Target Privilege Decision Delivers Guidance for Post-Data Breach Internal Investigations” (Nov. 11, 2015).

  • From Vol. 2 No.22 (Nov. 2, 2016)

    How to Protect Against Weaponized Devices in Light of the Massive Denial-of-Service Attack

    Tweets, shopping, money transfers and entertainment were some of the countless internet activities stopped in their tracks by a recent massive attack on a Domain Name System (DNS) service provider. The attackers used ordinary household connected devices to carry out one of the largest denial-of-service attacks to date, shutting down more than a thousand sites such as Amazon, Twitter, Netflix and PayPal. While such attacks are not new and are typically mitigated quickly, this one was critically different in its scale and its reliance on compromised connected devices, and presented “another type of attack that even state-of-the-art organizations in terms of data security have to contend with,” Ed McAndrew, a partner at Ballard Spahr, told The Cybersecurity Law Report. See “Tackling Privacy and Cybersecurity Challenges While Fostering Innovation in the Internet of Things” (May 20, 2015).

  • From Vol. 2 No.21 (Oct. 19, 2016)

    How the Financial Services Industry Can Handle Cybersecurity Threats, Acquisition Diligence and Breach Response

    The financial services sector is often praised as having some of the most mature cybersecurity practices, but it also holds especially sensitive data and is one of the most common targets for malicious hackers. Asset managers in particular are confronted with general cybersecurity risks while navigating industry nuances. At a recent panel hosted by Major, Lindsey & Africa, Debevoise partners Luke Dembosky and Jim Pastore, both former federal prosecutors, addressed emerging cybersecurity threats, risks from vendors, potential breaches in a pre-acquisition and post-acquisition context, breach response and special considerations for breaches of investor or consumer data. Much of the advice is relevant to all companies grappling with data security risks and breach consequences. See also our two-part series on how the financial services sector can meet the cybersecurity challenge: “A Snapshot of the Regulatory Landscape (Part One of Two)” (Dec. 9, 2015); “A Plan for Building a Cyber-Compliance Program (Part Two)” (Jan. 6, 2016).

  • From Vol. 2 No.20 (Oct. 5, 2016)

    Essential Cyber Due Diligence Considerations in M&A Deals Raised by Yahoo Breach

    Yahoo’s massive 2014 data breach, made public only two months after Verizon announced its plans to acquire Yahoo for $4.83 billion, highlights the necessity of proper cybersecurity due diligence in advance of an acquisition, and of the acquiring company accounting for an undetected breach in the valuation of the transaction. There probably needs to be “a little more cybersecurity homework done before pulling the trigger on an acquisition. We hope this situation brings that conversation to the forefront,” Milan Patel, a managing director in K2 Intelligence’s cyber defense practice, told The Cybersecurity Law Report. In this article, with insight from attorneys and technical consultants, we examine current contingencies in Verizon’s deal with Yahoo and detail the steps companies should be taking to identify and mitigate cyber risk through due diligence and how to structure a deal to account for those potential risks. See “Tackling Cybersecurity and Data Privacy Issues in Mergers and Acquisitions (Part One of Two)” (Sep. 16, 2015); Part Two (Sep. 30, 2015).

  • From Vol. 2 No.19 (Sep. 21, 2016)

    What Private Companies Can Learn From the OPM Data Breaches

    The recent breaches of the U.S. Office of Personnel Management illustrate the importance of an effective information security program for businesses in both the public and private sector. A recently released exhaustive investigative report by the House Oversight and Government Reform Committee outlines findings and recommendations to help the federal government better acquire, deploy, maintain and monitor its information technology. “The [Report] is replete with recommendations that private sector entities should be considering seriously,” DLA Piper partner Jim Halpert told The Cybersecurity Law Report. This article summarizes the committee’s findings and examines valuable lessons applicable to both the public and private sectors. See also “White House Lays Out Its Broad Cybersecurity Initiatives” (Feb. 17, 2016).

  • From Vol. 2 No.15 (Jul. 20, 2016)

    How the Financial Services Industry Can Manage Cyber Risk

    Financial services providers and financial institutions are prime targets for hackers, and have also been targets of SEC scrutiny – the agency has recently brought actions against Morgan Stanley, Craig Scott Capital, and RT Jones for cybersecurity violations, even in the absence of a breach. How can firms in those industries ensure their cybersecurity programs are robust and mitigate risk? At a recent symposium held by the Hedge Fund Association, panelists with various cybersecurity perspectives and expertise shared their insight on preparedness, incident response plans, vendor management, cyber insurance (including recommendations for carriers) and whether to use cloud services. See also our two-part series on how the financial services sector can meet the cybersecurity challenge: “A Snapshot of the Regulatory Landscape (Part One of Two)” (Dec. 9, 2015); “A Plan for Building a Cyber-Compliance Program (Part Two)” (Jan. 6, 2016).

