The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

Articles By Topic

By Topic: Operations

  • From Vol. 3 No.8 (Apr. 19, 2017)

    Effective and Compliant Employee Monitoring (Part Two of Two)

    Experts agree that network monitoring is a critical proactive cybersecurity measure. But complexities arise that require cross-department coordination and deep understanding of numerous privacy limitations and other legal requirements. The second installment of this two-part series provides operational guidance on implementing monitoring programs and navigating contrasting rules in Europe, as well as issues surrounding individual monitoring, monitoring for non-security purposes, and data controlled by third parties. The first part tackled the role of data monitoring, effective notice, legal considerations, and specific policy considerations. See also “Do You Know Where Your Employees Are? Tackling the Privacy and Security Challenges of Remote Working Arrangements” (May 25, 2016).

    Read Full Article …
  • From Vol. 3 No.8 (Apr. 19, 2017)

    How to Ensure Cyber Risks Do Not Derail an IPO

    In preparation for a public offering, companies should expect scrutiny of their cybersecurity risks and the measures they take to address them, just as they do with other aspects of their business. Cyber risks and incidents can derail an IPO if they are not handled correctly. Gibson Dunn partners Andrew L. Fabens, Stewart L. McDowell and Peter W. Wardle spoke with The Cybersecurity Law Report about steps companies should take in preparing for an IPO, as well as the potential impact cybersecurity can have on the IPO process and stock price. See also “Tackling Cybersecurity and Data Privacy Issues in Mergers and Acquisitions (Part One of Two)” (Sep. 16, 2015); Part Two (Sep. 30, 2015).

    Read Full Article …
  • From Vol. 3 No.6 (Mar. 22, 2017)

    Forensic Firms: Effective Vetting and Collaboration (Part Three of Three)

    Because a forensic investigation by a security firm often drives the critical path of incident response, companies are best positioned to respond quickly and effectively to potential incidents by identifying and onboarding a security firm before an incident arises. With a myriad of firms from which to choose, not only must a company carefully select the right one, but both sides must communicate effectively to build a trusting relationship. With advice from in-house and outside cybersecurity counsel as well as forensic and security experts, our three-part article series on forensic firms addresses these and other considerations. This third installment provides advice on evaluating the forensic firm to determine if it has the right expertise and how to communicate and collaborate with these experts once they are brought on board. Part two examined contract considerations, key terms and what companies should expect in deliverables. Part one explained the expertise of forensic firms, why they are used, and their role before and after an incident. See also “Key Strategies to Manage the First 72 Hours Following an Incident“ (Feb. 8, 2017).

    Read Full Article …
  • From Vol. 3 No.5 (Mar. 8, 2017)

    Forensic Firms: Key Contract Considerations and Terms (Part Two of Three)

    Companies are increasingly turning to outside forensic firms for assistance with both proactive cybersecurity measures as well as incident response. To optimize the relationship, companies must carefully choose a firm, negotiate the right contract terms, and effectively collaborate with the chosen forensic service provider. With advice from in-house and outside cybersecurity counsel as well as forensic and security experts, our three-part article series on forensic firms addresses these considerations. This second part examines contract considerations, key terms and what companies should expect in deliverables. Part one explained the expertise of forensic firms, why they are used, and their role before and after an incident. Part three will provide advice on evaluating the forensic firm to determine if it has the right expertise and how to communicate and collaborate with these experts once they are brought on board. See also “Key Strategies to Manage the First 72 Hours Following an Incident” (Feb. 8, 2017).

    Read Full Article …
  • From Vol. 3 No.5 (Mar. 8, 2017)

    Preparing For Ransomware Attacks As Part of the Board’s Fiduciary Duty

    Managing enterprise cybersecurity risk is a key obligation of a company’s general counsel and board of directors. The rapidly increasing frequency and sophistication of ransomware attacks in particular have made them a pervasive and challenging part of that enterprise risk. Debevoise partner Jim Pastore spoke with The Cybersecurity Law Report about what GCs and boards need to know about ransomware and how those stakeholders can effectively fulfill the board’s cyber-related fiduciary duty to the company. Pastore will be a panelist at Skytop Strategies’ Cyber Risk Governance conference on March 16, 2017 in New York. An event discount registration link is available to CSLR subscribers inside this article. See also “How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)” (Jan. 20, 2016); Part Two (Feb. 3, 2016).

    Read Full Article …
  • From Vol. 3 No.4 (Feb. 22, 2017)

    Forensic Firms: Understanding and Leveraging Their Expertise From the Start (Part One of Three)

    After a company discovers a cybersecurity incident, it must understand exactly what happened and how it happened. That means bringing in the experts. The number of forensic firms from which companies can choose has grown along with the number and size of cyber breaches. How can companies evaluate the firms? What should be included in the contract? What should companies expect from these firms? How can they best collaborate with them for an effective and efficient investigation? With input from in-house and outside cybersecurity counsel as well as forensic and security experts, our three-part article series provides answers to these vital questions and others. This first part explains the expertise of forensic firms, why they are used, and their role before and after an incident. Part two will examine contract considerations, key terms and what companies can and should expect in deliverables. Part three will provide advice on how to evaluate the forensic firm to determine if it has the right expertise and how to communicate and work with these experts once they are brought on board. See also “Key Strategies to Manage the First 72 Hours Following an Incident” (Feb. 8, 2017).

