The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Third Parties

  • From Vol. 3, No. 8 (Apr. 19, 2017)

    What In-House and Outside Counsel Need to Know About ACC’s First Model Cybersecurity Practices for Law Firms

    The publicized breaches of major law firms last year served as a wake-up call for the legal industry, signaling the importance of having effective cybersecurity measures in place. On the heels of these breaches, the Association of Corporate Counsel released a set of model cybersecurity practices to help in-house counsel set expectations with respect to the data-security practices of their outside counsel and serve as a benchmark for best practices. But how realistic are those guidelines? Justin Hectus, the CIO and CISO of Keesal, Young and Logan, told The Cybersecurity Law Report that “the reality is that it’s a buyer's market right now in legal. If a law firm is not willing to do these kinds of things in order to keep the clients’ data safe, then another firm will be willing to do it, as there are plenty of firms that take these steps even absent client pressure.” We analyze the guidelines’ recommendations with input from Hectus on the practicality of their implementation. See also “Eight Attributes In-House Counsel Look For in Outside Cybersecurity Counsel” (Jun. 8, 2016); and “How Law Firms Should Strengthen Cybersecurity to Protect Themselves and Their Clients” (Mar. 30, 2016).

  • From Vol. 3, No. 6 (Mar. 22, 2017)

    Forensic Firms: Effective Vetting and Collaboration (Part Three of Three)

    Because a forensic investigation by a security firm often drives the critical path of incident response, companies are best positioned to respond quickly and effectively to potential incidents by identifying and onboarding a security firm before an incident arises. With a myriad of firms from which to choose, not only must a company carefully select the right one, but both sides must communicate effectively to build a trusting relationship. With advice from in-house and outside cybersecurity counsel as well as forensic and security experts, our three-part article series on forensic firms addresses these and other considerations. This third installment provides advice on evaluating the forensic firm to determine if it has the right expertise and how to communicate and collaborate with these experts once they are brought on board. Part two examined contract considerations, key terms and what companies should expect in deliverables. Part one explained the expertise of forensic firms, why they are used, and their role before and after an incident. See also “Key Strategies to Manage the First 72 Hours Following an Incident” (Feb. 8, 2017).

  • From Vol. 3, No. 5 (Mar. 8, 2017)

    Forensic Firms: Key Contract Considerations and Terms (Part Two of Three)

    Companies are increasingly turning to outside forensic firms for assistance with both proactive cybersecurity measures as well as incident response. To optimize the relationship, companies must carefully choose a firm, negotiate the right contract terms, and effectively collaborate with the chosen forensic service provider. With advice from in-house and outside cybersecurity counsel as well as forensic and security experts, our three-part article series on forensic firms addresses these considerations. This second part examines contract considerations, key terms and what companies should expect in deliverables. Part one explained the expertise of forensic firms, why they are used, and their role before and after an incident. Part three will provide advice on evaluating the forensic firm to determine if it has the right expertise and how to communicate and collaborate with these experts once they are brought on board. See also “Key Strategies to Manage the First 72 Hours Following an Incident” (Feb. 8, 2017).

  • From Vol. 3, No. 3 (Feb. 8, 2017)

    How Fund Managers Can Prepare for Investor Cybersecurity Due Diligence

    Cybersecurity remains a top-of-mind issue for regulators, investors and investment advisers. As part of operational due diligence, investors often evaluate whether an adviser has robust cybersecurity defenses. Similarly, advisers must ensure that their administrators, brokers and other third parties have appropriate defenses. A recent program hosted by the Investment Management Due Diligence Association gave specifics on what investors may be looking for, including due diligence questions they may ask and how they may evaluate a firm’s cybersecurity program, including its cyber insurance. See also our two-part series on vendor risk management “Nine Due Diligence Questions” (May 25, 2016), and “14 Key Contract Terms” (June 8, 2016). 

