The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Federal Legislation

  • From Vol. 4 No.7 (Apr. 11, 2018)

    Breaking the Cloud: CLOUD Act Brings Data Held Overseas Under U.S. Jurisdiction

    On the heels of Supreme Court oral arguments in a case that brought the data issues of international law enforcement front and center, Congress passed the CLOUD Act, a major step by the U.S. in extending the reach of law enforcement where electronic content is concerned. The law is controversial, but its significance is not in dispute – “it purports to resolve the question of whether and how the federal government can compel service providers that are within the jurisdiction of the U.S. courts to produce data stored abroad,” Paul Hastings partner Behnam Dayanim told The Cybersecurity Law Report. In this article, we analyze the law and its implications. See “Managing Data Privacy Across Multiple Jurisdictions” (Nov. 8, 2017); and “Navigating Data Privacy Laws in Cross-Border Investigations” (Dec. 14, 2016).
  • From Vol. 4 No.3 (Feb. 14, 2018)

    Dynamic Regulations and Shareholder Actions Guide the Board’s Shifting Role in Cyber (Part Two of Two)

    As large-scale data breaches become regular occurrences, and new regulations are implemented, shareholder derivative suits are increasingly being used by investors seeking to be made whole after data breaches. Boards of directors need to take note and understand the increasing costs and risks these suits pose. In this second part of a guest article series, Shearman & Sterling attorneys Jeewon Kim Serrato, Marc Elzweig and David Lee draw on the recent cases examined in part one and identify five lessons that boards may learn from these suits – lessons that are applicable to companies seeking to assess litigation risks related to data breaches and that also provide a practical starting point for managing cybersecurity risks in general. See “Key Post-Breach Shareholder Litigation, Disclosure and Insurance Selection Considerations” (Aug. 3, 2016).
  • From Vol. 4 No.2 (Jan. 31, 2018)

    Dynamic Regulations and Shareholder Actions Guide the Board’s Shifting Role in Cyber (Part One of Two)

    Post-breach litigation can be costly, and the rise of one type in particular – shareholder derivative suits filed against boards of directors of companies that have suffered data breaches – merits further attention. Regulatory changes, including the GDPR, may make such suits more frequent in addition to creating other data breach response expenses. Boards of directors need to take note and understand these increasing costs and risks. In part one of this guest article series, Jeewon Kim Serrato, David Lee and Marc Elzweig, attorneys at Shearman & Sterling, review the evolving understanding of the board of directors’ responsibility for cybersecurity and consider several shareholder derivative suits filed in the wake of data breaches as case studies. In part two, they will consider some of the lessons that boards may learn from these suits. See “Key Post-Breach Shareholder Litigation, Disclosure and Insurance Selection Considerations” (Aug. 3, 2016).
  • From Vol. 3 No.18 (Sep. 13, 2017)

    Focus on Children’s Privacy by FTC and Plaintiffs Calls for Prioritizing COPPA

    The FTC and private plaintiffs have sharpened their focus on children’s privacy and COPPA in recent months. Updated COPPA guidance and approval for changes to a valuable safe harbor program for companies have been issued by the FTC. In addition, private plaintiffs are attempting to find ways to bring civil suits based on COPPA concepts despite the lack of a private right of action in the regulation itself. Companies “absolutely need to start thinking very seriously about COPPA compliance and the FTC’s warning. If the FTC starts to make enforcement a priority, it can certainly take a lot of steps to impose hefty sanctions on companies that are found out of compliance,” Eimer Stahl partner Dan Birk told The Cybersecurity Law Report. See also “Enforcing Consumer Consent: FTC Focuses on Location Tracking and Children’s Privacy” (Jul. 6, 2016).
  • From Vol. 3 No.14 (Jul. 12, 2017)