    Read Full Article …
  • From Vol. 3 No.4 (Feb. 22, 2017)

    A CSO/GC Advises on How and When to Present Cybersecurity to the Board 

    As more boards come to understand cybersecurity as a critical issue that cannot be ignored, briefings on the topic have become more common. Those with the responsibility for presenting such briefings must understand what information is essential for the board to know and how to communicate it effectively. Dr. Chris Pierson, EVP, chief security officer and general counsel for Viewpost, a FinTech payments company, and the former CPO, SVP for the Royal Bank of Scotland’s U.S. banking operations, spoke to The Cybersecurity Law Report about his experiences briefing the board on cybersecurity and shared his insights on the most effective reporting structure, how to obtain buy-in and budget and the importance of communicating business advantage. See also “How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)” (Jan. 20, 2016); Part Two (Feb. 3, 2016).

    Read Full Article …
  • From Vol. 3 No.4 (Feb. 22, 2017)

    Strategies for In-House Counsel Responsible for Privacy and Data Security 

    Preparing for, preventing and responding to privacy and data security litigation are crucial aspects of the in-house attorney function. Key responsibilities for the role will often include developing training programs and privacy policies, working with the board, choosing the right outside counsel and effectively coordinating with them during major events. As part of a recent Practising Law Institute conference, a panel of in-house and outside attorneys from Greenberg Traurig, Glassdoor, Inc., Activision Blizzard and Pandora Media, Inc., discussed successful approaches to these tasks, as well as lessons learned from mistakes. See “Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation (Part One of Two)” (Nov. 25, 2015); Part Two (Dec. 9, 2015).

    Read Full Article …
  • From Vol. 3 No.1 (Jan. 11, 2017)

    How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part Two of Two)

    Cybersecurity risk management requires having the right leadership and governance in place, and within that structure lies the shifting role of the chief information security officer and its reporting lines. With input from CISOs, executive search experts and attorneys this article series provides insight into the most effective approaches to recruiting, compensating and structuring cybersecurity leadership roles. This second article in the series explains the problems with the current dominant CISO reporting structure and offers experts’ advice on effective governance as well as alternatives for companies that are not finding or cannot compensate a technical expert with executive-level experience. Part one covered how to find and compensate individuals for the multi-faceted cyber leadership role. “There’s a lot changing in the way people think about the CISO. There is a pretty fast-evolving set of responsibilities and reporting structure, especially given the increasing [attention to] security by the board of directors and others charged with the fiduciary responsibility of protecting a company,” Hertz CISO Peter Nicoletti told The Cybersecurity Law Report. See also our two-part series about the roles of the CISO and CPO, “Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part One of Two)” (May 6, 2015); Part Two (May 20, 2015).

    Read Full Article …
  • From Vol. 3 No.1 (Jan. 11, 2017)

    Ten Cybersecurity Priorities for 2017

    Even companies that have mature information security practices in place must exercise constant vigilance by reevaluating their needs and improving their approaches. The Cybersecurity Law Report spoke with several experts to find out what companies should be focusing on and how they should allocate time and resources when setting cybersecurity priorities for 2017. In this article, we outline the resulting top ten cybersecurity action items for companies to tackle to ensure a more secure new year. See also “Cybersecurity Preparedness Is Now a Business Requirement” (Feb. 17, 2016).

    Read Full Article …
  • From Vol. 3 No.1 (Jan. 11, 2017)

    Tech Meets Legal Spotlight: Advice on Working With Information Security

    Although most companies recognize that legal and technology teams need to collaborate closely to address cybersecurity challenges, they often fail to overcome barriers to effective coordination. In this interview, Holland & Knight partner Scott Lashway offers advice on how to bring legal and security teams together, such as by establishing a risk committee. See also “What CISOs Want Lawyers to Understand About Cybersecurity” (Jun. 8, 2016).

    Read Full Article …
  • From Vol. 2 No.25 (Dec. 14, 2016)

    How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part One of Two)

    Managing the challenge of securing a company’s digital information while collaborating with other executive leadership is something that only a select group of individuals can do well. In this article series, The Cybersecurity Law Report spoke to CISOs, executive search experts and attorneys to examine what it takes to fulfill both of these crucial roles. This first article discusses the challenges of merging technology expertise with executive function, compensation expectations for cyber leaders, what companies should be (and are) looking for in candidates and the value of certifications. The second article will discuss the changing role of the CISO, including why many current reporting structures are not working, and what companies can do if they do not have the resources for or cannot find the right CISO. “Many organizations regard CISO and technology-risk executive recruitment as an increasingly daunting and complex process, and recognize that one size does not fit all,” Tracy Lenzner, founder and CEO of The Lenzner Group, a global executive search company, said. See “Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part One of Two),” (May 6, 2015); Part Two (May 20, 2015).

