The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Third Parties

  • From Vol. 3 No.25 (Dec. 20, 2017)

    Effective M&A Contract Drafting and Internal Cyber Diligence and Disclosure

    Following cyber due diligence, acquiring companies should focus on carefully drafting M&A transaction documents, as many boilerplate reps and warranties regarding cybersecurity and privacy lack sufficient specificity. In addition, companies should develop a process governing internal due diligence and how and when to disclose cyber risks and events to the SEC. Proskauer partners Lauren Boglivi and Julie Allen provided guidance on these critical issues of documentation and disclosure at a recent event. In a companion article, we covered Boglivi and Allen’s remarks, in addition to those of Proskauer partners Kristen Mathews and Jeff Neuburger, about strategies for conducting cyber diligence on a target. See also “The Arc of the Deal: Tips for Cybersecurity Due Diligence Advisors in Mergers & Acquisitions From Beginning to End” (Jun. 28, 2017).

  • From Vol. 3 No.24 (Dec. 6, 2017)

    How to Move Beyond a Checklist Approach to Third-Party Oversight

    While those responsible for third-party oversight must conduct adequate pre-contract due diligence and actively monitor their third parties, they must also think about whether they “want to be a business inhibitor,” suggested Christopher Pierson, EVP, chief security officer and general counsel for Viewpost, a FinTech payments company. Speaking at the International Association of Privacy Professionals Privacy.Security.Risk. 2017 conference, Pierson and other panelists talked about practical and efficient ways to oversee third parties. See our two-part series on vendor risk management “Nine Due Diligence Questions” (May 25, 2016), and “14 Key Contract Terms” (June 8, 2016).

  • From Vol. 3 No.22 (Nov. 8, 2017)

    How to Mitigate the Risks of Open-Source Software (Part Two of Two)

    Companies may be unaware they are using open-source software in their operations. This can be significant because while OSS is inexpensive and reliable, it does carry with it significant cybersecurity and intellectual property risks that should be addressed. A recent Strafford program offered a comprehensive primer on OSS and insights on designing appropriate compliance controls for its use. The program featured James G. Gatto, a partner at Sheppard Mullin Richter & Hampton, and Baker Botts attorneys Luke K. Pedersen and Andrew Wilson. Part two of our coverage discusses where attorneys encounter OSS challenges, how to identify whether a company is using OSS, best practices for OSS governance, and patent issues that OSS presents. Part one explained the key legal issues, common OSS license provisions, and cybersecurity and litigation risks. See also “Tech Meets Legal Spotlight: What to Do When IT and Legal Slow the Retention of a Third-Party Vendor” (Nov. 30, 2016).

  • From Vol. 3 No.21 (Oct. 25, 2017)

    How to Mitigate the Risks of Open-Source Software (Part One of Two)

    Organizations frequently use open-source software both for internal operations and in commercial software and other products. While OSS can be inexpensive, efficient and reliable, it also comes with significant risks, including cybersecurity and intellectual property concerns. A recent Strafford program offered a comprehensive primer on the uses and risks of OSS, and insights on designing appropriate compliance controls for its use. The program featured Sheppard Mullin attorney James G. Gatto and Baker Botts attorneys Luke K. Pedersen and Andrew Wilson. Part one of this two-article series explains the key legal issues, common OSS license provisions, and cybersecurity and litigation risks. Part two will address where attorneys encounter OSS challenges, identifying OSS, best practices for OSS governance, and patent issues that OSS presents. See our two-part series on vendor risk management: “Nine Due Diligence Questions” (May 25, 2016), and “14 Key Contract Terms” (June 8, 2016).

  • From Vol. 3 No.20 (Oct. 11, 2017)

    FTC Launches Stick With Security Series, Adding Detail and Guidance to Its Start With Security Guide (Part Two of Two)

    Companies continue to seek more detailed guidance on data-security expectations from regulators such as the FTC. As a follow-up to its 2015 Start With Security Guide, which contained 10 fundamentals, the FTC launched its Stick With Security blog series. It builds on those 10 principles using hypotheticals to take “a deeper dive” into proactive data-protection steps. The first article in our two-part series examined the blog posts analyzing the first five principles of Start With Security, and this second article continues with the remaining five. The “examples in the posts help companies with line drawing and balancing risk,” Kelley Drye partner Dana Rosenfeld told The Cybersecurity Law Report. See “FTC Priorities for 2017 and Beyond” (Jan. 11, 2017); and “A Behind-the-Curtains View of FTC Security and Privacy Expectations” (Mar. 16, 2016).

