The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

Recent Issue Headlines

Vol. 2, No. 1 (Jan. 6, 2016)

  • Opportunities and Challenges of the Long-Awaited Cybersecurity Act of 2015

    After years of discussions, numerous draft bills and extended debates about the privacy and liability risks associated with information sharing, on December 18, 2015, President Obama signed into law the Cybersecurity Act of 2015 as part of the omnibus spending bill.  Title I of the Act, Cybersecurity Information Sharing (CISA), establishes a framework for sharing and receiving cyber threat information among the private sector and federal government entities.  It shields companies from liability for sharing cyber threat information in accordance with certain procedures, as well as for specific actions undertaken to defend or monitor corporate networks.  Saxby Chambliss, DLA Piper partner and former U.S. Senator who served on the Senate Select Committee on Intelligence and sponsored an earlier cybersecurity bill, told The Cybersecurity Law Report that this Act “is going to be beneficial to both big and small companies.  It is another tool in the toolbox that allows companies to protect their systems and the information that is on them.”  However, Shahryar Shaghaghi, BDO Consulting’s managing director and technology advisory leader, cautioned that CISA will also pose “potential challenges” to companies in terms of the resources required to share cyber threat information and perceived privacy risk.  See also “How the Legal Industry Is Sharing Information to Combat Cyber Threats” (Sep. 16, 2015).

  • Navigating FCA and SEC Cybersecurity Expectations (Part One of Two)

    Given the increased scrutiny of cybersecurity by governments around the globe, regulated entities operating in more than one jurisdiction must be aware of the relevant regulatory cybersecurity expectations.  This two-part series looks at the operations of the U.K. Financial Conduct Authority (FCA) and the SEC, both of which have increased their focus on cybersecurity, but with differing approaches.  Part One discusses the FCA and SEC as regulators of financial services in their respective jurisdictions and outlines the guidance issued, and the methods adopted, by the two regulators.  Part Two will explore how the financial sector is navigating the current regulatory environments, including existing guidance, in the U.S. and abroad and how the industry can simultaneously satisfy the requirements of each regulator.  See also “Meeting Expectations for SEC Disclosures of Cybersecurity Risks and Incidents (Part One)” (Aug. 12, 2015) and Part Two (Aug. 26, 2015).

  • FTC Director Analyzes Its Most Significant 2015 Cyber Cases and Provides a Sneak Peek Into 2016

    The FTC’s Bureau of Consumer Protection was hard at work in 2015, reaching settlements with a wide range of companies on a variety of privacy and data security issues.  During the recent IAPP Practical Privacy Series 2015, Jessica Rich, Director of the Bureau of Consumer Protection and an architect of the FTC’s privacy program, reflected on the agency’s major enforcement actions, reports and relationships in 2015 and what businesses should expect in the coming year.  See also “The FTC Asserts Its Jurisdiction and Provides Ten Steps to Enhance Cybersecurity” (Jul. 15, 2015).

  • Cybersecurity and Whistleblowing Converge in a New Wave of SEC Activity

    The SEC has long prioritized incentivizing corporate whistleblowers to report violations of the securities laws, and protecting them when they do.  Increasingly, the federal agency also has vigorously enforced certain key aspects of cybersecurity, as its importance has permeated every facet of the way registered entities operate.  In a recent webinar, Orrick attorneys Mark Mermelstein, Jill Rosenberg and Renee Phillips examined how these two formerly disassociated areas of regulatory enforcement are converging in a new wave of SEC guidance and enforcement.  This article discusses the practitioners’ insights on the SEC’s recent initiatives and enforcement actions in both the cybersecurity and whistleblowing contexts; the applicable regulations; and how companies can address and mitigate the risks of cybersecurity whistleblower actions.  See also “The SEC’s Updated Cybersecurity Guidance Urges Program Assessments” (May 6, 2015).

  • Keeping Up with Technology and Regulatory Changes in Online Advertising to Mitigate Risks

    The advertising and marketing industries are continually transforming the ways they reach and track consumers.  These changes bring with them a moving target of privacy challenges as companies try to ensure security of the data they collect as well as legal and regulatory compliance.  At a recent PLI program, Joseph J. Lewczak, a Davis & Gilbert partner, and Matthew Haies, general counsel at global digital media platform Xaxis, analyzed the current state of consumer data collection and privacy issues in a discussion of technological, regulatory and legal developments.  See also “The Tension Between Interest-Based Advertising and Data Privacy” (Sep. 16, 2015).

  • How the Financial Services Sector Can Meet the Cybersecurity Challenge: A Plan for Building a Cyber-Compliance Program (Part Two of Two)

    Despite the abundance of principles-based cybersecurity guidance provided by regulators, interpreting those principles and turning them into actionable items remains a formidable task.  Nevertheless, financial services professionals have a fiduciary duty to devote best efforts to mitigating cyber risk by building an appropriate risk management solution.  In a guest article, the second in a two-part series, Moshe Luchins, the deputy general counsel and compliance officer of Zweig-DiMenna Associates LLC, provides a practical blueprint to build a cyber-compliance program.  Many aspects of the blueprint are not only applicable to those in the financial industry but to other sectors as well.  The first article explored current regulatory expectations applicable to the financial services sector.  See also “Analyzing and Mitigating Cybersecurity Threats to Investment Managers (Part One of Two)” (May 6, 2015) and Part Two (May 20, 2015).

  • Cybercrime Prosecutor Joins Ballard Spahr

    Edward J. McAndrew recently joined Ballard Spahr as a partner in its Philadelphia, Delaware and Washington, D.C., offices.  He served for nearly a decade as a federal cybercrime prosecutor in the U.S. Attorney’s Offices for the Eastern District of Virginia and the District of Delaware.  McAndrew advises on cybersecurity, digital privacy, incident response, national security issues, digital speech and conduct, corporate governance, regulatory compliance, and enforcement. 