    Read Full Article …
  • From Vol. 2 No.25 (Dec. 14, 2016)

    Advice From Compliance Officers on Getting the C-Suite to Show You the Money for Your Data Privacy Program

    The end of the year is often when companies evaluate their budgets, and it is a crucial time to make sure the CEO is educated about data privacy legislation and its potential repercussions. So, how can privacy officers best advocate for system-wide buy-in and budget support of their data privacy programs? At a recent panel at IAPP’s Practical Privacy Series 2016 conference, compliance leaders from Shire, CBRE and InterSystems discussed their three different operational approaches and practical tactics for making sure the compliance office has the tools and the budget it needs to comply with dynamic global data privacy regulations, including the GDPR. See also “Privacy Leaders Share Key Considerations for Incorporating a Privacy Policy in the Corporate Culture” (Oct. 19, 2016).

    Read Full Article …
  • From Vol. 2 No.24 (Nov. 30, 2016)

    Using a Risk Assessment as a Critical Component of a Robust Cybersecurity Program (Part Two of Two)

    The core value of a risk assessment as a critical component of a robust cybersecurity program is in its findings and recommendations. With perspectives and advice from various experts, including the CISO of a large global cloud services provider, attorneys and technical consultants, this second part in our two-part series on risk assessments details what the written report should include, with whom it should be shared and how companies can use it to strengthen their cybersecurity program. It also provides recommended actions for assessment follow-up, explores common challenges to the process and offers tips and solutions to overcome them. Part one covered the scope and purpose of the assessment, the roles of internal stakeholders and third parties, and examined what the risk assessment evaluation process entails. See also “How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)” (Jan. 20, 2016); Part Two (Feb. 3, 2016).

    Read Full Article …
  • From Vol. 2 No.24 (Nov. 30, 2016)

    Tech Meets Legal Spotlight: What to Do When IT and Legal Slow the Retention of a Third-Party Vendor

    When an organization hires a third-party vendor that needs access to its network systems, a failure of legal and IT to coordinate the implementation of that access can cause costly delays. The Cybersecurity Law Report discussed the problem with David Cass, the CISO of IBM’s cloud and SaaS operational services, using a fact pattern familiar to many companies: A company is seeking to hire a third-party vendor that needs access to its network systems to perform its duties, but legal and IT have different ideas about the process, and the project stalls. Cass offered advice to bridge the gap between technology and legal teams. See also our two-part series on vendor risk management: “Nine Due Diligence Questions” (May 25, 2016), and “14 Key Contract Terms” (June 8, 2016). 

    Read Full Article …
  • From Vol. 2 No.23 (Nov. 16, 2016)

    Increasing Role of Counsel Among Operational Shifts Highlighted by Cyber Risk Management Survey

    As companies become more aware of the complexities of cyber risk, they are approaching not only preventative measures more collaboratively, but also risk management and insurance selection. A recent survey conducted by Advisen and Zurich North America shows operational shifts, including the increasing cooperation between IT and risk management, a heightened role for counsel and boards, as well as more reliance on external resources for post-breach efforts. The survey also reveals that the process of determining the right insurance coverage is also becoming part of this collaborative security effort. “Insurance in the cyber realm is not merely an instrument for transferring risk. Even the process of obtaining the insurance is viewed as a catalyst for driving and elevating enterprise-wide cybersecurity risk management,” Roberta Anderson, K&L Gates partner, told The Cybersecurity Law Report. See also “Building a Strong Cyber Insurance Policy to Weather the Potential Storm” Part One (Nov. 25, 2015); Part Two (Dec. 9, 2015).

    Read Full Article …
  • From Vol. 2 No.21 (Oct. 19, 2016)

    Taking Action to Refocus on Security: Conversation With a CIO 

    Each sector faces both industry-specific as well as general data security risks. One challenge is implementing general cybersecurity best practices while also addressing the company's unique vulnerabilities. Ken Kurz, vice president of information technology and chief information officer at Corporate Office Properties Trust, a real estate investment trust focused on government and defense contractors, spoke with The Cybersecurity Law Report about evaluating current security efforts and taking substantial proactive steps involving people and technology to address the company’s priorities. See also “Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part One of Two)” (May 6, 2015); Part Two (May 20, 2015).

    Read Full Article …
  • From Vol. 2 No.21 (Oct. 19, 2016)

    Privacy Leaders Share Key Considerations for Incorporating a Privacy Policy in the Corporate Culture 

    For in-house privacy counsel, building a cohesive privacy program means leading the company, its employees and its vendors through regulatory landmines. While there is no one-size-fits-all approach, there are certain privacy program essentials applicable to most organizations, regardless of size or industry. At the recent Women, Influence and Power in Law Conference, Megan Duffy, founder of Summit Privacy and former privacy counsel at Snapchat, Inc., Tori Silas, senior counsel and privacy officer of Cox Enterprises, Inc. and Zuzana Ikels, principal at Polsinelli, shared advice on how the legal department can create and implement a strong privacy program, from initial considerations to key components. See also “Designing Privacy Policies for Products and Devices in the Internet of Things“ (Apr. 27, 2016).