  • From Vol. 3 No.19 (Sep. 27, 2017)

    FTC Settlements in Privacy Shield Cases and With Lenovo Over Use of “Man-in-the-Middle” Software Highlight Vigorous Enforcement Efforts

    Despite operating with only two of five Commissioners, the FTC has continued its data-privacy-enforcement efforts. It recently struck a major settlement with Lenovo over adware that was pre-installed on laptops and, unbeknownst to consumers, acted as a “man-in-the-middle,” with the ability to capture all of the data users transmitted to e-commerce websites they visited. It also reached settlements with three companies based on allegedly false claims of compliance with the U.S.-E.U. Privacy Shield framework. We explain the facts and circumstances that gave rise to the FTC enforcement actions and the terms of the settlements. See also “FTC Priorities for 2017 and Beyond” (Jan. 11, 2017).

  • From Vol. 3 No.18 (Sep. 13, 2017)

    Negotiating an Effective Cloud Service Agreement

    As attractive, economically viable and convenient as the cloud is, companies must be cognizant of the potential cybersecurity risks associated with any cloud-services arrangement. A well-drafted contract between the corporate customer and cloud-service provider is an essential tool for managing that risk on both sides. This article, based on insights offered at a recent PLI event, covers what a prospective business customer should and should not expect from a cloud-service provider, and why some provisions that look good in writing might not be quite so helpful in practice. See also “The Advantages of Sending Data Up to the Cloud” (Jun. 17, 2015).

  • From Vol. 3 No.16 (Aug. 9, 2017)

    Identifying and Managing Third-Party Cybersecurity Risks for Asset Managers

    As connectivity grows, the risk that data entrusted to vendors could be compromised or that a company’s own system may be breached through one of its vendors continues to increase. A recent Advise Technologies program focused on how private fund managers can understand and mitigate third-party risks. A panel of attorneys and compliance and regulatory consultants discussed the regulatory emphasis on third-party risk, ways to assess this risk, and common errors and best practices for managing vendors, including due diligence questionnaires. While certain regulatory considerations are specific to fund managers, the due diligence concerns and best practices provide important advice to all companies working with third-party vendors. See our two-part series on vendor risk management: “Nine Due Diligence Questions” (May 25, 2016), and “14 Key Contract Terms” (June 8, 2016).

  • From Vol. 3 No.14 (Jul. 12, 2017)

    How Small Businesses Can Maximize Cybersecurity Protections and Prioritize Their Spending

    While surviving as a small or medium-sized business is challenging enough, the realization that the company could fail if it suffers a cyber attack adds another measure of stress. Knowing where to start and obtaining and allocating the right resources are key to ensuring adequate cybersecurity. Panelists at the recent Georgetown Cybersecurity Law Institute discussed ways that small and medium-sized businesses can take meaningful cybersecurity steps given their limited budgets and, in some cases, expertise. See “Using a Risk Assessment as a Critical Component of a Robust Cybersecurity Program (Part One of Two)” (Nov. 16, 2016); Part Two (Nov. 30, 2016).

  • From Vol. 3 No.13 (Jun. 28, 2017)

    Cyber Crisis Communication Plans: What Works and What to Avoid (Part Two of Two)

    Even a small cyber incident can erupt into a major high-profile event depending on whether and how it becomes public. Because of the damaging effects press coverage can have, companies should be prepared with a thorough communications plan that contemplates more than just technical answers. In this second installment of our two-part article series on cyber crisis communication plans, experts offer advice on strategies for handling external communications to the media, regulators and other stakeholders, including specific questions companies might face; how to control and coordinate with a third-party vendor; and how to overcome common pitfalls and challenges. Part one covered key stakeholders and their roles, crucial playbook components and the benefits of planning ahead, and how to approach internal communications during a cyber crisis event. See also our three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).

  • From Vol. 3 No.12 (Jun. 14, 2017)

    Are New York’s Cyber Regulations a “Game Changer” for Hedge Fund Managers?

    Experts caution that the New York State Department of Financial Services’ cybersecurity regulations are relevant beyond the covered entities to hedge fund managers, for example, because compliance with the regulations may become the “gold standard.” Some state organizations, such as the Colorado Division of Securities, have already proposed similar rules following New York’s lead. Panelists at the recent Alternative Asset Management Symposium sponsored by Crystal & Company highlighted the key provisions and discussed how they may affect alternative asset managers and their service providers. The experts from Crystal, Brown Rudnick, Mullen Coughlin, Charles River Associates and Prosek Partners addressed the impact of the regulations, including the CISO’s role, third-party vetting and potential enforcement. See “What Covered Financial Entities Need to Know About New York’s New Cybersecurity Regulations” (Mar. 8, 2017).