    Navigating the Intersection of ERISA Fiduciary Duties and Cybersecurity Risk

    Last year, two retirement-plan administrators experienced data breaches, and unlike the liability standards for breaches of healthcare plans, which are more certain, Employee Retirement Income Security Act of 1974 (ERISA) liability standards are not clear. In many instances, ERISA fiduciary duty can extend to cybersecurity or data protection. And liability for violations of ERISA fiduciary duties is personal to the individual fiduciary. This article summarizes insights presented by Poyner Spruill, LLP attorneys at a recent Strafford program on the relationship between cybersecurity and ERISA. The panelists looked at recent breaches and litigation involving ERISA plans; evaluated when cybersecurity is a fiduciary duty under ERISA; analyzed whether ERISA preempts state cybersecurity and data-protection laws; and explored how plan sponsors can implement effective cybersecurity measures. See also “Navigating Data Breaches and Regulatory Compliance for Employee Benefit Plans” (Jun. 3, 2015).
  • From Vol. 3 No.13 (Jun. 28, 2017)

    Three Takeaways From Congress’s Cross-Border Data Hearings

    The circumstances under which American law enforcement can obtain access to digital content information stored outside the United States are a critical issue for both the private and public sectors. The issue is currently under scrutiny both in recent Senate and House Judiciary Committee hearings and in continued litigation in Microsoft Corp. v. U.S., in which the DOJ has filed a petition in the Supreme Court seeking to challenge the Second Circuit’s decision quashing a warrant seeking overseas data. In this guest article, Jenner & Block attorneys David Bitkower and Natalie Orpett discuss warrants under the Stored Communications Act, the ongoing litigation, and key takeaways and insights from the hearings. See also “Second Circuit Quashes Warrant for Microsoft to Produce Email Content Stored Overseas” (Aug. 3, 2016).
  • From Vol. 3 No.9 (May 3, 2017)

    Infrastructure Cybersecurity Challenges: A View Through the Oil and Gas Pipeline Lens

    In 1997, the ad hoc Presidential Commission on Critical Infrastructure Protection issued an ominous warning that “the capability to do harm” by “cyberattack” to America’s critical infrastructures “is growing at an alarming rate, and we have little defense against it.” Jones Walker partner Andrew R. Lee argues in this guest article that since then, we have accepted the reality that the threat of critical infrastructure terror attacks is now pervasive, and has also grown increasingly complex and diffuse. He dissects the cybersecurity landscape in the energy industry, explains the effects of regulations and industry initiatives, and shares insights on what is coming from the Trump Administration. See “WilmerHale Attorneys Explain the Evolving Cybersecurity Environment of the Energy Sector” (Nov. 16, 2016).
  • From Vol. 2 No.23 (Nov. 16, 2016)

    WilmerHale Attorneys Explain the Evolving Cybersecurity Environment of the Energy Sector

    Congress and federal agencies have dramatically strengthened cybersecurity requirements and authorities in the energy sector in recent years, with additional efforts underway. WilmerHale attorneys Jonathan Cedarbaum, Jason Chipman and Nathaniel Custer detailed these governmental efforts in an interview with The Cybersecurity Law Report, and discussed how the energy sector is responding to the changes. See also “How the American Energy Industry Approaches Security and Emphasizes Information Sharing” (Mar. 2, 2016).
  • From Vol. 2 No.23 (Nov. 16, 2016)

    Navigating U.S. and E.U. Cybersecurity Requirements

    Complicating cybersecurity’s rapidly evolving legal landscape is the lack of any single government or regulatory entity providing umbrella legislation or universal legal guidance. At a recent PLI program, Paul Tiao and Adam Solomon, a partner and associate, respectively, in Hunton & Williams’ global privacy and cybersecurity practice, examined the existing framework, steps that led there, and recent changes in cybersecurity’s legal landscape, both in the U.S. and in the E.U. See also “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?” (May 20, 2015).
  • From Vol. 2 No.20 (Oct. 5, 2016)

    Examining Newly Released Privacy and Security Guidance for the Fast-Driving Development of Autonomous Cars