    Read Full Article …
  • From Vol. 2 No.19 (Sep. 21, 2016)

    What Private Companies Can Learn From the OPM Data Breaches

    The recent breaches of the U.S. Office of Personnel Management illustrate the importance of an effective information security program for businesses in both the public and private sector. A recently released exhaustive investigative report by the House Oversight and Government Reform Committee outlines findings and recommendations to help the federal government better acquire, deploy, maintain and monitor its information technology. “The [Report] is replete with recommendations that private sector entities should be considering seriously,” DLA Piper partner Jim Halpert told The Cybersecurity Law Report. This article summarizes the committee’s findings and examines valuable lessons applicable to both the public and private sectors. See also “White House Lays Out Its Broad Cybersecurity Initiatives” (Feb. 17, 2016).

    Read Full Article …
  • From Vol. 2 No.19 (Sep. 21, 2016)

    Seven Overlooked Business Costs of a Cyber Breach and Strategies for Avoiding Them

    It is no surprise that a breach can have substantial repercussions for a company. However, Deloitte has found that the extent and the duration of those impacts are greater than even experts anticipated. Its recent study highlights both well-known and less expected breach impacts, such as an increased cost to raise debt in capital markets and devaluation of trade names. Some of these effects can linger for years. We examine seven subtle but significant breach impacts – painting a complete picture of where companies “actually feel pain,” a Deloitte principal told us – and how to lessen those impacts. See also “Picking up the Pieces After a Cyber Attack and Understanding Sources of Liability” (Apr. 13, 2016).

    Read Full Article …
  • From Vol. 2 No.18 (Sep. 7, 2016)

    Sullivan & Cromwell Hires Former Chief of the SDNY's Complex Frauds and Cybercrime Unit  

    Nicole Friedlander, former chief of the Southern District of New York’s complex frauds and cybercrime unit has joined Sullivan & Cromwell and will head its online security practice.

    Read Full Article …
  • From Vol. 2 No.17 (Aug. 24, 2016)

    How GE’s Global CPO Approaches Shifting Regulations With Dynamic Implications 

    Shifting cybersecurity and data privacy regulations across industries and regions challenge many companies to frequently update their practices to remain compliant, not only at their home base, but also in other countries where they conduct business. Renard Francois, General Electric’s global chief privacy officer, spoke with The Cybersecurity Law Report in advance of ALM’s cyberSecure conference on September 27-28, 2016, at the New York Hilton, where he will participate as a panelist. An event discount code is available to CSLR readers inside this article. In our interview, Francois discusses some of the key ways GE’s privacy team approaches modifying practices to stay up-to-date with global regulations, and ensuring all stakeholders are informed and working collaboratively across businesses and departments. See also “Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part One of Two)” (May 6, 2015); Part Two (May 20, 2015).

    Read Full Article …
  • From Vol. 2 No.16 (Aug. 3, 2016)

    How Cyber Stakeholders Can Speak the Same Language (Part Two of Two)

    The way cybersecurity terminology is used can significantly affect how a cyber event is handled. Differences in the training and background of certain cybersecurity stakeholders, particularly technical and legal teams, however, may lead to inconsistent use of important terms in the context of security breaches and protocols. This second article of a two-part series highlights ten of the most frequently misunderstood cybersecurity terms, and provides insight on their meanings and implications from both legal and security experts. Part one of the series examined how to overcome cybersecurity stakeholder communication challenges and detailed six strategies for better interaction. See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)” (Jul. 1, 2015); Part Two (Jul. 15, 2015).

    Read Full Article …
  • From Vol. 2 No.15 (Jul. 20, 2016)

    How Cyber Stakeholders Can Speak the Same Language (Part One of Two)

    In the areas of cybersecurity and data privacy, a company’s attorneys and technical teams must work together closely. The two groups often have different approaches, however, and may not speak the same language when it comes to handling security breaches and protocols. Commonly used terms can be used inconsistently, and their implications misunderstood. In this first article of a two-part series, attorneys and consultants with different perspectives share advice with The Cybersecurity Law Report on the importance of clear communication between key stakeholders. They also examine the different approaches to cybersecurity and detail six strategies for overcoming communication challenges. Part two of the series will explore frequently misunderstood cybersecurity terms and their meanings. See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)” (Jul. 1, 2015); Part Two (Jul. 15, 2015).