  • From Vol. 2, No. 25 (Dec. 14, 2016)

    Considerations for Managing Cybersecurity and Privacy Risk in Outsourcing Contracts

    Companies must ensure cybersecurity and privacy issues are addressed when establishing new outsourcing arrangements and should continue to monitor those issues as the outsourcing relationship continues. At a recent PLI program, Mayer Brown partner Rebecca Eisner discussed how attorneys and boards of directors can mitigate cyber risk prior to entering such arrangements (including specific contractual terms to consider) and how they can best monitor outsourcing providers during the relationship. See also our two-part series on vendor risk management “Nine Due Diligence Questions” (May 25, 2016), and “14 Key Contract Terms” (June 8, 2016). 

  • From Vol. 2, No. 24 (Nov. 30, 2016)

    Attorney-Consultant Privilege? Structuring and Implementing the Kovel Arrangement (Part Two of Two)

    So-called “Kovel arrangements” provide unique opportunities for companies and their legal counsel to extend the attorney-client privilege to consultants. After deciding to use the arrangement, the next (and most important) step is ensuring that the entire Kovel engagement is performed correctly so that the privilege will be recognized by regulators and courts, and documents detailing the company’s operational deficiencies are not unnecessarily made available. This article, the second in a two-part series, provides practical guidance regarding the provisions that need to be included in an engagement letter with a consultant, details daily steps a company must take to ensure it remains Kovel-compliant, and examines circumstances under which it is and is not appropriate for companies to employ Kovel arrangements. The first article in this series detailed the legal requirements of the Kovel doctrine, as well as considerations for companies when deciding whether to invoke or waive the privilege. See also “Preserving Privilege Before and After a Cybersecurity Incident (Part One of Two)” (Jun. 17, 2015); Part Two (Jul. 1, 2015). 

  • From Vol. 2, No. 24 (Nov. 30, 2016)

    Tech Meets Legal Spotlight: What to Do When IT and Legal Slow the Retention of a Third-Party Vendor

    When an organization hires a third-party vendor that needs access to its network systems, a failure of legal and IT to coordinate the implementation of that access can cause costly delays. The Cybersecurity Law Report discussed the problem with David Cass, the CISO of IBM’s cloud and SaaS operational services, using a fact pattern familiar to many companies: A company is seeking to hire a third-party vendor that needs access to its network systems to perform its duties, but legal and IT have different ideas about the process, and the project stalls. Cass offered advice to bridge the gap between technology and legal teams. See also our two-part series on vendor risk management: “Nine Due Diligence Questions” (May 25, 2016), and “14 Key Contract Terms” (June 8, 2016). 

  • From Vol. 2, No. 23 (Nov. 16, 2016)

    Attorney-Consultant Privilege? Key Considerations for Invoking the Kovel Doctrine (Part One of Two)

    As organizations increasingly engage consultants to conduct cyber risk assessments and to assist in the event of a breach, a logical concern is whether the attorney-client privilege is available to protect those efforts. The Kovel decision in the Second Circuit extended the attorney-client privilege to third parties assisting attorneys in representing clients under certain circumstances. This two-part series describes the use of so-called “Kovel arrangements” by companies to extend the attorney-client privilege to interactions with consultants. This first article describes the requirements of the Kovel privilege as established by case law, as well as critical considerations for deciding whether to invoke or waive the privilege when interacting with regulators or litigants. The second article will detail the requisite features of a fully compliant Kovel arrangement and will examine circumstances under which it is and is not appropriate for companies to employ Kovel arrangements. See also “Target Privilege Decision Delivers Guidance for Post-Data Breach Internal Investigations” (Nov. 11, 2015).

  • From Vol. 2, No. 22 (Nov. 2, 2016)

    How to Protect Against Weaponized Devices in Light of the Massive Denial-of-Service Attack

    Tweets, shopping, money transfers and entertainment were some of the countless internet activities stopped in their tracks by a recent massive attack on a domain name service provider. The hackers utilized ordinary household connected devices to carry out one of the largest denial-of-service attacks to date, shutting down more than a thousand sites such as Amazon, Twitter, Netflix and PayPal. While such attacks are not new and are typically quickly mitigated, this one was critically different in terms of its scale and its reliance on compromised connected devices, and presented “another type of attack that even state-of-the-art organizations in terms of data security have to contend with,” Ed McAndrew, a partner at Ballard Spahr, told The Cybersecurity Law Report. See “Tackling Privacy and Cybersecurity Challenges While Fostering Innovation in the Internet of Things” (May 20, 2015).

