The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

Recent Issue Headlines

Vol. 4, No. 19 (Jul. 4, 2018)

  • CSLR’s Most Popular Articles of 2018 Q1 & Q2

    In honor of the July Fourth holiday in the United States, in place of our regular issue, The Cybersecurity Law Report is featuring some of its most-read articles from the first half of 2018. This year has been an active one in the cybersecurity and data privacy fields – the GDPR came into effect, domestic and international jurisdictions continued to pass substantial legislation and cyber threats continued to increase and shift. As organizations race to keep up, our readers have been focused on regulatory actions and guidance, shaping their internal programs and structure and managing third-party relationships. It has become clearer than ever that legal and technical teams need to communicate and collaborate to be effective. CSLR’s most popular series focused on when and how legal and information security should engage on cyber strategy and closing that legal/technical gap was also highlighted in other popular articles. Our regular publication schedule will resume on Wednesday, July 11, 2018.

  • When and How Legal and Information Security Should Engage on Cyber Strategy

    Effective cybersecurity strategy requires a healthy relationship and frequent interaction between the legal and security functions. As regulators increasingly blend privacy and security subject matter, privacy officers and CISOs need to work together to stay compliant and protect data effectively. This three-part series addressed when and how legal and security professionals should communicate to build strong working relationships for robust cybersecurity and data privacy programs. Part one covered how to structure corporate governance for optimal collaboration between the legal and security groups. Part two examined how both teams can coordinate on incident response and to assess risk and privacy impact. Part three tackled coordination between legal and security on vendor assessments and in the M&A context. See also “How Cyber Stakeholders Can Speak the Same Language (Part One of Two),” (Jul. 20, 2016); Part Two (Aug. 3, 2016).

  • Lessons and Trends From FTC’s 2017 Privacy and Data Security Update

    In its Privacy & Data Security Update, released in January 2018, the FTC recapped its 2017 enforcement actions, workshops, advocacy and guidance. “FTC is establishing itself as the top dog in the cybersecurity regulatory arena and I think it is struggling to keep up with the evolving technology innovation in its enforcement actions, not only in terms of the tech innovation but also in terms of the sophistication of the malicious actors that are potentially attempting to breach systems,” Fried Frank partner Una Dean told The Cybersecurity Law Report. The first part of our article series distilled lessons from the FTC’s update, examined enforcement highlights and steps companies can take to comply with applicable laws and steer clear of the FTC’s reach. Part two explored what can be learned from the FTC’s 2017 workshops and guidance and shed light on what to expect from the agency in 2018. See also “The Devil Is in the Details: LabMD Imposes Limitations on the FTC’s Enforcement Authority” (Jun. 13, 2018).

  • What Lawyers Need to Know About Security Technologies and Techniques

    IT has an indisputably important role in implementing a defense-in-depth cybersecurity strategy, but given the regulatory implications of cybersecurity breaches and the growing possibility of ensuing litigation, lawyers also need to reserve a seat at the table. With input from technical and legal experts, this three-part series addresses what attorneys need to understand about how security technologies are used to mitigate risk. The first installment explored the knowledge base needed depending on the lawyer’s role, whether security certification is necessary, technology’s overall role in mitigating risk and surveyed certain technologies and techniques, such as pen testing. Part two examined other security techniques, including red teaming, vulnerability scanning and social engineering. Part three covered how and when common types of cloud solutions are used and the attorney’s role in mitigating risk in connection with this service, along with what to consider when “hacking back” to secure data. See also “Tech Meets Legal Spotlight: Advice on Working With Information Security” (Jan. 11, 2017).

  • A Practical Look at the GDPR’s Data Breach Notification Provision

    The E.U.’s General Data Protection Regulation introduced specific breach notification obligations for data controllers and processors. To help covered entities better understand when notification is required and what processes they should have in place, the Article 29 Working Party issued Guidelines on Personal Data Breach Notification at the end of 2017. With advice and perspective from a former Special Agent with the FBI’s Cyber Division and current head of Nardello & Co.’s digital investigations and cybersecurity practice, this article addressed key concepts of the WP29 guidance, processes organizations should have in place to comply with the GDPR’s breach notification provisions and strategies to balance global notification requirements. We also looked at the GDPR’s overall effectiveness in addressing cyber risk. See also “Countdown to GDPR Enforcement: Final Steps and Looking Ahead” (May 16, 2018).