    Read Full Article …
  • From Vol. 2 No.15 (Jul. 20, 2016)

    Challenges Facing Chief Privacy Officers

    Constantly evolving data privacy laws and heightened cyber threats place a large burden on the shoulders of chief privacy officers (CPOs). At a recent PLI panel, Keith Enright, the legal director of privacy at Google; Lauren Shy, the CPO of Pepsico; and Zoe Strickland, the global CPO at JP Morgan Chase, shared their thoughts on some of the recent challenges facing CPOs, including how to work with different departments, the CPO’s role in incident prevention and response, and the pros and cons of different cross-border data transfer mechanisms. The panel was moderated by Lisa J. Sotto, a partner at Hunton & Williams. See also “Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer” Part One (May 6, 2015); Part Two (May 20, 2015).

    Read Full Article …
  • From Vol. 2 No.12 (Jun. 8, 2016)

    Eight Attributes In-House Counsel Look For in Outside Cybersecurity Counsel

    When it comes to handling cybersecurity issues, in-house counsel can help minimize the company’s legal risks – but they cannot do it alone. By partnering with an outside firm, in-house counsel can boast security expertise and navigate through unfamiliar territory such as compliance with local, state and national privacy and security requirements, data breach litigation and corporate governance. The Cybersecurity Law Report spoke to a number of in-house counsel who advise on cybersecurity issues at major companies such as ExxonMobil and IBM. They discussed eight attributes they look for in outside cybersecurity counsel, when they find outside counsel most valuable and the importance of vetting the firm’s own cybersecurity practices. See also “The Multifaceted Role of In-House Counsel in Cybersecurity” (Dec. 9, 2015).

    Read Full Article …
  • From Vol. 2 No.11 (May 25, 2016)

    A Guide to Developing and Implementing a Successful Cyber Incident Response Plan: Does Your Plan Work? (Part Three of Three)

    Many companies recognize that an effective incident response plan can go a long way towards mitigating the consequences of cybersecurity incidents. However, they often make simple mistakes in implementing these plans, largely because they lack a comprehensive strategy to combat persistent cyber threats. In this final segment of our three-part series on the topic, we explore common deficiencies in response plans, challenges companies face when implementing a plan, how to use metrics to troubleshoot and advocate for plan resources, and estimated costs associated with investigating and remediating the inevitable breach. The article features exclusive and in-depth advice from a range of top experts, including consultants, in-house and outside counsel. Part two set forth seven key components of a robust incident response plan. Part one covered the types of incidents the plan should address, who should be involved and critical first steps to take in developing the plan, including references to sample plans and practical resources. See also “Minimizing Breach Damage When the Rubber Hits the Road” (Feb. 3, 2016).

    Read Full Article …
  • From Vol. 2 No.11 (May 25, 2016)

    Do You Know Where Your Employees Are? Tackling the Privacy and Security Challenges of Remote Working Arrangements

    The growing number of individuals working remotely, telecommuting or traveling with increasing frequency has challenged the traditional business cybersecurity model. With the advent of new technologies that support remote working arrangements, the secure, clearly defined perimeter many organizations once enjoyed has become a bit less distinct. The Cybersecurity Law Report spoke to Heather Egan Sussman, a privacy and data security partner at Ropes & Gray, about the privacy and security implications for employees working remotely, both in the U.S. and abroad, and proactive measures companies can take to ensure proper protections are in place and that they are compliant with the relevant laws. See also “How to Reduce the Cybersecurity Risks of Bring Your Own Device Policies”: Part One (Oct. 14, 2015); Part Two (Nov. 11, 2015).

    Read Full Article …
  • From Vol. 2 No.10 (May 11, 2016)

    A Guide to Developing and Implementing a Successful Cyber Incident Response Plan: Seven Key Components (Part Two of Three)

    Organizations today face an overwhelming volume, variety and complexity of cyber attacks. Regardless of the size of an enterprise or its industry, organizations must create and implement an incident response plan to effectively and confidently respond to the current and emerging cyber threats. In this second part of our three-part series on the topic, we examine the seven key components of a robust incident response plan, with exclusive and in-depth advice from a range of top experts, including consultants, in-house and outside counsel. Part one covered the types of incidents the plan should address, who should be involved and critical first steps to take in developing the plan, including references to sample plans and practical resources. Part three will explore implementation of the plan, evaluating its efficacy, pitfalls, challenges and costs. See also “Minimizing Breach Damage When the Rubber Hits the Road” (Feb. 3, 2016).

    Read Full Article …
  • From Vol. 2 No.9 (Apr. 27, 2016)

    A Guide to Developing and Implementing a Successful Cyber Incident Response Plan: From Data Mapping to Evaluation (Part One of Three)

    Many organizations are coming to terms with the troubling fact that they will fall victim to a cyber attack at some point, if they have not already. An effective incident response plan can be one of the best tools to mitigate the impact of an attack – it can limit damage, increase the confidence of external stakeholders and reduce recovery time and costs. The Cybersecurity Law Report spoke with a range of top experts, including consultants, in-house and outside counsel, who answered some of the tougher practical questions that are typically left unanswered in this area. They shared in-depth advice on the subject based on their own challenges and successes. In the first article of this three-part series, we cover what type of incident the plan should address, who should be involved and critical first steps to take in developing the plan, including references to sample plans and practical resources. Parts two and three will examine key components of the plan, implementation, evaluating its efficacy, pitfalls, challenges and costs. See also “Minimizing Breach Damage When the Rubber Hits the Road” (Feb. 3, 2016).

