The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation


By Topic: Regulatory Authority

  • From Vol. 3 No.5 (Mar. 8, 2017)

    What Covered Financial Entities Need to Know About New York’s New Cybersecurity Regulations

    Cybersecurity regulations from the New York State Department of Financial Services took effect on March 1, 2017. The scope of the regulations, which apply to financial institutions, insurance companies, and other financial services firms licensed by the State of New York, was narrowed to a degree following numerous industry comments on the proposed draft. This guest article by James Kaplan and Moein Khawaja, partner and associate at Quarles & Brady, explains the new requirements and changes from previous versions, and provides guidance regarding the implementation of the regulations and best cybersecurity practices related to the current regulatory environment. They also predict what future regulation might look like in this area. See also “Preparing to Meet the Deadlines of DFS’ Revised New York Cybersecurity Regulation” (Jan. 25, 2017).

  • From Vol. 3 No.2 (Jan. 25, 2017)

    Preparing to Meet the Deadlines of DFS’ Revised New York Cybersecurity Regulation

    The New York State Department of Financial Services proposed a cybersecurity regulation that raised many eyebrows when it was first introduced in September 2016. Taking into account the over 150 comments it received, the DFS published an updated version of the regulation at the end of 2016 and delayed the effective date by two months – until March 1, 2017. In this interview, Patterson Belknap Webb & Tyler LLP partner Craig A. Newman offers insight on what the new regulation means to covered institutions and the actions companies will need to take to be in compliance. See also “Steps Financial Institutions Should Take to Meet New York’s Proposed Cybersecurity Regulation” (Sep. 21, 2016).  

  • From Vol. 3 No.2 (Jan. 25, 2017)

    Triaging Security Projects in the Current Legal Landscape

    Escalating cyber threats, liability risks and the numerous legal and regulatory standards make it difficult for a company to know how to plan and prioritize security projects. During a recent webcast, ZwillGen attorneys Amy Mushahwar and Marci Rozen offered their advice on top-priority security projects for mitigating corporate risk, and discussed how to determine and understand applicable data security regulations and guidelines, as well as the potential liabilities and business harms that can arise from inadequate security. See also “Demystifying the FTC’s Reasonableness Requirement in the Context of the NIST Cybersecurity Framework (Part One of Two)” (Oct. 19, 2016); Part Two (Nov. 2, 2016).

  • From Vol. 2 No.6 (Mar. 16, 2016)

    FCC Flexes Its Muscles With Proposed Broadband Privacy Rules and Verizon Settlement

    Continuing its increased emphasis on online privacy, the FCC has proposed regulations for broadband ISP services, right on the heels of a $1.35 million settlement with Verizon Wireless tied to its use of unique identifier headers or “supercookies.” Verizon agreed to adopt a three-year compliance program in connection with its tracking of customers for targeted advertising purposes and failing to adequately notify them about it. Experts told The Cybersecurity Law Report that the consent decree seemed to pave the way for the proposed new privacy rules, which center around choice, security and transparency. We analyze the settlement, provide three key takeaways from it and explore the impact of the new proposed rules. See also “FCC Makes Its Mark on Cybersecurity Enforcement With Record Data Breach Settlement” (Apr. 22, 2015).

  • From Vol. 2 No.5 (Mar. 2, 2016)

    Expert Advice on Newly Effective NFA Cybersecurity Requirements for Market Participants

    How will the National Futures Association’s new Interpretive Notice on cybersecurity (effective March 1, 2016) change data and electronic system security requirements for NFA members? The NFA recently held a Cybersecurity Workshop featuring a number of senior NFA personnel and industry experts to discuss the particulars of the Notice and provide insight into what NFA examiners will be looking for when they conduct member examinations. The program, which was moderated by NFA director Amy McCormick, included NFA directors Shuna Awong, Patricia Cushing and Dale Spoljaric, as well as industry participants Patricia Donahue, senior vice president and chief compliance officer at Rosenthal Collins Group LLC; Buddy Doyle, founder and CEO of Oyster Consulting; and Peter Salmon, a senior director at the Investment Company Institute. See also “New NFA Notice Provides Cybersecurity Guidance to Futures and Derivatives Market” (Nov. 11, 2015).

  • From Vol. 2 No.4 (Feb. 17, 2016)

    Legal and Regulatory Expectations for Mobile Device Privacy and Security (Part Two of Two)

    Companies are capitalizing on increased personal and professional mobile device use by collecting, storing and sharing mobile-generated information to improve products and services and target advertising. During a recent webinar, WilmerHale partners D. Reed Freeman, Jr. and Heather Zachary examined the latest federal, state and self-regulatory privacy and data security expectations tied to mobile devices. In this second installment of our two-part series, Freeman and Zachary address: how to ensure compliance in the use of cross-device advertising and tracking; Telephone Consumer Protection Act lessons; and key differences in Canada and E.U. regulations. Part one covered how practitioners can navigate the regulatory environment for mobile advertising, including self-regulatory guidance and the increasingly important role of the FCC. See also “FTC Chair Addresses the Agency’s Data Privacy Concerns With Cross-Device Tracking” (Nov. 25, 2015).

  • From Vol. 2 No.3 (Feb. 3, 2016)

    So, You Just Got a Letter From the FTC: A Guide for Attorneys (Part Two of Two)

    The receipt of a civil investigative demand from the FTC should not induce panic – a CID is “a vehicle for inquiry and we close far more [cases] than we bring,” Maneesha Mithal, Associate Director of the FTC’s Division of Privacy and Identity Protection, said during a panel at the recent IAPP Practical Privacy Series. Along with Mithal, the panel featured private outside counsel experts Stuart Ingis, a partner at Venable; and Hunton & Williams counsel Phyllis Marcus. They provided advice on how to handle a CID, from the first steps through requesting a closed case, including the view from behind the scenes at the FTC. In this second installment of our two-part series, we cover the FTC’s perspective on the CID process and how best to prepare for and conduct the meetings with the FTC staff and directors. Part one examined best practices for the first steps to take after receiving the CID, as well as strategies for setting up the client for a successful result. See also “FTC Director Analyzes Its Most Significant 2015 Cyber Cases and Provides a Sneak Peek Into 2016” (Jan. 6, 2016).