  • From Vol. 3 No.10 (May 17, 2017)

    Investigative Realities: Working Effectively With Forensic Firms (Part Two of Two)

    Lawyers and forensic investigators must work together when investigating breaches, but the differences in their outlook and approach can sometimes make that difficult. In a two-part guest article series, Stephen Surdu, a senior advisor at Covington, and Jennifer Martin, of counsel at Covington, provide insight into how forensic teams work during the investigative process and how to make the process smoother and more effective. This second part addresses how to work with forensic teams when documenting and otherwise communicating findings, and during the remediation process. The first installment addressed investigative realities and how attorneys and forensic investigators can gain an understanding of each other’s perspectives and preemptively discuss any potential issues to be in the best position to address them efficiently during an investigation. See also our three-part series on forensic firms: “Understanding and Leveraging Their Expertise From the Start” (Feb. 22, 2017); “Key Contract Considerations and Terms” (Mar. 8, 2017); and “Effective Vetting and Collaboration” (Mar. 22, 2017).

  • From Vol. 3 No.9 (May 3, 2017)

    Investigative Realities: Working Effectively With Forensic Firms (Part One of Two)

    Lawyers and computer forensic investigators have significantly different skills and perspectives, both of which are essential during cybersecurity incident response. The differences, however, can create friction and even conflict in setting priorities, communicating effectively and interpreting findings. In a two-part guest article series, Stephen Surdu, a senior advisor at Covington, and Jennifer Martin, of counsel at Covington, provide legal counsel with a better understanding of the focus of the forensic team in incident response, the various factors and evidentiary realities that may affect how an investigation is performed, and why response teams cannot always reach definitive conclusions. This first installment addresses investigative realities and how attorneys and forensic investigators can gain an understanding of each other’s perspectives and preemptively discuss any potential issues to be in the best position to address them efficiently during an incident and to provide the greatest value to their clients. See also our three-part series on forensic firms: “Understanding and Leveraging Their Expertise From the Start” (Feb. 22, 2017); “Key Contract Considerations and Terms” (Mar. 8, 2017); and “Effective Vetting and Collaboration” (Mar. 22, 2017).

  • From Vol. 3 No.8 (Apr. 19, 2017)

    What In-House and Outside Counsel Need to Know About ACC’s First Model Cybersecurity Practices for Law Firms

    The publicized breaches of major law firms last year served as a wake-up call for the legal industry, signaling the importance of having effective cybersecurity measures in place. On the heels of these breaches, the Association of Corporate Counsel released a set of model cybersecurity practices to help in-house counsel set expectations with respect to the data-security practices of their outside counsel and serve as a benchmark for best practices. But how realistic are those guidelines? Justin Hectus, the CIO and CISO of Keesal, Young and Logan, told The Cybersecurity Law Report that “the reality is that it’s a buyer’s market right now in legal. If a law firm is not willing to do these kinds of things in order to keep the clients’ data safe, then another firm will be willing to do it, as there are plenty of firms that take these steps even absent client pressure.” We analyze the guidelines’ recommendations with input from Hectus on the practicality of their implementation. See also “Eight Attributes In-House Counsel Look For in Outside Cybersecurity Counsel” (Jun. 8, 2016); and “How Law Firms Should Strengthen Cybersecurity to Protect Themselves and Their Clients” (Mar. 30, 2016).

  • From Vol. 3 No.6 (Mar. 22, 2017)

    Forensic Firms: Effective Vetting and Collaboration (Part Three of Three)

    Because a forensic investigation by a security firm often drives the critical path of incident response, companies are best positioned to respond quickly and effectively to potential incidents by identifying and onboarding a security firm before an incident arises. With a myriad of firms from which to choose, not only must a company carefully select the right one, but both sides must communicate effectively to build a trusting relationship. With advice from in-house and outside cybersecurity counsel as well as forensic and security experts, our three-part article series on forensic firms addresses these and other considerations. This third installment provides advice on evaluating the forensic firm to determine if it has the right expertise and how to communicate and collaborate with these experts once they are brought on board. Part two examined contract considerations, key terms and what companies should expect in deliverables. Part one explained the expertise of forensic firms, why they are used, and their role before and after an incident. See also “Key Strategies to Manage the First 72 Hours Following an Incident” (Feb. 8, 2017).

  • From Vol. 3 No.6 (Mar. 22, 2017)

    How to Establish and Manage a Successful Bug Bounty Program

    Bug bounty programs – paying a researcher who has found a “bug” in a company’s system – can be effective at mitigating cybersecurity risk, but they must be implemented and managed carefully lest they be abused and backfire. Cassio Goldschmidt, vice president in Stroz Friedberg’s cyber resilience practice, spoke to The Cybersecurity Law Report about the steps to take to establish a bug bounty program, including the measures that should be in place prior to launching it, and how to best manage a successful program. See also “Tech Meets Legal Spotlight: What to Do When IT and Legal Slow the Retention of a Third-Party Vendor” (Nov. 30, 2016).