    Read Full Article …
  • From Vol. 2 No.8 (Apr. 13, 2016)

    A Look Inside the Cybersecurity and Privacy Law Department of a Top Defense Company

    The “bad guys” seeking to hack into systems of defense companies want sensitive information not for commercial success, but to do our nation and our allies harm, and that changes the cybersecurity equation, Raytheon’s John Smith told The Cybersecurity Law Report. In a Q &A, Smith, the vice president, cybersecurity and privacy, and general counsel of the global business services group at Raytheon, discusses how the Raytheon cybersecurity and privacy department is structured, when outside counsel is called in, how Raytheon approaches information sharing, why the new Department of Defense cybersecurity guidance is flawed, and more. See also “How the American Energy Industry Approaches Security and Emphasizes Information Sharing” (Mar. 2, 2016).

    Read Full Article …
  • From Vol. 2 No.8 (Apr. 13, 2016)

    Study Analyzes How Companies Can Overcome Cybersecurity Challenges and Create Business Value

    Many executives tasked with combatting cybersecurity threats lack necessary awareness and readiness, according to a survey commissioned by security firm Tanium and the NASDAQ. The Accountability Gap: Cybersecurity & Building a Culture of Responsibility (the Survey Report) includes findings of an extensive study involving 1,530 non-executive directors, CEOs, CISOs and CIOs of major corporations around the globe. Using information from a combination of one-on-one interviews and a quantitative survey, the Survey Report highlighted seven key cybersecurity challenges facing boards and executives and provided actionable advice in these areas. We examine these findings, with input from Lance Hayden, managing director of Berkley Research Group, and author of People-Centric Security. See also “Protecting the Crown Jewels Using People, Processes and Technology” (Sep. 30, 2015).

    Read Full Article …
  • From Vol. 2 No.7 (Mar. 30, 2016)

    Twenty Ways a Company Can Use Behavioral Psychology to Improve Compliance

    Limited compliance resources can be a challenge, but there are ways to get the compliance message across without breaking the bank. Whether it is a cybersecurity or an anti-corruption compliance message, behavioral psychology can be used to encourage people to do the right thing in their jobs, Virginia MacSuibhne, vice president and general counsel of Ventana Medical Systems, explained during a recent Clear Law Institute program. MacSuibhne presented 20 inexpensive, but effective, communication tools that can be used to assure that a compliance message hits home. See “Defining, Documenting and Measuring Compliance Program Effectiveness” (Jan. 20, 2016).
    Read Full Article …
  • From Vol. 2 No.5 (Mar. 2, 2016)

    Implementing a Privacy by Design Program to Protect Corporate and Consumer Information

    One way for companies to integrate their internal and external commitment to data protection and privacy is by implementing a “privacy by design” mechanism, Sachin Kothari, director of online privacy and compliance at AT&T, Inc., explained during a recent ALM cyberSecure Conference. Kothari highlighted specific steps companies can take to effectively integrate such a program into their corporate governance structures. He was joined by Andrea Arias, an attorney in the Division of Privacy and Identity Protection at the FTC and Chaim Levin, chief U.S. legal officer at Tradition Group. This article examines Levin and Kothari’s insights on data security and privacy governance and best practices to meet the potentially competing demands of in-house, consumer and regulatory cybersecurity expectations. A future article will address Arias’ perspective on recent FTC guidance and cyber enforcement actions. See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)” (Jul. 1, 2015); Part Two (Jul. 15, 2015).

    Read Full Article …
  • From Vol. 2 No.4 (Feb. 17, 2016)

    Cybersecurity Preparedness Is Now a Business Requirement

    How can companies make cybersecurity preparedness an integral part of their business practices? During a recent panel at ALM’s cyberSecure event, JoAnn Carlton, general counsel and corporate secretary at Bank of America Merchant Services, Edward J. McAndrew, Assistant U.S. Attorney and Cybercrime Coordinator at the U.S. Attorney’s Office, and Mercedes Tunstall, a partner at Pillsbury, gave their perspectives on steps companies can take to enhance cybersecurity. They discussed how the evolving nature of cyber attacks requires evolving business models. Simply establishing an incident response plan is not enough: companies must build privacy preparedness across the organization and engage in a continuous cycle of planning and response to stay ahead of cyber threats. See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)” (Jul. 1, 2015); “The Challenge of Coordinating the Legal and Security Teams in the Current Cyber Landscape (Part Two)” (Jul. 15, 2015).