  • From Vol. 2 No.14 (Jul. 6, 2016)

    Mitigating Cyber Risk in M&A Deals and Third-Party Relationships

    Ensuring that a target, or a third-party vendor, has adequate cybersecurity controls before the company takes on the risks of that entity is of paramount importance in today’s cyber threat environment. At a recent PLI panel, counsel at Tiffany & Co. and EY shared advice for conducting M&A due diligence, including specific questions to ask, and presented a five-step plan for assessing and addressing data security and privacy risks that accompany third-party vendor relationships. See also “Tackling Cybersecurity and Data Privacy Issues in Mergers and Acquisitions (Part One of Two)” (Sep. 16, 2015); Part Two (Sep. 30, 2015).

  • From Vol. 2 No.12 (Jun. 8, 2016)

    Vendor Cyber Risk Management: 14 Key Contract Terms (Part Two of Two)

    Actions by third-party vendors with access to a company’s data are the cause of some of the most damaging breaches. Carefully vetting and monitoring those vendors is crucial to a strong cybersecurity program. At a recent panel at IAPP’s Global Privacy Summit, counsel from Under Armour, AOL and Unisys provided practical guidance on how to implement a comprehensive vendor management program. This article, the second installment in our coverage of the panel, includes fourteen key cybersecurity provisions to include in vendor contracts and the panelists’ strategies for monitoring the vendor relationship and for effective breach response. The first article in our series includes the panelists’ discussion of nine questions to ask vendors during the due diligence process and factors to consider before contract negotiations. See also “Learning From the Target Data Breach About Effective Third-Party Risk Management”: Part One (Sep. 16, 2015); Part Two (Sep. 30, 2015).

  • From Vol. 2 No.11 (May 25, 2016)

    Vendor Cyber Risk Management: Nine Due Diligence Questions (Part One of Two)

    Some of the biggest cybersecurity headlines point to suppliers as the root cause of the most damaging breaches. This highlights the importance of carefully vetting and monitoring vendors as part of a strong cybersecurity program. At a recent panel at IAPP’s Global Privacy Summit, counsel from Under Armour, AOL and Unisys provided practical guidance on how to implement a comprehensive vendor management program and mitigate data security and privacy risks third-party vendors present. This first article in our series includes the panelists’ discussion of nine questions to ask vendors during the due diligence process and factors to consider before contract negotiations. The second installment in our coverage of the panel will include fourteen key cybersecurity provisions to include in vendor contracts. See also “Learning From the Target Data Breach About Effective Third-Party Risk Management”: Part One (Sep. 16, 2015); Part Two (Sep. 30, 2015).

  • From Vol. 2 No.6 (Mar. 16, 2016)

    Designing, Implementing and Assessing an Effective Employee Cybersecurity Training Program (Part Three of Three)

    An effective employee cybersecurity program does not start or end with a single training session. To combat evolving threats, companies need to establish ongoing communications with employees and continuously evaluate their training program. In this final article in our three-part series on the topic, outside counsel, consultants, and in-house experts provide actionable insight and recommendations on how companies should follow up after the initial training. They also address the challenges of establishing an employee cybersecurity training program and how to handle training when dealing with third-party vendors. Part one of the series discussed tailoring policies and training to the type of company and universe of employees, and part two highlighted ten important topics to cover during training, as well as strategies for engaging employees and getting the message across. See also “Strategies for Preventing and Handling Cybersecurity Threats From Employees” (Apr. 8, 2015).

  • From Vol. 1 No.17 (Nov. 25, 2015)

    How to Protect Intellectual Property and Confidential Information in the Supply Chain

    Sharing information, including intellectual property, with third parties such as suppliers, distributors and consultants is essential for the operations of many companies but exposes them to various points of cyber risk.  Pamela Passman, President and CEO at the Center for Responsible Enterprise and Trade (CREATe.org), spoke with The Cybersecurity Law Report about how to assess and mitigate third-party and supply chain risk.  CREATe.org, a global NGO, works with companies and third parties with whom they do business to help put processes in place to prevent corruption and protect intellectual property, trade secrets and other confidential information.  See also “Protecting and Enforcing Trade Secrets in a Digital World,” The Cybersecurity Law Report, Vol. 1, No. 13 (Sep. 30, 2015).