  • From Vol. 3 No.5 (Mar. 8, 2017)

    Forensic Firms: Key Contract Considerations and Terms (Part Two of Three)

    Companies are increasingly turning to outside forensic firms for assistance with both proactive cybersecurity measures as well as incident response. To optimize the relationship, companies must carefully choose a firm, negotiate the right contract terms, and effectively collaborate with the chosen forensic service provider. With advice from in-house and outside cybersecurity counsel as well as forensic and security experts, our three-part article series on forensic firms addresses these considerations. This second part examines contract considerations, key terms and what companies should expect in deliverables. Part one explained the expertise of forensic firms, why they are used, and their role before and after an incident. Part three will provide advice on evaluating the forensic firm to determine if it has the right expertise and how to communicate and collaborate with these experts once they are brought on board. See also “Key Strategies to Manage the First 72 Hours Following an Incident” (Feb. 8, 2017).

  • From Vol. 3 No.3 (Feb. 8, 2017)

    How Fund Managers Can Prepare for Investor Cybersecurity Due Diligence 

    Cybersecurity remains a top-of-mind issue for regulators, investors and investment advisers. As part of operational due diligence, investors often evaluate whether an adviser has robust cybersecurity defenses. Similarly, advisers must ensure that their administrators, brokers and other third parties have appropriate defenses. A recent program hosted by the Investment Management Due Diligence Association gave specifics on what investors may be looking for, including due diligence questions they may ask and how they may evaluate a firm’s cybersecurity program, including its cyber insurance. See also our two-part series on vendor risk management “Nine Due Diligence Questions” (May 25, 2016), and “14 Key Contract Terms” (June 8, 2016). 

  • From Vol. 3 No.1 (Jan. 11, 2017)

    Ten Cybersecurity Priorities for 2017

    Even companies that have mature information security practices in place must exercise constant vigilance by reevaluating their needs and improving their approaches. The Cybersecurity Law Report spoke with several experts to find out what companies should be focusing on and how they should allocate time and resources when setting cybersecurity priorities for 2017. In this article, we outline the resulting top ten cybersecurity action items for companies to tackle to ensure a more secure new year. See also “Cybersecurity Preparedness Is Now a Business Requirement” (Feb. 17, 2016).

  • From Vol. 2 No.25 (Dec. 14, 2016)

    Considerations for Managing Cybersecurity and Privacy Risk in Outsourcing Contracts

    Companies must ensure cybersecurity and privacy issues are addressed when establishing new outsourcing arrangements and should continue to monitor those issues as the outsourcing relationship continues. At a recent PLI program, Mayer Brown partner Rebecca Eisner discussed how attorneys and boards of directors can mitigate cyber risk prior to entering such arrangements (including specific contractual terms to consider) and how they can best monitor outsourcing providers during the relationship. See also our two-part series on vendor risk management “Nine Due Diligence Questions” (May 25, 2016), and “14 Key Contract Terms” (June 8, 2016). 

  • From Vol. 2 No.24 (Nov. 30, 2016)

    Attorney-Consultant Privilege? Structuring and Implementing the Kovel Arrangement (Part Two of Two)

    So-called “Kovel arrangements” provide unique opportunities for companies and their legal counsel to extend the attorney-client privilege to consultants. After deciding to use the arrangement, the next (and most important) step is ensuring that the entire Kovel engagement is performed correctly so that the privilege will be recognized by regulators and courts, and documents detailing the company’s operational deficiencies are not unnecessarily made available. This article, the second in a two-part series, provides practical guidance regarding the provisions that need to be included in an engagement letter with a consultant, details daily steps a company must take to ensure it remains Kovel-compliant, and examines circumstances under which it is and is not appropriate for companies to employ Kovel arrangements. The first article in this series detailed the legal requirements of the Kovel doctrine, as well as considerations for companies when deciding whether to invoke or waive the privilege. See also “Preserving Privilege Before and After a Cybersecurity Incident (Part One of Two)” (Jun. 17, 2015); Part Two (Jul. 1, 2015). 

  • From Vol. 2 No.24 (Nov. 30, 2016)

    Tech Meets Legal Spotlight: What to Do When IT and Legal Slow the Retention of a Third-Party Vendor

    When an organization hires a third-party vendor that needs access to its network systems, a failure of legal and IT to coordinate the implementation of that access can cause costly delays. The Cybersecurity Law Report discussed the problem with David Cass, the CISO of IBM’s cloud and SaaS operational services, using a fact pattern familiar to many companies: A company is seeking to hire a third-party vendor that needs access to its network systems to perform its duties, but legal and IT have different ideas about the process, and the project stalls. Cass offered advice to bridge the gap between technology and legal teams. See also our two-part series on vendor risk management: “Nine Due Diligence Questions” (May 25, 2016), and “14 Key Contract Terms” (June 8, 2016). 

