The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

Recent Issue Headlines

Vol. 1, No. 2 (Apr. 22, 2015)

  • Steps to Take Following a Healthcare Data Breach

    The prevalence, size and cost of healthcare breaches are skyrocketing, with hackers gaining sophistication and regulators becoming more active.  It is a rare covered entity that has not had to report a data breach to patients/members and the U.S. Department of Health & Human Services Office for Civil Rights since the Health Information Technology and Economic Clinical Health Act became effective in 2009.  To assist healthcare companies in understanding and responding to data breaches in this regulatory environment, in a guest article, BakerHostetler partner Lynn Sessions discusses: the enforcement climate; the legal definition of a healthcare breach; strategies for handling unsecured personal health information; notification requirements and best notification procedures; activating a breach response team; mitigating the impact of a breach; and what’s next in cybersecurity for the healthcare industry.

  • Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part Two of Two)

    Vendors and other third parties – necessary for most businesses – present significant cybersecurity risks and are frequently the source of breaches, from large-scale incidents to smaller data leaks.  Properly vetting these third parties is a challenging, but critical, aspect of cybersecurity programs.  This article series provides a three-step framework to appropriately allocate resources to due diligence and mitigate the risks third parties pose.  Part One provided a framework for companies to (1) categorize potential vendors based on risk levels, including specific questions to ask; and (2) conduct initial due diligence on vendors that present a medium or high level of risk.  Part Two addresses when the categorization of medium-risk vendors should move to high-risk based on red flags discovered during the initial due diligence and details step three of the framework: deeper due diligence for high-risk vendors, including follow-up questioning, documentation of audits or certifications and in-person diligence. 

  • Shifting to Holistic Information Governance and Managing Information as an Asset

    As companies store more and more data and increasingly rely on that data for a variety of purposes, they are starting to integrate data management into all aspects of the business.  In this interview with The Cybersecurity Law Report, Donna L. Wilson, a partner at Manatt, Phelps & Phillips and co-chair of the firm’s Privacy and Data Security practice, discussed how companies should be implementing holistic information governance as part of enterprise risk management by stressing the importance to the board of directors, designating a corporate “conductor” to bring various stakeholders within the organization together, and conducting an internal inventory to understand what information assets the company has and needs to protect.  Wilson also commented on the efforts to share threat information between and among financial firms and law firms.

  • Analyzing the Cyber Insurance Market, Choosing the Right Policy and Avoiding Policy Traps

    The demand for cyber insurance has dramatically increased as cybersecurity incidents, large and small, proliferate and companies scramble for protection.  The market for cyber insurance has been changing in response to this demand, evolving technology and new cyber regulations that are adding to the cost of breaches.  Roberta Anderson and Sarah Turpin, partners at K&L Gates in Pittsburgh and London, respectively, and Peter Foster, Executive Vice President, Privacy, Network Security, Media, Errors & Omissions and Intellectual Property Risk at Willis Group, shared their insights in a recent webinar about the evolution of the cyber insurance market, policy options available, traps to look out for and how to implement an incident response plan to properly trigger most policies.

  • Debunking Cybersecurity Myths and Setting Program Goals for the Financial Services Industry

    The financial sector has been an obvious target of hackers for a long time.  Increased scrutiny of firms’ security from regulators, including the SEC, and customers has raised the stakes even further as firms try to stay ahead of risks.  ACA Compliance Group recently presented a program to help those regulated industries navigate the current cybersecurity landscape.  The panelists, Raj Bakhru and Marc Lotti, both partners at ACA Aponix (the cybersecurity and risk arm of ACA Compliance Group), offered insights into what advisers and fund managers may expect from regulators going forward; discussed common misperceptions about cybersecurity; and explored goals of cybersecurity and technology risk programs. 

  • FCC Makes Its Mark on Cybersecurity Enforcement with Record Data Breach Settlement

    With its $25 million settlement with AT&T, the “FCC has now planted its flag, and sent the message that it will use its powers to protect consumers,” Jenny Durkan, a partner at Quinn Emanuel Urquhart & Sullivan, told The Cybersecurity Law Report.  The FCC’s decision earlier this year to classify Internet providers as public utilities under the FCC’s jurisdiction has caused a broad range of companies to follow the agency’s actions closely.  The record AT&T settlement resolves an investigation into the theft of information by employees of a vendor call center in Mexico and requires AT&T to, among other things, overhaul its compliance program, provide free credit-monitoring services for affected customers and meet certain compliance benchmarks at intervals for the next seven years. 

  • William J. Cook Joins Reed Smith in Chicago

    Reed Smith recently welcomed William J. Cook as a partner in its Information Technology, Privacy & Data Security practice in Chicago.  Cook focuses his practice on IP litigation, internal investigations, data security and privacy counseling.  Cook joins from McGuireWoods where he served as deputy chair of the data privacy and security team.
