The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation


By Topic: Data Mapping

  • From Vol. 4 No.6 (Mar. 28, 2018)

    When and How Legal and Information Security Should Engage on Cyber Strategy: It Starts With Governance (Part One of Three)

    Effective protection of key data requires a healthy relationship and frequent interaction between the legal and security functions. As regulators increasingly blend privacy and security subject matter, privacy officers and CISOs need to work together to stay compliant. This three-part series addresses when and how legal and security professionals should be communicating to build strong working relationships for a robust cybersecurity and data privacy program. Part one covers how to structure corporate governance for optimal collaboration between these two groups. Part two will look at how both teams can come together to assess risk and privacy impact. Part three will tackle coordination between legal and security on vendor assessments and in the M&A context. See “How Cyber Stakeholders Can Speak the Same Language (Part One of Two),” (Jul. 20, 2016); Part Two (Aug. 3, 2016).

  • From Vol. 3 No.20 (Oct. 11, 2017)

    Lessons From the Equifax Breach on How to Bolster Incident Response Planning (Part Two of Two)

    After a vulnerability that allowed hackers to access the sensitive personal data of an estimated 145.5 million individuals, Equifax is now facing numerous class actions along with multiple regulatory actions and investigations. “The facts as we see them raise the question of how well and whether Equifax tested the mega-breach scenario,” Mintz Levin partner Cynthia Larose told The Cybersecurity Law Report. In this second installment of our two-part series on incident response lessons from Equifax’s fallout, we provide experts’ top ten tips on ensuring a plan is efficient and effective. We also address the roles and responsibilities of key incident response stakeholders. In part one, we looked at Equifax’s mistakes and heard from experts on essential components of incident response planning and how to bolster those plans. See also our three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).

  • From Vol. 3 No.19 (Sep. 27, 2017)

    Lessons From the Equifax Breach on How to Bolster Incident Response Planning (Part One of Two)

    While it is now fairly common practice for organizations to have a formalized incident response plan, many organizations fail to test those plans, leaving them susceptible to unanticipated problems. Credit reporting agency Equifax learned this lesson the hard way when it was hit by a cyber attack that exposed the addresses, Social Security numbers and financial information of 143 million customers. The breach has also led to over 20 class actions filed to date, at least one AG action filed thus far (with pending investigations by other AG offices and the FTC), and the departures of the CSO, CIO and the CEO. Other companies can learn from this fallout. In this first installment of our two-part series on incident response lessons from Equifax, we hear from experts on key components of incident response planning and how to bolster those plans by learning from Equifax’s mistakes. Part two will provide expert tips on ensuring an incident response plan is efficient and effective and will address key stakeholders and their roles and responsibilities. See also our three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).

  • From Vol. 3 No.11 (May 31, 2017)

    One Year Until GDPR Enforcement: Five Steps Companies Should Take Now

    The European Union’s General Data Protection Regulation (GDPR) will be enforceable on May 25, 2018, with consequences for global businesses far broader than those of the decades-old European Data Protection Directive it replaces. The GDPR will have a vast reach, applying not only to E.U. companies that process personal data, but also non-E.U. companies that process personal data in connection with offering goods and services to individuals in the E.U. It will likewise apply to companies, regardless of location, that process data in the course of monitoring or profiling individuals in the E.U. In this guest article, Kiran Raj, Mallory Jensen and Sara Zdeb, attorneys at O’Melveny & Myers, discuss five key steps companies should take now to ensure compliance with the GDPR’s transformative requirements, avoid significant penalties, and improve their overall data-management practices. See also “A Discussion With Ireland’s Data Protection Commissioner Helen Dixon About GDPR Compliance Strategies (Part One of Two)” (Mar. 22, 2017); Part Two (Apr. 5, 2017).

  • From Vol. 3 No.10 (May 17, 2017)

    Tracking Data and Maximizing Its Potential

    How companies use and store data can be in conflict with regulations, notably the GDPR. Kristina Bergman, CEO and founder of Integris Software, and David Ray, Integris vice president, privacy, product and services, recently spoke to The Cybersecurity Law Report about using new technological tools to gain critical knowledge about companies’ data. That understanding not only facilitates compliance, but can also provide evidence for regulators, output concrete illustrations for a board or executive presentation, and assist in identifying the best data sets for marketing efforts. See “A Guide to Developing and Implementing a Successful Cyber Incident Response Plan: From Data Mapping to Evaluation (Part One of Three)” (Apr. 27, 2016).