  • From Vol. 2, No. 21 (Oct. 19, 2016)

    How the Financial Services Industry Can Handle Cybersecurity Threats, Acquisition Diligence and Breach Response

    The financial services sector is often praised as having some of the most mature cybersecurity practices, but it also holds especially sensitive data and is one of the most common targets for malicious hackers. Asset managers in particular are confronted with general cybersecurity risks while navigating industry nuances. At a recent panel hosted by Major, Lindsey & Africa, Debevoise partners Luke Dembosky and Jim Pastore, both former federal prosecutors, addressed emerging cybersecurity threats, risks from vendors, potential breaches in a pre-acquisition and post-acquisition context, breach response and special considerations for breaches of investor or consumer data. Much of the advice is relevant to all companies grappling with data security risks and breach consequences. See also our two-part series on how the financial services sector can meet the cybersecurity challenge: “A Snapshot of the Regulatory Landscape (Part One of Two)” (Dec. 9, 2015); “A Plan for Building a Cyber-Compliance Program (Part Two)” (Jan. 6, 2016).

  • From Vol. 2, No. 14 (Jul. 6, 2016)

    Mitigating Cyber Risk in M&A Deals and Third-Party Relationships

    Ensuring that a target, or a third-party vendor, has adequate cybersecurity controls before the company takes on the risks of that entity is of paramount importance in today’s cyber threat environment. At a recent PLI panel, counsel at Tiffany & Co. and EY shared advice for conducting M&A due diligence, including specific questions to ask, and presented a five-step plan for assessing and addressing data security and privacy risks that accompany third-party vendor relationships. See also “Tackling Cybersecurity and Data Privacy Issues in Mergers and Acquisitions (Part One of Two)” (Sep. 16, 2015); Part Two (Sep. 30, 2015).

  • From Vol. 2, No. 12 (Jun. 8, 2016)

    Vendor Cyber Risk Management: 14 Key Contract Terms (Part Two of Two)

    Actions by third-party vendors with access to a company’s data are the cause of some of the most damaging breaches. Carefully vetting and monitoring those vendors is crucial to a strong cybersecurity program. At a recent panel at IAPP’s Global Privacy Summit, counsel from Under Armour, AOL and Unisys provided practical guidance on how to implement a comprehensive vendor management program. This article, the second installment in our coverage of the panel, includes fourteen key cybersecurity provisions to include in vendor contracts and the panelists’ strategies for monitoring the vendor relationship and for effective breach response. The first article in our series includes the panelists’ discussion of nine questions to ask vendors during the due diligence process and factors to consider before contract negotiations. See also “Learning From the Target Data Breach About Effective Third-Party Risk Management”: Part One (Sep. 16, 2015); Part Two (Sep. 30, 2015).

  • From Vol. 2, No. 11 (May 25, 2016)

    Vendor Cyber Risk Management: Nine Due Diligence Questions (Part One of Two)

    Some of the biggest cybersecurity headlines point to suppliers as the root cause of the most damaging breaches. This highlights the importance of carefully vetting and monitoring vendors as part of a strong cybersecurity program. At a recent panel at IAPP’s Global Privacy Summit, counsel from Under Armour, AOL and Unisys provided practical guidance on how to implement a comprehensive vendor management program and mitigate data security and privacy risks third-party vendors present. This first article in our series includes the panelists’ discussion of nine questions to ask vendors during the due diligence process and factors to consider before contract negotiations. The second installment in our coverage of the panel will include fourteen key cybersecurity provisions to include in vendor contracts. See also “Learning From the Target Data Breach About Effective Third-Party Risk Management”: Part One (Sep. 16, 2015); Part Two (Sep. 30, 2015).