    Auto manufacturers and technology companies are moving closer to making driverless cars a reality, much to the excitement and fear of consumers. While autonomous cars have the potential to provide enormous safety and environmental benefits, this uncharted territory also presents an array of unknowns for companies and consumers.  As a first step to address the risks of this new technology, and signal possible regulations, the government has released voluntary guidance for manufacturers that addresses safety, privacy and security. “The 15-point Safety Assessment may be a safe harbor that provides a benchmark for car manufacturers to meet,” Alma Murray, senior counsel for privacy at Hyundai Motor America, explained to The Cybersecurity Law Report. “This standard-setting is also good for the consumer/driver in that it sets a standard of care that must be met by manufacturers which, if not met, can subject the manufacturers to lawsuits.”  See also “Managing Risk for the Internet of Things in the Current Regulatory Landscape” (May 11, 2016); and “Tackling Privacy and Cybersecurity Challenges While Fostering Innovation in the Internet of Things” (May 20, 2015).
  • From Vol. 2 No.18 (Sep. 7, 2016)

    Navigating Online Identity Management’s Risks and Regulations

    As more time and money are spent online, identifying personal web presence is valuable in many ways for retailers, employers, and individuals. Online identity management (IdM) systems provide methods for generating and monitoring an individual’s internet presence. In a recent PLI webcast, Thomas J. Smedinghoff, of counsel at Locke Lord, explained how IdM systems work, how they are used, what risks they can create, as well as recent legal and regulatory developments that may affect the operation of such systems. See also “Managing Risk for the Internet of Things in the Current Regulatory Landscape” (May 11, 2016).
  • From Vol. 2 No.9 (Apr. 27, 2016)

    Mitigating the Risks of Using Social Media in the Workplace

    Both employees and employers continue to expand their use of social media, presenting a myriad of risks and spawning a spate of guidance and regulations. In a recent Practising Law Institute program, Christine Lyon, a partner at Morrison & Foerster, discussed recent developments related to social media in the workplace and detailed best practices for drafting a social media policy with the enforcement landscape in mind. See also “Avoiding Privacy Pitfalls While Using Social Media for Internal Investigations” (Dec. 9, 2015).
  • From Vol. 2 No.1 (Jan. 6, 2016)

    Opportunities and Challenges of the Long-Awaited Cybersecurity Act of 2015

    After years of discussions, numerous draft bills and extended debates about the privacy and liability risks associated with information sharing, on December 18, 2015, President Obama signed into law the Cybersecurity Act of 2015 as part of the omnibus spending bill.  Title I of the Act, Cybersecurity Information Sharing (CISA), establishes a framework for sharing and receiving cyber threat information among the private sector and federal government entities.  It shields companies from liability for sharing cyber threat information in accordance with certain procedures, as well as for specific actions undertaken to defend or monitor corporate networks.  Saxby Chambliss, DLA Piper partner and former U.S. Senator who served on the Senate Select Committee on Intelligence and sponsored an earlier cybersecurity bill, told The Cybersecurity Law Report that this Act “is going to be beneficial to both big and small companies.  It is another tool in the toolbox that allows companies to protect their systems and the information that is on them.”  However, Shahryar Shaghaghi, BDO Consulting’s managing director and technology advisory leader, cautioned that CISA will also pose “potential challenges” to companies in terms of the resources required to share cyber threat information and perceived privacy risk.  See also “How the Legal Industry Is Sharing Information to Combat Cyber Threats” (Sep. 16, 2015).
  • From Vol. 1 No.12 (Sep. 16, 2015)

    Learning from the Target Data Breach About Effective Third-Party Risk Management (Part One of Two)

    Companies and law firms are increasingly partnering with vendors and other third parties to outsource formerly in-house functions in order to reduce operating costs and increase focus on core businesses.  But, as Mintz Levin attorneys Cynthia Larose and Peter Day said during a recent webinar, the potential consequences of failing to adequately manage the risks associated with giving third parties access to highly confidential systems and information can be disastrous, as evidenced by the 2013 Target data breach.  In part one of our two-part article series, Larose and Day discuss lessons from Target’s breach and business and regulatory justifications for a strong third-party risk management (TPRM) program.  In part two, they will detail strategies for implementing and monitoring a TPRM program that protects companies’ data – and their clients’ and customers’ data – from third-party security breaches.  See “Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015); Part Two of Two, Vol. 1, No. 2 (Apr. 22, 2015).
  • From Vol. 1 No.8 (Jul. 15, 2015)