  • Five Months Until GDPR Enforcement: Addressing Tricky Questions and Answers

    Complying with the E.U.’s General Data Protection Regulation is complex. Once a company has determined it falls within its boundaries, even more difficult questions begin to arise as it grapples with the complicated process of applying the many provisions of the GDPR to existing and past data privacy practices. In this guest article, Scott Pink, Hayley Ichilcik and Mallory Jensen, attorneys at O’Melveny & Myers, identified and responded to common key questions companies raised and worked to tackle during their GDPR preparations. See also “One Year Until GDPR Enforcement: Five Steps Companies Should Take Now” (May 31, 2017).

  • How Financial Services Firms Should Structure Their Cybersecurity Programs

    Governments and regulators – including the SEC and the U.K. Financial Conduct Authority (FCA) – are intensifying their scrutiny of financial services firms’ cybersecurity programs. At a minimum, firms must ensure that they comply with industry best practices, including adopting one or more cybersecurity frameworks and creating a culture of cybersecurity compliance. This article discussed the roles of the CISO and CCO in cybersecurity programs, regulator priorities, steps firms can take to mitigate cyber risk, and outsourcing cybersecurity functions. See also “How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part One of Two)” (Dec. 14, 2016); Part Two (Jan. 11, 2017).

  • Ten Cybersecurity Resolutions for 2018

    Even companies with mature information security practices must consistently reevaluate their needs and update their measures. The start of the year is a good time to stop and ensure that your organization is taking the right steps. The Cybersecurity Law Report spoke with several legal and technical experts for their advice on what companies should prioritize in 2018 and compiled the resulting top ten cybersecurity action items for a more secure new year. See also “Ten Cybersecurity Priorities for 2017” (Jan. 11, 2017).

  • Direct From the Irish Data Protection Commissioner

    The GDPR’s implementation has left many multinational organizations craving more guidance from regulators. Facebook may be one test case – given recent revelations about its past privacy practices, how will the GDPR affect the social media giant? Ireland’s Data Protection Commissioner Helen Dixon sat down with The Cybersecurity Law Report to provide her frank perspective on both. In part one of this article series, Dixon discussed how her office has been working with Facebook on privacy issues and GDPR preparations for quite some time and how her office coordinates with other jurisdictions. In part two, Dixon shed light on her office’s enforcement priorities and what companies should prioritize in their final preparations. See also our previous conversation with Dixon, “A Discussion With Ireland’s Data Protection Commissioner Helen Dixon About GDPR Compliance Strategies (Part One of Two)” (Mar. 22, 2017); Part Two (Apr. 5, 2017).

  • Managing Cyber Investigations: A CISO and In-House Counsel Discuss Best Practices for Real-Life Scenarios

    Lawyers are increasingly on the front lines of incident response. At the Georgetown Cybersecurity Law Institute conference, panelists from three global companies discussed best practices and practical tips for attorneys managing a cyber investigation. Moderator Kimberly Peretti, a partner at Alston & Bird, presented three real-life scenarios to Wyndham Worldwide’s chief compliance officer, chief counsel for cybersecurity and privacy at SAIC and the CISO at Cvent, a global meetings and events technology software company. Their recommendations included planning ahead, creating and practicing robust incident response plans and fostering a strong relationship between legal and information security teams. See our three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).

  • How to Maintain Effective and Secure Long-Term Vendor Relationships

    Once the critical process of vetting and selecting vendors is complete, the third-party oversight work begins. Change is inevitable – whether it be in regulations, data sets, technology, products, or circumstances – and organizations need to follow up with the vendors and ensure the relationship is maintained properly. Following a webinar we hosted on this topic, The Cybersecurity Law Report delved further into these issues with the panelists – Karen Hornbeck, senior manager at Consilio, Kristina Bergman, founder and CEO of Integris Software, and Aaron Tantleff, partner at Foley & Lardner. Our first installment of this two-part article series discussed the legal and technical third-party risks and what regulators (domestic and international) expect in terms of vendor oversight. Part two explained how to identify and address issues with third-party vendors, including when and how to revise contractual relationships and best practices for internal oversight structure. See also “Developing an Effective Third-Party Management Program” (Mar. 14, 2018); and “Checklist for an Effective Incident Response Plan” (Jul. 20, 2016).