  • From Vol. 1, No. 17 (Nov. 25, 2015)

    How to Protect Intellectual Property and Confidential Information in the Supply Chain

    Sharing information, including intellectual property, with third parties such as suppliers, distributors and consultants is essential for the operations of many companies but exposes them to various points of cyber risk.  Pamela Passman, President and CEO at the Center for Responsible Enterprise and Trade (CREATe.org), spoke with The Cybersecurity Law Report about how to assess and mitigate third-party and supply chain risk.  CREATe.org, a global NGO, works with companies and third parties with whom they do business to help put processes in place to prevent corruption and protect intellectual property, trade secrets and other confidential information.  See also “Protecting and Enforcing Trade Secrets in a Digital World,” The Cybersecurity Law Report, Vol. 1, No. 13 (Sep. 30, 2015).

  • From Vol. 1, No. 17 (Nov. 25, 2015)

    Implementing an Effective Cloud Service Provider Compliance Program

    The ubiquity of cloud computing platforms as a tool for companies to share, store and back up critical and sensitive data has catapulted the implementation of a comprehensive third-party cloud service provider program to the top of compliance officers’ ever-growing to-do lists.  During a recent seminar held by the Society of Corporate Compliance & Ethics, Web Hull, a privacy, data protection and compliance advisor, provided a practical framework for engaging, managing, auditing and monitoring third-party cloud computing providers.  This article summarizes those insights, including key risks, and compiles the resources compliance officers can use to meet the relevant state and federal cybersecurity regulatory requirements.  See also “Examining Evolving Legal Ethics in the Age of the Cloud, Mobile Devices and Social Media (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 11 (Aug. 26, 2015); Part Two, Vol. 1, No. 12 (Sep. 16, 2015); and “The Advantages of Sending Data Up to the Cloud,” The Cybersecurity Law Report, Vol. 1, No. 6 (Jun. 17, 2015).

  • From Vol. 1, No. 13 (Sep. 30, 2015)

    Learning from the Target Data Breach About Effective Third-Party Risk Management (Part Two of Two)

    Third-party relationships are integral to companies of all sizes, and bring with them increasingly sophisticated cybersecurity risk, as highlighted by the Target data breach.  In our continued coverage of a recent third-party risk management webinar, Mintz Levin attorneys Cynthia Larose and Peter Day provide concrete strategies for implementing and monitoring a third-party risk management program that protects data from third-party security breaches.  In part one, they discussed lessons from Target’s breach, and business and regulatory justifications for a strong third-party risk management program.  See also “Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015); Part Two, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1, No. 12 (Sep. 16, 2015)

    Learning from the Target Data Breach About Effective Third-Party Risk Management (Part One of Two)

    Companies and law firms are increasingly partnering with vendors and other third parties to outsource formerly in-house functions in order to reduce operating costs and increase focus on core businesses.  But, as Mintz Levin attorneys Cynthia Larose and Peter Day said during a recent webinar, the potential consequences of failing to adequately manage the risks associated with giving third parties access to highly confidential systems and information can be disastrous, as evidenced by the 2013 Target data breach.  In part one of our two-part article series, Larose and Day discuss lessons from Target’s breach and business and regulatory justifications for a strong third-party risk management (TPRM) program.  In part two, they will detail strategies for implementing and monitoring a TPRM program that protects companies’ data – and their clients’ and customers’ data – from third-party security breaches.  See “Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015); Part Two of Two, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1, No. 10 (Aug. 12, 2015)

    How the Hospitality Industry Confronts Cybersecurity Threats that Never Take Vacations

    Technology offers travelers the convenience they value – such as software that recalls a frequent traveler’s preferences, room key cards that act as charge cards at resort restaurants, stores and more.  However, these amenities come with risks to the travelers (as well as responsibilities for the company offering the convenience) relating to the collection of sensitive data.  In this interview with The Cybersecurity Law Report, Eileen Ridley, a partner at Foley & Lardner, discusses the hospitality industry’s specific data privacy and cybersecurity challenges, and offers best practices in the collection, storage and protection of the increasing amount of personal data these companies are holding.