    Understanding and Mitigating Liability Under the Children’s Online Privacy Protection Act

    Faced with the threat of steep civil penalties that can arise from active FTC enforcement, operators of commercial websites must exercise caution when collecting personal information from children under the age of 13.  The long reach of the Children’s Online Privacy Protection Act (COPPA) applies not only to first-party website operators but also extends to third parties that collect personal information on behalf of first-party operators in certain circumstances.  In a recent presentation, attorneys Julia Siripurapu and Ari Moskowitz of Mintz Levin discussed key provisions and implementation of COPPA, including compliance, enforcement and applicability to third parties.  They also provided advice on best practices for websites and online services regarding the collection and use of children’s personal information, and for educational institutions as parental agents.
  • From Vol. 1 No.7 (Jul. 1, 2015)

    Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)

    As cybersecurity concerns permeate every industry, it becomes increasingly urgent for lawyers across disciplines to understand the most pressing threats and shifting regulatory landscape; help shape and direct the responses; and be able to effectively communicate and collaborate with technical security efforts.  In this first article in our two-part coverage of a recent panel at PLI’s Sixteenth Annual Institute on Privacy and Data Security Law, Lisa J. Sotto, managing partner of Hunton & Williams’ New York office and chair of the firm’s global privacy and cybersecurity practice, discusses the current cyber threat landscape and the relevant laws and rules.  See “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).  The second part will detail her advice on preparing for and responding to a cyber incident and will include insight from her co-panelist Vincent Liu, a partner at security consulting firm Bishop Fox, on how security and legal teams can effectively work together throughout the process.
  • From Vol. 1 No.7 (Jul. 1, 2015)

    SEC Commissioner Says Public-Private Partnership Is Key to Effective Cybersecurity

    In a speech at this year’s SINET Innovation Summit, SEC Commissioner Luis Aguilar emphasized the “scope and urgency” of cybersecurity threats and the ineffectiveness of many network security programs, citing a multitude of studies.  He also called for more formalized information-sharing between private sector companies and the government.  See also “In a Candid Conversation, FBI Director James Comey Talks About the ‘Evil Layer Cake’ of Cybersecurity Threats,” The Cybersecurity Law Report, Vol. 1, No. 5 (Jun. 3, 2015).
  • From Vol. 1 No.5 (Jun. 3, 2015)

    Navigating Data Breaches and Regulatory Compliance for Employee Benefit Plans

    Employee benefit plans, including health and pension plans, are prime targets of hackers, as evident from the most recent Anthem and Premera crises, and the proper proactive and reactive steps are key to mitigating breach risk and breach fallout.  In a recent Strafford webinar, Ogletree Deakins attorneys Vance E. Drawdy, Timothy G. Verrall and Stephen A. Riga shared their insights on best practices for fiduciaries and sponsors to navigate the complex state and federal regulations on data breaches that are applicable to ERISA benefit plans.  This article details some of their advice on preventing, assessing and responding to a plan data breach.  See also “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).
  • From Vol. 1 No.4 (May 20, 2015)

    After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?

    Recent reports detail a breathtaking and unrelenting rise in cyber breaches, with five malware events occurring every second, and 60% of successful attackers able to compromise an organization within minutes.  But the law has not kept pace with technological innovation.  There is no single uniform law protecting individual privacy, nor one that governs all of a company’s obligations or liabilities regarding data security and privacy.  As Jenny Durkan and Alicia Cobb, a partner and associate, respectively, at Quinn Emanuel Urquhart & Sullivan, detail in a guest post, any business that suffers a significant cyber breach almost certainly will face not only multiple civil suits, but multiple investigations by federal and state authorities.  The authors provide a roadmap to the key authorities and the patchwork of relevant rules and regulations.