  • From Vol. 2 No.23 (Nov. 16, 2016)

    Attorney-Consultant Privilege? Key Considerations for Invoking the Kovel Doctrine (Part One of Two)

    As organizations increasingly engage consultants to conduct cyber risk assessments and to assist in the event of a breach, a logical concern is whether the attorney-client privilege is available to protect those efforts. The Kovel decision in the Second Circuit extended the attorney-client privilege to third parties assisting attorneys in representing clients under certain circumstances. This two-part series describes the use of so-called “Kovel arrangements” by companies to extend the attorney-client privilege to interactions with consultants. This first article describes the requirements of the Kovel privilege as established by case law, as well as critical considerations for deciding whether to invoke or waive the privilege when interacting with regulators or litigants. The second article will detail the requisite features of a fully compliant Kovel arrangement and will examine circumstances under which it is and is not appropriate for companies to employ Kovel arrangements. See also “Target Privilege Decision Delivers Guidance for Post-Data Breach Internal Investigations” (Nov. 11, 2015).

  • From Vol. 2 No.22 (Nov. 2, 2016)

    How to Protect Against Weaponized Devices in Light of the Massive Denial-of-Service Attack

    Tweets, shopping, money transfers and entertainment were some of the countless internet activities stopped in their tracks by a recent massive attack on a domain name service provider. The hackers utilized ordinary household connected devices to carry out one of the largest denial-of-service attacks to date, shutting down more than a thousand sites such as Amazon, Twitter, Netflix and PayPal. While such attacks are not new and are typically quickly mitigated, this one was critically different in terms of its scale and its reliance on compromised connected devices, and presented “another type of attack that even state-of-the-art organizations in terms of data security have to contend with,” Ed McAndrew, a partner at Ballard Spahr, told The Cybersecurity Law Report. See “Tackling Privacy and Cybersecurity Challenges While Fostering Innovation in the Internet of Things” (May 20, 2015).

  • From Vol. 2 No.21 (Oct. 19, 2016)

    How the Financial Services Industry Can Handle Cybersecurity Threats, Acquisition Diligence and Breach Response

    The financial services sector is often praised as having some of the most mature cybersecurity practices, but it also holds especially sensitive data and is one of the most common targets for malicious hackers. Asset managers in particular are confronted with general cybersecurity risks while navigating industry nuances. At a recent panel hosted by Major, Lindsey & Africa, Debevoise partners Luke Dembosky and Jim Pastore, both former federal prosecutors, addressed emerging cybersecurity threats, risks from vendors, potential breaches in a pre-acquisition and post-acquisition context, breach response and special considerations for breaches of investor or consumer data. Much of the advice is relevant to all companies grappling with data security risks and breach consequences. See also our two-part series on how the financial services sector can meet the cybersecurity challenge: “A Snapshot of the Regulatory Landscape (Part One of Two)” (Dec. 9, 2015); “A Plan for Building a Cyber-Compliance Program (Part Two)” (Jan. 6, 2016).

  • From Vol. 2 No.20 (Oct. 5, 2016)

    Essential Cyber Due Diligence Considerations in M&A Deals Raised by Yahoo Breach

    Yahoo’s 2014 massive data breach, made public only two months after Verizon announced its plans to acquire Yahoo for $4.83 billion, highlights the necessity for proper cybersecurity due diligence in advance of an acquisition, and for the acquiring company to account for an undetected breach as part of the value of the transaction. There probably needs to be “a little more cybersecurity homework done before pulling the trigger on an acquisition. We hope this situation brings that conversation to the forefront,” Milan Patel, a managing director in K2 Intelligence’s cyber defense practice, told The Cybersecurity Law Report. In this article, with insight from attorneys and technical consultants, we examine current contingencies in Verizon’s deal with Yahoo and detail steps companies should be taking to identify and mitigate cyber risk through due diligence and how to structure a deal to account for those potential risks. See “Tackling Cybersecurity and Data Privacy Issues in Mergers and Acquisitions (Part One of Two)” (Sep. 16, 2015); Part Two (Sep. 30, 2015). 

  • From Vol. 2 No.19 (Sep. 21, 2016)

    What Private Companies Can Learn From the OPM Data Breaches

    The recent breaches of the U.S. Office of Personnel Management illustrate the importance of an effective information security program for businesses in both the public and private sector. A recently released exhaustive investigative report by the House Oversight and Government Reform Committee outlines findings and recommendations to help the federal government better acquire, deploy, maintain and monitor its information technology. “The [Report] is replete with recommendations that private sector entities should be considering seriously,” DLA Piper partner Jim Halpert told The Cybersecurity Law Report. This article summarizes the committee’s findings and examines valuable lessons applicable to both the public and private sectors. See also “White House Lays Out Its Broad Cybersecurity Initiatives” (Feb. 17, 2016).