    Read Full Article …
  • From Vol. 2 No.2 (Jan. 20, 2016)

    How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)

    “Cybersecurity is an enterprise risk issue that should ultimately rise to the level of the board of directors,” Ivan Fong, senior vice president, legal affairs and general counsel of 3M Company, advised. Understanding the role of the board, and counsel’s role working with the board, is integral for managing cybersecurity risk effectively. Part one of this two-part article series examines the increased role of directors in ensuring companies are appropriately protected against cyber threats and how management, including in-house counsel, should communicate with the board and keep it updated and informed. Part two will address the litigation risks faced by the board and individual directors and how to limit that liability, including details about the role directors should play to satisfy their fiduciary duties. See also “Protecting the Crown Jewels Using People, Processes and Technology” (Sep. 30, 2015).

    Read Full Article …
  • From Vol. 2 No.2 (Jan. 20, 2016)

    Defining, Documenting and Measuring Compliance Program Effectiveness

    The risks of having a cybersecurity compliance program that exists only on paper are well-known, but measuring whether the program is actually working, how it is working and documenting those findings for internal and external stakeholders present challenges. A recent program at the SCCE Annual Compliance & Ethics Institute considered how compliance professionals can measure and document steps taken to demonstrate the effectiveness of their compliance programs for cybersecurity and other areas of law. The program featured Scott Hilsen, a managing director at KPMG’s forensic unit and Jean-Paul Durand, a vice president and chief ethics and compliance officer at Tech Data Corporation. See also “Eight Ways Compliance Officers Can Build Relationships With the ‘Middle’” (Oct. 14, 2015).

    Read Full Article …
  • From Vol. 2 No.1 (Jan. 6, 2016)

    How the Financial Services Sector Can Meet the Cybersecurity Challenge: A Plan for Building a Cyber-Compliance Program (Part Two of Two)

    Despite the abundance of principles-based cybersecurity guidance provided by regulators, interpreting those principles and turning them into actionable items remains a formidable task.  Nevertheless, financial services professionals have a fiduciary duty to devote best efforts to mitigating cyber risk by building an appropriate risk management solution.  In a guest article, the second in a two-part series, Moshe Luchins, the deputy general counsel and compliance officer of Zweig-DiMenna Associates LLC, provides a practical blueprint to build a cyber-compliance program.  Many aspects of the blueprint are not only applicable to those in the financial industry but to other sectors as well.  The first article explored current regulatory expectations applicable to the financial services sector.  See also “Analyzing and Mitigating Cybersecurity Threats to Investment Managers (Part One of Two)” (May 6, 2015) and Part Two (May 20, 2015).

    Read Full Article …
  • From Vol. 1 No.18 (Dec. 9, 2015)

    Building a Strong Cyber Insurance Policy to Weather the Potential Storm (Part Two of Two)

    The enormous liability and costs that cyber incidents generate make cyber insurance a new reality in corporate risk management plans across industries.  This article, the second article in the series, explores policy exclusions and pitfalls to watch out for, including lessons from recent cyber insurance coverage litigation and steps companies can take to increase the likelihood of insurance coverage under their cyber policy.  Part one in the series covered navigating the placement proces –  having the proper individuals involved, finding the right insurer and securing the best policy for your company.  See also “Analyzing the Cyber Insurance Market, Choosing the Right Policy and Avoiding Policy Traps,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

    Read Full Article …
  • From Vol. 1 No.18 (Dec. 9, 2015)

    The Multifaceted Role of In-House Counsel in Cybersecurity 

    To effectively advise corporations on cybersecurity issues, in-house counsel must navigate myriad issues that can vary across industries, state and international jurisdictions as well as privacy and information security contexts.  A recent PLI program brought together privacy and information security counsel from various industries to share insights on the role of in-house counsel charged with securing business-critical and confidential data and technology.  They discussed the different responsibilities for data privacy and cybersecurity professionals, international data privacy and protection laws, and offered strategies for in-house counsel to prevent internal cybersecurity threats, develop breach prevention and response policies and handle vendors.  The panel was moderated by Lori E. Lesser, a partner at Simpson Thacher, and included top practitioners Rick Borden, chief privacy officer at the Depository Trust & Clearing Corporation; Nur-ul-Haq, U.S. privacy counsel at NBCUniversal Media; Michelle Ifill, senior vice president at Verizon and general counsel of Verizon Corporate Services; and Michelle Perez, assistant general counsel of privacy for Interpublic Group.  See “Analyzing and Complying with Cyber Law from Different Vantage Points (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 8 (Jul. 15, 2015); and Part Two, Vol. 1, No. 9 (Jul. 29, 2015).

    Read Full Article …
  • From Vol. 1 No.18 (Dec. 9, 2015)

    Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation (Part Two of Two)

    There are several steps companies can take before and after a data breach to best position themselves for the litigation likely to follow.  In this second installment of our coverage of a recent Mintz Levin webinar, partners Kevin McGinty and Mark Robinson explore best practices for internal investigations and common defenses in data breach class actions.  The first article featured insight from partner Meredith Leary on how companies can put themselves in the best position now to defend their actions post-breach and Robinson’s list of threshold questions that companies can ask themselves at the outset of a data breach internal investigation.