  • From Vol. 1 No.17 (Nov. 25, 2015)

    Implementing an Effective Cloud Service Provider Compliance Program

    The ubiquity of cloud computing platforms as a tool for companies to share, store and back up critical and sensitive data has catapulted the implementation of a comprehensive third-party cloud service provider program to the top of compliance officers’ ever-growing to-do lists.  During a recent seminar held by the Society of Corporate Compliance & Ethics, Web Hull, a privacy, data protection and compliance advisor, provided a practical framework for engaging, managing, auditing and monitoring third-party cloud computing providers.  This article summarizes those insights, including key risks, and compiles the resources compliance officers can use to meet the relevant state and federal cybersecurity regulatory requirements.  See also “Examining Evolving Legal Ethics in the Age of the Cloud, Mobile Devices and Social Media (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 11 (Aug. 26, 2015); Part Two, Vol. 1, No. 12 (Sep. 16, 2015); and “The Advantages of Sending Data Up to the Cloud,” The Cybersecurity Law Report, Vol. 1, No. 6 (Jun. 17, 2015).

  • From Vol. 1 No.13 (Sep. 30, 2015)

    Learning from the Target Data Breach About Effective Third-Party Risk Management (Part Two of Two)

    Third-party relationships are integral to companies of all sizes, and bring with them increasingly sophisticated cybersecurity risk, as highlighted by the Target data breach.  In our continued coverage of a recent third-party risk management webinar, Mintz Levin attorneys Cynthia Larose and Peter Day provide concrete strategies for implementing and monitoring a third-party risk management program that protects data from third-party security breaches.  In part one, they discussed lessons from Target’s breach, and business and regulatory justifications for a strong third-party risk management program.  See also “Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015); Part Two, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.12 (Sep. 16, 2015)

    Learning from the Target Data Breach About Effective Third-Party Risk Management (Part One of Two)

    Companies and law firms are increasingly partnering with vendors and other third parties to outsource formerly in-house functions in order to reduce operating costs and increase focus on core businesses.  But, as Mintz Levin attorneys Cynthia Larose and Peter Day said during a recent webinar, the potential consequences of failing to adequately manage the risks associated with giving third parties access to highly confidential systems and information can be disastrous, as evidenced by the 2013 Target data breach.  In part one of our two-part article series, Larose and Day discuss lessons from Target’s breach and business and regulatory justifications for a strong third-party risk management (TPRM) program.  In part two, they will detail strategies for implementing and monitoring a TPRM program that protects companies’ data – and their clients’ and customers’ data – from third-party security breaches.  See “Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015); Part Two of Two, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.10 (Aug. 12, 2015)

    Surveys Find Internal and Third-Party Cybersecurity Risks Among Top Executive Concerns

    Corporate executives, even those with great defense resources, consider cybersecurity one of the most worrisome issues they confront.  In this article, experts from Deloitte, Protiviti and the Santa Fe Group dissect the results of two recent studies.  Greg Dickinson, a director at Deloitte who leads the quarterly survey “CFO Signals: What North America’s top finance executives are thinking – and doing,” explained how and why many CFOs are feeling unprepared for cybersecurity threats.  In addition, while discussing the “2015 Vendor Risk Management Benchmark Study: The Shared Assessments Program and Protiviti Examine the Maturity of Vendor Risk Management” Rocco Grillo, cybersecurity managing director at Protiviti, and Gary Roboff, senior advisor to the Santa Fe Group and manager of its Shared Assessments Program, explain how the finance industry outperforms others in third-party risk management and stress the importance of risk committees and data mapping.  See also “Ponemon Study Finds Increasing Data Breach Costs and Analyzes Causes,” The Cybersecurity Law Report, Vol. 1, No. 5 (Jun. 3, 2015).

  • From Vol. 1 No.6 (Jun. 17, 2015)

    Model Cybersecurity Contract Terms and Guidance for Investment Managers to Manage Their Third-Party Vendors

    Investment managers use a wide range of third-party vendor-provided products and services to manage their daily operations, and many of those third parties have access to sensitive data.  Ensuring that data is protected from theft, either deliberate or inadvertent, is paramount.  In a guest article, Schulte Roth & Zabel partner Robert Kiesel provides practical vendor management guidance and comprehensive contract provisions, and discusses critical policies and contract terms that investment managers can use to protect their, and their investors’, data.  See “Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015); Part Two of Two, Vol. 1, No. 2 (Apr. 22, 2015). 