  • From Vol. 2 No.15 (Jul. 20, 2016)

    How the Financial Services Industry Can Manage Cyber Risk

    Financial services providers and financial institutions are prime targets for hackers, and have also been targets of SEC scrutiny – the agency has recently brought actions against Morgan Stanley, Craig Scott Capital, and RT Jones for cybersecurity violations, even in the absence of a breach. How can firms in those industries ensure their cybersecurity programs are robust and mitigate risk? At a recent symposium held by the Hedge Fund Association, panelists with various cybersecurity perspectives and expertise shared their insight on preparedness, incident response plans, vendor management, cyber insurance (including recommendations for carriers) and whether to use cloud services. See also our two-part series on how the financial services sector can meet the cybersecurity challenge: “A Snapshot of the Regulatory Landscape (Part One of Two)” (Dec. 9, 2015); “A Plan for Building a Cyber-Compliance Program (Part Two)” (Jan. 6, 2016).

  • From Vol. 2 No.14 (Jul. 6, 2016)

    Mitigating Cyber Risk in M&A Deals and Third-Party Relationships

    Ensuring that a target, or a third-party vendor, has adequate cybersecurity controls before the company takes on the risks of that entity is of paramount importance in today’s cyber threat environment. At a recent PLI panel, counsel at Tiffany & Co. and EY shared advice for conducting M&A due diligence, including specific questions to ask, and presented a five-step plan for assessing and addressing data security and privacy risks that accompany third-party vendor relationships. See also “Tackling Cybersecurity and Data Privacy Issues in Mergers and Acquisitions (Part One of Two)” (Sep. 16, 2015); Part Two (Sep. 30, 2015).

  • From Vol. 2 No.12 (Jun. 8, 2016)

    Vendor Cyber Risk Management: 14 Key Contract Terms (Part Two of Two)

    Actions by third-party vendors with access to a company’s data are the cause of some of the most damaging breaches. Carefully vetting and monitoring those vendors is crucial to a strong cybersecurity program. At a recent panel at IAPP’s Global Privacy Summit, counsel from Under Armour, AOL and Unisys provided practical guidance on how to implement a comprehensive vendor management program. This article, the second installment in our coverage of the panel, includes fourteen key cybersecurity provisions to include in vendor contracts and the panelists’ strategies for monitoring the vendor relationship and for effective breach response. The first article in our series includes the panelists’ discussion of nine questions to ask vendors during the due diligence process and factors to consider before contract negotiations. See also “Learning From the Target Data Breach About Effective Third-Party Risk Management”: Part One (Sep. 16, 2015); Part Two (Sep. 30, 2015).

  • From Vol. 2 No.11 (May 25, 2016)

    Vendor Cyber Risk Management: Nine Due Diligence Questions (Part One of Two)

    Some of the biggest cybersecurity headlines point to suppliers as the root cause of the most damaging breaches. This highlights the importance of carefully vetting and monitoring vendors as part of a strong cybersecurity program. At a recent panel at IAPP’s Global Privacy Summit, counsel from Under Armour, AOL and Unisys provided practical guidance on how to implement a comprehensive vendor management program and mitigate data security and privacy risks third-party vendors present. This first article in our series includes the panelists’ discussion of nine questions to ask vendors during the due diligence process and factors to consider before contract negotiations. The second installment in our coverage of the panel will include fourteen key cybersecurity provisions to include in vendor contracts. See also “Learning From the Target Data Breach About Effective Third-Party Risk Management”: Part One (Sep. 16, 2015); Part Two (Sep. 30, 2015).

    Read Full Article …
  • From Vol. 2 No.6 (Mar. 16, 2016)

    Designing, Implementing and Assessing an Effective Employee Cybersecurity Training Program (Part Three of Three)

    An effective employee cybersecurity program does not start or end with a single training session. To combat evolving threats, companies need to establish ongoing communications with employees and continuously evaluate their training program. In this final article in our three-part series on the topic, outside counsel, consultants, and in-house experts provide actionable insight and recommendations on how companies should follow up after the initial training. They also address the challenges of establishing an employee cybersecurity training program and how to handle training when dealing with third-party vendors. Part one of the series discussed tailoring policies and training to the type of company and universe of employees, and part two highlighted ten important topics to cover during training, as well as strategies for engaging employees and getting the message across. See also “Strategies for Preventing and Handling Cybersecurity Threats From Employees” (Apr. 8, 2015).

    Read Full Article …
  • From Vol. 1 No.17 (Nov. 25, 2015)

    How to Protect Intellectual Property and Confidential Information in the Supply Chain

    Sharing information, including intellectual property, with third parties such as suppliers, distributors and consultants is essential for the operations of many companies but exposes them to various points of cyber risk.  Pamela Passman, President and CEO at the Center for Responsible Enterprise and Trade (CREATe.org), spoke with The Cybersecurity Law Report about how to assess and mitigate third-party and supply chain risk.  CREATe.org, a global NGO, works with companies and third parties with whom they do business to help put processes in place to prevent corruption and protect intellectual property, trade secrets and other confidential information.  See also “Protecting and Enforcing Trade Secrets in a Digital World,” The Cybersecurity Law Report, Vol. 1, No. 13 (Sep. 30, 2015).

