The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

Recent Issue Headlines

Vol. 1, No. 16 (Nov. 11, 2015)

  • How to Reduce Cybersecurity Risks of Bring Your Own Device Policies (Part Two of Two)

    The now-common practice of employees bringing their own devices into the office offers companies savings, but use of these devices comes with complex risks that must be addressed.  Part one of our two-part series discussed these risks and recommended BYOD policies and training to mitigate the risks.  This second article in the series explores how mobile device management programs and proper protocols for outgoing employees and lost devices can further reduce BYOD risks.  It also explains how BYOD policies can impact litigation, and even result in significant sanctions. 

  • Target Privilege Decision Delivers Guidance for Post-Data Breach Internal Investigations

    In a ruling that may clarify how companies should conduct breach responses to preserve privilege, on October 23, 2015, a federal district court in Minnesota found that certain documents created during Target’s internal investigation of its 2013 payment card breach were protected by the attorney-client privilege and work product doctrine.  The Target case “is one of the first cases we are seeing in the data breach context where the privilege issue has been tested,” Michelle A. Kisloff, a partner at Hogan Lovells, said.  The Court’s denial of class plaintiffs’ motion to compel production of these documents recognized “that data breach victims have a legitimate need to perform an investigation in the aftermath of a breach in which communications are protected by the attorney-client privilege,” Michael Gottlieb, a partner at Boies, Schiller & Flexner, told The Cybersecurity Law Report.  See also “Preserving Privilege Before and After a Cybersecurity Incident (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 6 (Jun. 17, 2015); Part Two, Vol. 1, No. 7 (Jul. 1, 2015).

  • What Companies Can Learn from Cybersecurity Resources in Pittsburgh

    Cyber crime is a serious threat – it cripples companies, damages economies, funds terrorism, launders drug money and bleeds the assets of individuals, according to the DOJ.  Often this cyber war is waged from shadows overseas (and often in the form of corporate cyber espionage).  Companies should be using a broad array of tools to prevent and mitigate the effect of international and domestic cyber crime, such as information sharing, sufficient cyber insurance and a thorough breach response plan that includes proper notification and preservation of evidence for future actions.  As K&L Gates attorneys Mark A. Rush and Joseph A. Valenti describe in a guest article, one place where law enforcement and the private sector have come together is Pittsburgh, where a string of major cyber crime cases has recently been prosecuted.  Developments there can serve as a model for cybersecurity measures across the country and across industries.  Rush and Valenti describe cybersecurity best practices before, during and after a breach, as well as some unique ways government officials and companies in Pittsburgh specifically are handling cyber crime.  See also “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).

  • California Law Enforcement Faces Higher Bar in Acquiring Electronic Information

    California, looked to as a leader in privacy protections as well as breach notification requirements, has passed the California Electronic Communications Privacy Act (CalECPA), a new law that raises the bar for state law enforcement seeking electronic information.  Aravind Swaminathan and Marc Shapiro, Orrick partner and associate, respectively, told The Cybersecurity Law Report what CalECPA – which requires state law enforcement officials to secure a warrant before they can access electronic information – means for companies and individuals.  See also “Orrick Attorneys Explain California’s New Specific Standards for Breach Notification,” The Cybersecurity Law Report, Vol. 1, No. 15 (October 28, 2015).

  • Liability Lessons from Data Breach Enforcement Actions

    Inadequate cybersecurity measures can expose companies not only to data breach incidents, but to liability from multiple fronts, including state attorneys general, the FTC and civil litigants.  In a recent panel at the Practising Law Institute, Michael Vatis, a Steptoe & Johnson partner, and KamberLaw partner David Stampley discussed the dynamic enforcement and judicial climate in this space, distilling actionable takeaways from recent settlements with state attorneys general, FTC actions including Wyndham, and evolving consumer litigation jurisprudence.  The enforcement actions and litigations are instructive for companies seeking to fortify their internal information security and data privacy efforts and guard against the risk of liability in the event of a breach.  See also “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015). 

  • New NFA Notice Provides Cybersecurity Guidance to Futures and Derivatives Market

    Cybersecurity in the futures and derivatives market is “perhaps the single most important new risk to market integrity and financial stability,” according to Commodity Futures Trading Commission Chairman Timothy Massad.  The National Futures Association (NFA), a self-regulatory organization responsible for the registration of certain market participants, recently received approval from the CFTC of its Interpretive Notice to several existing NFA compliance rules.  The new guidance will provide more specific standards for supervisory procedures and will require NFA members to adopt and enforce written policies and procedures to secure customer data and electronic systems.  “The approach of the Interpretive Notice is to tie cybersecurity best practices to a firm’s supervisory obligations,” Stephen Humenik, a Covington & Burling partner, told The Cybersecurity Law Report.  See also “Debunking Cybersecurity Myths and Setting Program Goals for the Financial Services Industry,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

  • Cyber Insurance Lawyer Joins Jones Day

    Jones Day recently welcomed Richard DeNatale as a partner in its insurance recovery practice.  He will be based in the firm’s San Francisco office.  He was previously a partner at Orrick in its insurance recovery group and headed its cyber and data breach practice.  See “Analyzing the Cyber Insurance Market, Choosing the Right Policy and Avoiding Policy Traps,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

  • OPM Director Announces Key New Cyber Advisor

    The U.S. Office of Personnel Management recently announced the appointment of Clifton Triplett as a new senior cyber and information technology advisor.  The appointment fulfills an important tenet of OPM’s 15-step Cybersecurity Action Report.