  • From Vol. 1, No. 10 (Aug. 12, 2015)

    Surveys Find Internal and Third-Party Cybersecurity Risks Among Top Executive Concerns

    Corporate executives, even those with great defense resources, consider cybersecurity one of the most worrisome issues they confront.  In this article, experts from Deloitte, Protiviti and the Santa Fe Group dissect the results of two recent studies.  Greg Dickinson, a director at Deloitte who leads the quarterly survey “CFO Signals: What North America’s top finance executives are thinking – and doing,” explained how and why many CFOs are feeling unprepared for cybersecurity threats.  In addition, while discussing the “2015 Vendor Risk Management Benchmark Study: The Shared Assessments Program and Protiviti Examine the Maturity of Vendor Risk Management,” Rocco Grillo, cybersecurity managing director at Protiviti, and Gary Roboff, senior advisor to the Santa Fe Group and manager of its Shared Assessments Program, explain how the finance industry outperforms others in third-party risk management and stress the importance of risk committees and data mapping.  See also “Ponemon Study Finds Increasing Data Breach Costs and Analyzes Causes,” The Cybersecurity Law Report, Vol. 1, No. 5 (Jun. 3, 2015).

  • From Vol. 1, No. 6 (Jun. 17, 2015)

    Model Cybersecurity Contract Terms and Guidance for Investment Managers to Manage Their Third-Party Vendors

    Investment managers use a wide range of third-party vendor-provided products and services to manage their daily operations, and many of those third parties have access to sensitive data.  Ensuring that data is protected from theft, either deliberate or inadvertent, is paramount.  In a guest article, Schulte Roth & Zabel partner Robert Kiesel provides practical vendor management guidance and comprehensive contract provisions, and discusses critical policies and contract terms that investment managers can use to protect their, and their investors’, data.  See “Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015); Part Two of Two, Vol. 1, No. 2 (Apr. 22, 2015). 

  • From Vol. 1, No. 2 (Apr. 22, 2015)

    Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part Two of Two)

    Vendors and other third parties – necessary for most businesses – present significant cybersecurity risks and are frequently the source of breaches, from large-scale incidents to smaller data leaks.  Properly vetting these third parties is a challenging, but critical, aspect of cybersecurity programs.  This article series provides a three-step framework to appropriately allocate resources to due diligence and mitigate the risks third parties pose.  Part One provided a framework for companies to (1) categorize potential vendors based on risk levels, including specific questions to ask; and (2) conduct initial due diligence on vendors that present a medium or high level of risk.  Part Two addresses when the categorization of medium-risk vendors should move to high-risk based on red flags discovered during the initial due diligence and details step three of the framework: deeper due diligence for high-risk vendors, including follow-up questioning, documentation of audits or certifications and in-person diligence. 

  • From Vol. 1, No. 2 (Apr. 22, 2015)

    FCC Makes Its Mark on Cybersecurity Enforcement with Record Data Breach Settlement

    With its $25 million settlement with AT&T, the “FCC has now planted its flag, and sent the message that it will use its powers to protect consumers,” Jenny Durkan, a partner at Quinn Emanuel Urquhart & Sullivan, told The Cybersecurity Law Report.  The FCC’s decision earlier this year to classify Internet providers as public utilities under the FCC’s jurisdiction has caused a broad range of companies to follow the agency’s actions closely.  The record AT&T settlement resolves an investigation into the theft of information by employees of a vendor call center in Mexico and requires AT&T to, among other things, overhaul its compliance program, provide free credit-monitoring services for affected customers and meet certain compliance benchmarks at intervals for the next seven years. 

  • From Vol. 1, No. 1 (Apr. 8, 2015)

    Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two)

    Vendors and other third parties are vital to most businesses, but can leave a company dangerously vulnerable to a breach of its data or network.  As the Target breach demonstrated, even a non-IT vendor can cause widespread damage.  Properly vetting third parties remains one of the most challenging aspects of cybersecurity programs.  In order to appropriately allocate due diligence resources, companies must first assess potential third parties to determine which of them present low, medium or high levels of cybersecurity risk and subsequently conduct the corresponding levels of diligence.  This article, the first in our series, provides a framework for companies to (1) categorize potential vendors based on risk, including specific questions to ask; and (2) conduct initial due diligence on vendors that present a medium and high level of risk.  Part Two will address the third step of deeper due diligence for high-risk vendors.