  • From Vol. 2 No.22 (Nov. 2, 2016)

    Guide to Getting Your Security Program Certified Under ISO 27001

    Companies seeking guidance in the development and implementation of their information security programs are looking for a robust and recognized framework. The ISO/IEC 27001 standard offers exactly that, while also providing a useful evaluation process and valuable certification. In a guest article, Lionel Cochey, director of information of a large international law firm, provides a roadmap to the key aspects of the standard, the certification process, and the ongoing effort to remain certified on an annual basis. See also “Steps for Companies to Take This Week, This Month and This Year to Meet the Challenges of International Cyberspace Governance” (Mar. 30, 2016).

  • From Vol. 2 No.9 (Apr. 27, 2016)

    A Guide to Developing and Implementing a Successful Cyber Incident Response Plan: From Data Mapping to Evaluation (Part One of Three)

    Many organizations are coming to terms with the troubling fact that they will fall victim to a cyber attack at some point, if they have not already. An effective incident response plan can be one of the best tools to mitigate the impact of an attack – it can limit damage, increase the confidence of external stakeholders and reduce recovery time and costs. The Cybersecurity Law Report spoke with a range of top experts, including consultants, in-house and outside counsel, who answered some of the tougher practical questions that are typically left unanswered in this area. They shared in-depth advice on the subject based on their own challenges and successes. In the first article of this three-part series, we cover what type of incident the plan should address, who should be involved and critical first steps to take in developing the plan, including references to sample plans and practical resources. Parts two and three will examine key components of the plan, implementation, evaluating its efficacy, pitfalls, challenges and costs. See also “Minimizing Breach Damage When the Rubber Hits the Road” (Feb. 3, 2016).

  • From Vol. 2 No.8 (Apr. 13, 2016)

    Study Analyzes How Companies Can Overcome Cybersecurity Challenges and Create Business Value

    Many executives tasked with combatting cybersecurity threats lack necessary awareness and readiness, according to a survey commissioned by security firm Tanium and the NASDAQ. The Accountability Gap: Cybersecurity & Building a Culture of Responsibility (the Survey Report) includes findings of an extensive study involving 1,530 non-executive directors, CEOs, CISOs and CIOs of major corporations around the globe. Using information from a combination of one-on-one interviews and a quantitative survey, the Survey Report highlighted seven key cybersecurity challenges facing boards and executives and provided actionable advice in these areas. We examine these findings, with input from Lance Hayden, managing director of Berkley Research Group, and author of People-Centric Security. See also “Protecting the Crown Jewels Using People, Processes and Technology” (Sep. 30, 2015).

  • From Vol. 1 No.10 (Aug. 12, 2015)

    Surveys Find Internal and Third-Party Cybersecurity Risks Among Top Executive Concerns

    Corporate executives, even those with great defense resources, consider cybersecurity one of the most worrisome issues they confront. In this article, experts from Deloitte, Protiviti and the Santa Fe Group dissect the results of two recent studies. Greg Dickinson, a director at Deloitte who leads the quarterly survey “CFO Signals: What North America’s top finance executives are thinking – and doing,” explained how and why many CFOs are feeling unprepared for cybersecurity threats. In addition, while discussing the “2015 Vendor Risk Management Benchmark Study: The Shared Assessments Program and Protiviti Examine the Maturity of Vendor Risk Management,” Rocco Grillo, cybersecurity managing director at Protiviti, and Gary Roboff, senior advisor to the Santa Fe Group and manager of its Shared Assessments Program, explain how the finance industry outperforms others in third-party risk management and stress the importance of risk committees and data mapping. See also “Ponemon Study Finds Increasing Data Breach Costs and Analyzes Causes,” The Cybersecurity Law Report, Vol. 1, No. 5 (Jun. 3, 2015).

  • From Vol. 1 No.1 (Apr. 8, 2015)

    Ten Actions for Effective Data Risk Management

    High-profile data breaches expose breached companies to intense negative scrutiny from lawmakers, regulators, media, customers and plaintiffs’ attorneys. But not every data breach is a headline-grabbing theft of consumer credit card data – and small breaches cannot be ignored. Effective information risk management to prevent data leaks, the unauthorized transfer of information to the outside world, and security breach incidents requires a top-driven coordinated information security compliance program that is implemented on a company-wide basis. In a guest article, Jesse M. Brody, a partner at Manatt Phelps & Phillips, provides ten immediate steps companies should take to prevent data leaks and larger breach events.