    Read Full Article …
  • From Vol. 1 No.17 (Nov. 25, 2015)

    Implementing an Effective Cloud Service Provider Compliance Program

    The ubiquity of cloud computing platforms as a tool for companies to share, store and back up critical and sensitive data has catapulted the implementation of a comprehensive third-party cloud service provider program to the top of compliance officers’ ever-growing to-do lists.  During a recent seminar held by the Society of Corporate Compliance & Ethics, Web Hull, a privacy, data protection and compliance advisor, provided a practical framework for engaging, managing, auditing and monitoring third-party cloud computing providers.  This article summarizes those insights, including key risks, and compiles the resources compliance officers can use to meet the relevant state and federal cybersecurity regulatory requirements.  See also “Examining Evolving Legal Ethics in the Age of the Cloud, Mobile Devices and Social Media (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 11 (Aug. 26, 2015); Part Two, Vol. 1, No. 12 (Sep. 16, 2015); and “The Advantages of Sending Data Up to the Cloud,” The Cybersecurity Law Report, Vol. 1, No. 6 (Jun. 17, 2015).

    Read Full Article …
  • From Vol. 1 No.13 (Sep. 30, 2015)

    Learning from the Target Data Breach About Effective Third-Party Risk Management (Part Two of Two)

    Third-party relationships are integral to companies of all sizes, and bring with them increasingly sophisticated cybersecurity risk, as highlighted by the Target data breach.  In our continued coverage of a recent third-party risk management webinar, Mintz Levin attorneys Cynthia Larose and Peter Day provide concrete strategies for implementing and monitoring a third-party risk management program that protects data from third-party security breaches.  In part one, they discussed lessons from Target’s breach, and business and regulatory justifications for a strong third-party risk management program.  See also “Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015); Part Two, Vol. 1, No. 2 (Apr. 22, 2015).

    Read Full Article …
  • From Vol. 1 No.12 (Sep. 16, 2015)

    Learning from the Target Data Breach About Effective Third-Party Risk Management (Part One of Two)

    Companies and law firms are increasingly partnering with vendors and other third parties to outsource formerly in-house functions in order to reduce operating costs and increase focus on core businesses.  But, as Mintz Levin attorneys Cynthia Larose and Peter Day said during a recent webinar, the potential consequences of failing to adequately manage the risks associated with giving third parties access to highly confidential systems and information can be disastrous, as evidenced by the 2013 Target data breach.  In part one of our two-part article series, Larose and Day discuss lessons from Target’s breach and business and regulatory justifications for a strong third-party risk management (TPRM) program.  In part two, they will detail strategies for implementing and monitoring a TPRM program that protects companies’ data – and their clients’ and customers’ data – from third-party security breaches.  See “Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015); Part Two of Two, Vol. 1, No. 2 (Apr. 22, 2015).

    Read Full Article …
  • From Vol. 1 No.10 (Aug. 12, 2015)

    Surveys Find Internal and Third-Party Cybersecurity Risks Among Top Executive Concerns

    Corporate executives, even those with great defense resources, consider cybersecurity one of the most worrisome issues they confront.  In this article, experts from Deloitte, Protiviti and the Santa Fe Group dissect the results of two recent studies.  Greg Dickinson, a director at Deloitte who leads the quarterly survey “CFO Signals: What North America’s top finance executives are thinking – and doing,” explained how and why many CFOs are feeling unprepared for cybersecurity threats.  In addition, while discussing the “2015 Vendor Risk Management Benchmark Study: The Shared Assessments Program and Protiviti Examine the Maturity of Vendor Risk Management,” Rocco Grillo, cybersecurity managing director at Protiviti, and Gary Roboff, senior advisor to the Santa Fe Group and manager of its Shared Assessments Program, explain how the finance industry outperforms others in third-party risk management and stress the importance of risk committees and data mapping.  See also “Ponemon Study Finds Increasing Data Breach Costs and Analyzes Causes,” The Cybersecurity Law Report, Vol. 1, No. 5 (Jun. 3, 2015).

    Read Full Article …
  • From Vol. 1 No.6 (Jun. 17, 2015)

    Model Cybersecurity Contract Terms and Guidance for Investment Managers to Manage Their Third-Party Vendors

    Investment managers use a wide range of third-party vendor-provided products and services to manage their daily operations, and many of those third parties have access to sensitive data.  Ensuring that data is protected from theft, either deliberate or inadvertent, is paramount.  In a guest article, Schulte Roth & Zabel partner Robert Kiesel provides practical vendor management guidance and comprehensive contract provisions, and discusses critical policies and contract terms that investment managers can use to protect their, and their investors’, data.  See “Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015); Part Two of Two, Vol. 1, No. 2 (Apr. 22, 2015). 