    Read Full Article …
  • From Vol. 1 No.17 (Nov. 25, 2015)

    Building a Strong Cyber Insurance Policy to Weather the Potential Storm (Part One of Two)

    With cyber attacks continuing to strike companies of all sizes, cyber insurance has become an important component of corporate risk management strategies.  While cyber risk insurance can provide coverage for the litany of potential damages that a company may suffer in the wake of a data breach, it is wildly different from the usual insurance marketplace – it is nascent, changing and varied.  This, the first article in our two-part series on getting the right cyber coverage in place, provides guidance on navigating the insurance placement process, selecting the individuals who should be involved, finding the right insurer and securing the best policy for your company.  Part two will explore lessons from recent cyber insurance coverage litigation, including steps companies can take to increase the likelihood of insurance coverage under their cyber policy and what policy exclusions and pitfalls to watch out for.  See also “Transferring Risk Through the Right Cyber Insurance Policy,” The Cybersecurity Law Report, Vol. 1, No. 15 (Oct. 28, 2015).

    Read Full Article …
  • From Vol. 1 No.17 (Nov. 25, 2015)

    Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation (Part One of Two)

    In addition to the direct consequences of a data security incident, many companies that suffer data breaches must face lawsuits.  In a recent webinar, Mintz Levin members Meredith Leary, Kevin McGinty and Mark Robinson discussed the various types of data security litigation and gave advice on how companies can best prepare for the likelihood of a lawsuit after a data breach.  This article, the first in a two-part series, features their insight on how companies can put themselves in the best position now to defend their actions later.  The panelists also identified threshold questions that companies can ask themselves during an internal investigation following a data breach.  In the second article, they further explore best practices for internal investigations and common defenses in data breach class actions.  See also “Liability Lessons from Data Breach Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 16 (Nov. 11, 2015).

    Read Full Article …
  • From Vol. 1 No.4 (May 20, 2015)

    Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part Two of Two)

    With the dynamic nature of privacy concerns – caused by changing legal requirements, growing data collections and evolving technology – top privacy officers must manage a shifting realm with proactive communication, effective reporting lines and operational structures to ensure accurate implementation of privacy policies and protocols.  Experts agree that it is optimal to have both a Chief Cybersecurity Officer or Chief Information Security Officer (CISO) and a separate Chief Privacy Officer (CPO).  Some confuse these positions, thinking “that the security person should know all things privacy and the privacy person should know all things security and that is clearly not the case,” Michael Overly, a partner at Foley & Lardner told The Cybersecurity Law Report.  In this two-part article series, we define and distinguish the roles of CPO and CISO.  This article, the second of the series, focuses on the CPO, including core responsibilities, considerations for structuring reporting lines and hiring for the position.  The first article focused on the CISO.

    Read Full Article …
  • From Vol. 1 No.3 (May 6, 2015)

    Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part One of Two)

    Growing cybersecurity demands on companies require effective reporting lines and operational structures to manage cybersecurity-related job functions.  Experts agree that it is optimal to have both a Chief Cybersecurity Officer or Chief Information Security Officer (CISO) and a separate Chief Privacy Officer (CPO).  Some companies confuse these positions, thinking “that the security person should know all things privacy and the privacy person should know all things security, and that is clearly not the case,” Michael Overly, a partner at Foley & Lardner told The Cybersecurity Law Report.  In this two-part article series, we define and distinguish the roles of the CPO and CISO.  Part One focuses on the CISO – including core responsibilities, best practices for structuring reporting lines, and considerations when hiring for the position – and Part Two will focus on the CPO. 

    Read Full Article …
  • From Vol. 1 No.2 (Apr. 22, 2015)

    Shifting to Holistic Information Governance and Managing Information as an Asset

    As companies store more and more data and increasingly rely on that data for a variety of purposes, they are starting to integrate data management into all aspects of the business.  In this interview with The Cybersecurity Law Report, Donna L. Wilson, a partner at Manatt, Phelps & Phillips and co-chair of the firm’s Privacy and Data Security practice, discussed how companies should be implementing holistic information governance as part of enterprise risk management by stressing the importance to the board of directors, designating a corporate “conductor” to bring various stakeholders within the organization together, and conducting an internal inventory to understand what information assets the company has and needs to protect.  Wilson also commented on the efforts to share threat information between and among financial firms and law firms.

    Read Full Article …
  • From Vol. 1 No.1 (Apr. 8, 2015)

    How Can a Company Mitigate Cyber Risk with Cross-Departmental Decisionmaking?

    A lack of coordination among company units can be detrimental in many business areas, but when it comes to cybersecurity, isolated actions and decisions can pave a clear path to a data breach, and exacerbate the legal ramifications of that breach.  In a guest article, Jennifer Topper of Topper Consulting explains: why cross-functional decisionmaking is so important in cybersecurity; how to make the business case for investing in proactive cyber planning; how to integrate the cybersecurity program; how to create a multidisciplinary group of stakeholders; and the role of the general counsel in information governance.

    Read Full Article …