The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

Recent Issue Headlines

Vol. 1, No. 7 (Jul. 1, 2015)

  • Preserving Privilege Before and After a Cybersecurity Incident (Part Two of Two)

    With the looming threats of post-breach litigation and regulatory enforcement actions, preserving privilege in connection with a company’s cybersecurity efforts – both before and after an incident – is critical to encouraging openness in assessing and addressing a company’s vulnerabilities.  Unless companies take the proper steps, however, communications and other documentation that could have been protected by the attorney-client and work product privileges will be open to discovery.  The first part of The Cybersecurity Law Report’s series on preserving privilege addressed pre-incident response planning and testing activities.  This article, the second part of the series, addresses how to retain privilege during post-incident response efforts. 

  • What Companies Need to Know About the FCC’s Actions Against Unwanted Calls and Texts

    The FCC has sent a strong message to companies that it will proactively monitor and regulate consumer consent related to phone calls and texts.  The agency claims this is the largest source of consumer complaints it receives.  “It is clear that the FCC will be more active in this area of enforcement,” Jen Deitch Lavie, a partner at Manatt, Phelps & Phillips, told The Cybersecurity Law Report.  The FCC recently has taken actions in two different forms to enforce and clarify the Telephone Consumer Protection Act (TCPA).  During the month of June, the FCC sent a public warning to PayPal regarding planned amendments to its User Agreement.  PayPal subsequently announced it would modify that agreement to address the FCC’s concerns.  The FCC also adopted a package of declaratory rulings regarding robocalls and spam texts that clarifies and modifies the TCPA in significant ways.  See also “FCC Makes Its Mark on Cybersecurity Enforcement with Record Data Breach Settlement,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

  • Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)

    As cybersecurity concerns permeate every industry, it becomes increasingly urgent for lawyers across disciplines to understand the most pressing threats and shifting regulatory landscape; help shape and direct the responses; and be able to effectively communicate and collaborate with technical security efforts.  In this first article in our two-part coverage of a recent panel at PLI’s Sixteenth Annual Institute on Privacy and Data Security Law, Lisa J. Sotto, managing partner of Hunton & Williams’ New York office and chair of the firm’s global privacy and cybersecurity practice, discusses the current cyber threat landscape and the relevant laws and rules.  See “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).  The second part will detail her advice on preparing for and responding to a cyber incident and will include insight from her co-panelist Vincent Liu, a partner at security consulting firm Bishop Fox, on how security and legal teams can effectively work together throughout the process. 

  • Cybersecurity and Information Governance Considerations in Mergers and Acquisitions

    The growing impact of cyber incidents has led to a heightened need to conduct thorough cyber due diligence both before and after an M&A deal.  In a recent webinar, Reed Smith partners Anthony J. Diana, Courtney C.T. Horrigan, Mark S. Melodia and Richard D. Smith shared insight on how cybersecurity affects the valuation of certain assets and offered advice on how to focus due diligence to detect and assess cyber risks pre-transaction, including litigation risks that can arise from data breaches.  They also recommended specific steps for planning post-closing data integration and evaluating the adequacy of insurance coverage.  See also “Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015); Part Two of Two, Vol. 1, No. 2 (Apr. 22, 2015).  There has been a flurry of data breach activity over the past 10 years, and “it is only increasing in pace,” Melodia noted.  A company’s cyber risk can directly affect its value in an M&A context.  This is where “cyber risk meets the deal,” he said.

  • Regulatory Compliance and Practical Elements of Cybersecurity Testing for Fund Managers (Part Two of Two)

    Cybersecurity is one important element of an investment manager’s overall regulatory compliance responsibilities.  Although not explicitly required by SEC regulations, it is clear that the SEC and other regulators expect fund managers to test for cybersecurity vulnerabilities and preparedness.  A recent program sponsored by K&L Gates and the Investment Advisors’ Association featuring experts from those entities as well as BNY Mellon and Nth Generation explored the most effective and efficient testing methods.  This article, the second in a two-part series, discusses testing approaches; vulnerability assessments; penetration testing; and recent SEC and private litigation on cybersecurity matters.  The first article summarized the panelists’ discussion of the legal and compliance framework for cybersecurity testing; testing considerations; and how to leverage OCIE’s recent cybersecurity examination initiative to improve cybersecurity compliance and testing.  See also “The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

  • SEC Commissioner Says Public-Private Partnership Is Key to Effective Cybersecurity

    In a speech at this year’s SINET Innovation Summit, SEC Commissioner Luis Aguilar emphasized the “scope and urgency” of cybersecurity threats and the ineffectiveness of many network security programs, citing a multitude of studies.  He also called for more formalized information-sharing between private sector companies and the government.  See also “In a Candid Conversation, FBI Director James Comey Talks About the ‘Evil Layer Cake’ of Cybersecurity Threats,” The Cybersecurity Law Report, Vol. 1, No. 5 (Jun. 3, 2015).

  • Odia Kagan Joins Ballard Spahr in Philadelphia

    Ballard Spahr recently announced that Odia Kagan, an attorney who focuses on technology transactions, privacy and data security, has joined the firm as of counsel in Philadelphia.  She will be a member of the firm’s privacy and data security and mergers and acquisitions groups.