    Read Full Article …
  • From Vol. 1 No.6 (Jun. 17, 2015)

    Sample Questions for Companies to Ask to Assess Their Law Firms’ Cybersecurity Environment

    Law firms constantly handle sensitive information, often in digital form, and, as Jennifer Topper of Topper Consulting explained in “Understanding and Addressing Cybersecurity Vulnerabilities at Law Firms: Strategies for Vendors, Lawyers and Clients,” defending against cybersecurity threats presents particular challenges to law firms and their service providers.  Corporate clients should understand how their law firms handle data.  In this article, Topper provides a non-technical questionnaire corporate clients can use to obtain and assess that information from law firms as well as from other vendors.

    Read Full Article …
  • From Vol. 1 No.5 (Jun. 3, 2015)

    Understanding and Addressing Cybersecurity Vulnerabilities at Law Firms: Strategies for Vendors, Lawyers and Clients

    Handling and discussing sensitive and confidential information is an essential aspect of law practice.  But defending against the cybersecurity threats that accompany the increasingly digital form of such information presents particular challenges to law firms and their service providers.  In a guest article, Jennifer Topper of Topper Consulting explores cybersecurity vulnerabilities at law firms that service providers often do not understand; structural and operational obstacles to addressing those vulnerabilities; and steps that law firms are taking, as client pressure increases, to address this critical issue.  In a subsequent issue of The Cybersecurity Law Report, Topper will provide a non-technical questionnaire corporate clients can use to help understand the data security at the law firms they use.  See also “How Can a Company Mitigate Cyber Risk with Cross-Departmental Decisionmaking?,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

    Read Full Article …
  • From Vol. 1 No.5 (Jun. 3, 2015)

    Navigating Data Breaches and Regulatory Compliance for Employee Benefit Plans

    Employee benefit plans, including health and pension plans, are prime targets of hackers, as evident from the most recent Anthem and Premera crises, and the proper proactive and reactive steps are key to mitigating breach risk and breach fallout.  In a recent Strafford webinar, Ogletree Deakins attorneys Vance E. Drawdy, Timothy G. Verrall and Stephen A. Riga shared their insights on best practices for fiduciaries and sponsors to navigate the complex state and federal regulations on data breaches that are applicable to ERISA benefit plans.  This article details some of their advice on preventing, assessing and responding to a plan data breach.  See also “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

    Read Full Article …
  • From Vol. 1 No.2 (Apr. 22, 2015)

    Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part Two of Two)

    Vendors and other third parties – necessary for most businesses – present significant cybersecurity risks and are frequently the source of breaches, from large-scale incidents to smaller data leaks.  Properly vetting these third parties is a challenging, but critical, aspect of cybersecurity programs.  This article series provides a three-step framework to appropriately allocate resources to due diligence and mitigate the risks third parties pose.  Part One provided a framework for companies to (1) categorize potential vendors based on risk levels, including specific questions to ask; and (2) conduct initial due diligence on vendors that present a medium or high level of risk.  Part Two addresses when the categorization of medium-risk vendors should move to high-risk based on red flags discovered during the initial due diligence and details step three of the framework: deeper due diligence for high-risk vendors, including follow-up questioning, documentation of audits or certifications and in-person diligence. 

    Read Full Article …
  • From Vol. 1 No.2 (Apr. 22, 2015)

    FCC Makes Its Mark on Cybersecurity Enforcement with Record Data Breach Settlement

    With its $25 million settlement with AT&T, the “FCC has now planted its flag, and sent the message that it will use its powers to protect consumers,” Jenny Durkan, a partner at Quinn Emanuel Urquhart & Sullivan, told The Cybersecurity Law Report.  The FCC’s decision earlier this year to classify Internet providers as public utilities under the FCC’s jurisdiction has caused a broad range of companies to follow the agency’s actions closely.  The record AT&T settlement resolves an investigation into the theft of information by employees of a vendor call center in Mexico and requires AT&T to, among other things, overhaul its compliance program, provide free credit-monitoring services for affected customers and meet certain compliance benchmarks at intervals for the next seven years. 

    Read Full Article …
  • From Vol. 1 No.1 (Apr. 8, 2015)

    Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two)

    Vendors and other third parties are vital to most businesses, but can leave a company dangerously vulnerable to a breach of its data or network.  As the Target breach demonstrated, even a non-IT vendor can cause widespread damage.  Properly vetting third parties remains one of the most challenging aspects of cybersecurity programs.  In order to appropriately allocate due diligence resources, companies must first assess potential third parties to determine which of them present low, medium or high levels of cybersecurity risk and subsequently conduct the corresponding levels of diligence.  This article, the first in our series, provides a framework for companies to (1) categorize potential vendors based on risk, including specific questions to ask; and (2) conduct initial due diligence on vendors that present a medium or high level of risk.  Part Two will address the third step of deeper due diligence for high-risk vendors.

    Read Full Article …