  • From Vol. 1 No.6 (Jun. 17, 2015)

    Sample Questions for Companies to Ask to Assess Their Law Firms’ Cybersecurity Environment

    Law firms constantly handle sensitive information, often in digital form, and, as Jennifer Topper of Topper Consulting explained in “Understanding and Addressing Cybersecurity Vulnerabilities at Law Firms: Strategies for Vendors, Lawyers and Clients,” defending against cybersecurity threats presents particular challenges to law firms and their service providers.  Corporate clients should understand how their law firms handle data.  In this article, Topper provides a non-technical questionnaire corporate clients can use to obtain and assess that information from law firms as well as from other vendors.

  • From Vol. 1 No.5 (Jun. 3, 2015)

    Understanding and Addressing Cybersecurity Vulnerabilities at Law Firms: Strategies for Vendors, Lawyers and Clients

    Handling and discussing sensitive and confidential information is an essential aspect of law practice.  But defending against cybersecurity threats to such information, which increasingly exists in digital form, presents particular challenges to law firms and their service providers.  In a guest article, Jennifer Topper of Topper Consulting explores cybersecurity vulnerabilities at law firms that service providers often do not understand; structural and operational obstacles to addressing those vulnerabilities; and steps that law firms are taking, as client pressure increases, to address this critical issue.  In a subsequent issue of The Cybersecurity Law Report, Topper will provide a non-technical questionnaire corporate clients can use to help understand the data security at the law firms they use.  See also “How Can a Company Mitigate Cyber Risk with Cross-Departmental Decisionmaking?,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

  • From Vol. 1 No.5 (Jun. 3, 2015)

    Navigating Data Breaches and Regulatory Compliance for Employee Benefit Plans

    Employee benefit plans, including health and pension plans, are prime targets of hackers, as evident from the most recent Anthem and Premera crises, and the proper proactive and reactive steps are key to mitigating breach risk and breach fallout.  In a recent Strafford webinar, Ogletree Deakins attorneys Vance E. Drawdy, Timothy G. Verrall and Stephen A. Riga shared their insights on best practices for fiduciaries and sponsors to navigate the complex state and federal regulations on data breaches that are applicable to ERISA benefit plans.  This article details some of their advice on preventing, assessing and responding to a plan data breach.  See also “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.2 (Apr. 22, 2015)

    Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part Two of Two)

    Vendors and other third parties – necessary for most businesses – present significant cybersecurity risks and are frequently the source of breaches, from large-scale incidents to smaller data leaks.  Properly vetting these third parties is a challenging, but critical, aspect of cybersecurity programs.  This article series provides a three-step framework to appropriately allocate resources to due diligence and mitigate the risks third parties pose.  Part One provided a framework for companies to (1) categorize potential vendors based on risk levels, including specific questions to ask; and (2) conduct initial due diligence on vendors that present a medium or high level of risk.  Part Two addresses when the categorization of medium-risk vendors should move to high-risk based on red flags discovered during the initial due diligence and details step three of the framework: deeper due diligence for high-risk vendors, including follow-up questioning, documentation of audits or certifications and in-person diligence. 

  • From Vol. 1 No.2 (Apr. 22, 2015)

    FCC Makes Its Mark on Cybersecurity Enforcement with Record Data Breach Settlement

    With its $25 million settlement with AT&T, the “FCC has now planted its flag, and sent the message that it will use its powers to protect consumers,” Jenny Durkan, a partner at Quinn Emanuel Urquhart & Sullivan, told The Cybersecurity Law Report.  The FCC’s decision earlier this year to classify Internet providers as public utilities under its jurisdiction has caused a broad range of companies to follow the agency’s actions closely.  The record AT&T settlement resolves an investigation into the theft of information by employees of a vendor call center in Mexico and requires AT&T to, among other things, overhaul its compliance program, provide free credit-monitoring services for affected customers and meet certain compliance benchmarks at intervals for the next seven years.

  • From Vol. 1 No.1 (Apr. 8, 2015)

    Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two)

    Vendors and other third parties are vital to most businesses, but can leave a company dangerously vulnerable to a breach of its data or network.  As the Target breach demonstrated, even a non-IT vendor can cause widespread damage.  Properly vetting third parties remains one of the most challenging aspects of cybersecurity programs.  In order to appropriately allocate due diligence resources, companies must first assess potential third parties to determine which of them present low, medium or high levels of cybersecurity risk and subsequently conduct the corresponding levels of diligence.  This article, the first in our series, provides a framework for companies to (1) categorize potential vendors based on risk, including specific questions to ask; and (2) conduct initial due diligence on vendors that present a medium and high level of risk.  Part Two will address the third step of deeper due diligence for high-risk vendors.