  • From Vol. 2 No.3 (Feb. 3, 2016)

    Legal and Regulatory Expectations for Mobile Device Privacy and Security (Part One of Two)

    With consumers now using mobile devices in nearly every aspect of their personal and professional lives, companies are collecting, storing and sharing information from mobile use for a wide range of initiatives such as improving products and services and targeted advertising. During a recent webinar, WilmerHale partners D. Reed Freeman, Jr. and Heather Zachary examined the latest federal, state and self-regulatory privacy and data security expectations. Part one in this two-part series covers the panelists’ detailed discussion about how practitioners can navigate the regulatory environment for mobile advertising, including self-regulatory guidance and the increasingly important role of the FCC. In part two, Freeman and Zachary address: how to ensure compliance in the use of cross-device advertising and tracking; lessons from the Telephone Consumer Protection Act; and key aspects of the E.U. and Canada’s mobile privacy and data security regulations. See also “FTC Chair Addresses the Agency’s Data Privacy Concerns With Cross-Device Tracking” (Nov. 25, 2015).

  • From Vol. 2 No.3 (Feb. 3, 2016)

    The FTC’s Big Data Report Helps Companies Maximize Benefits While Staying Compliant

    Recognizing the benefits of “big data” and its widespread use, on January 6, 2016, the FTC issued a staff report on best practices for companies to minimize risks of that use, including the potential for discrimination against certain populations. The report, Big Data: A Tool For Inclusion or Exclusion? Understanding the Issues, addresses applicable laws and policy considerations and provides a series of questions to help companies become and remain compliant. See also “The FTC Asserts Its Jurisdiction and Provides Ten Steps to Enhance Cybersecurity” (Jul. 15, 2015).

  • From Vol. 2 No.2 (Jan. 20, 2016)

    So, You Just Got a Letter From the FTC: A Guide for Attorneys (Part One of Two)

    Receiving a civil investigative demand (CID) from the FTC can be nerve-wracking, but there are ways to make the process smoother. During the recent IAPP Practical Privacy Series 2015, a panel of government and private outside counsel experts provided advice on how to respond to written requests and steps companies can take to best position themselves in front of the agency, starting with the first telephone call. The panel featured Maneesha Mithal, FTC Associate Director, Division of Privacy and Identity Protection; Venable partner Stuart Ingis; and Hunton & Williams counsel Phyllis Marcus. Part one in this two-part series examines best practices for first steps after receiving the CID, including the first call with the client and the initial contact with the FTC, as well as strategies for setting up the client for a successful result. Part two will cover the FTC’s perspective on the CID process and how best to prepare for and conduct the meetings with the FTC staff and directors. See also “FTC Director Analyzes Its Most Significant 2015 Cyber Cases and Provides a Sneak Peek Into 2016” (Jan. 6, 2016).

  • From Vol. 2 No.1 (Jan. 6, 2016)

    FTC Director Analyzes Its Most Significant 2015 Cyber Cases and Provides a Sneak Peek Into 2016

    The FTC’s Bureau of Consumer Protection was hard at work in 2015, reaching settlements with a wide range of companies on a variety of privacy and data security issues.  During the recent IAPP Practical Privacy Series 2015, Jessica Rich, Director of the Bureau of Consumer Protection and an architect of the FTC’s privacy program, reflected on the agency’s major enforcement actions, reports and relationships in 2015 and what businesses should expect in the coming year.  See also “The FTC Asserts Its Jurisdiction and Provides Ten Steps to Enhance Cybersecurity” (Jul. 15, 2015).

  • From Vol. 2 No.1 (Jan. 6, 2016)

    Cybersecurity and Whistleblowing Converge in a New Wave of SEC Activity

    The SEC has long prioritized incentivizing corporate whistleblowers to report violations of the securities laws, and protecting them when they do. Increasingly, the federal agency also has vigorously enforced certain key aspects of cybersecurity, as its importance has permeated every facet of the way registered entities operate. In a recent webinar, Orrick attorneys Mark Mermelstein, Jill Rosenberg and Renee Phillips examined how these two formerly disassociated areas of regulatory enforcement are converging in a new wave of SEC guidance and enforcement. This article discusses the practitioners’ insights on the SEC’s recent initiatives and enforcement actions in both the cybersecurity and whistleblowing contexts; the applicable regulations; and how companies can address and mitigate the risks of cybersecurity whistleblower actions. See also “The SEC’s Updated Cybersecurity Guidance Urges Program Assessments” (May 6, 2015).

  • From Vol. 1 No.16 (Nov. 11, 2015)

    New NFA Notice Provides Cybersecurity Guidance to Futures and Derivatives Market

    Cybersecurity in the futures and derivatives market is “perhaps the single most important new risk to market integrity and financial stability,” according to Commodity Futures Trading Commission Chairman Timothy Massad.  The National Futures Association (NFA), a self-regulatory organization responsible for the registration of certain market participants, recently received approval from the CFTC of its Interpretive Notice to several existing NFA compliance rules.  The new guidance will provide more specific standards for supervisory procedures and will require NFA members to adopt and enforce written policies and procedures to secure customer data and electronic systems.  “The approach of the Interpretive Notice is to tie cybersecurity best practices to a firm’s supervisory obligations,” Stephen Humenik, a Covington & Burling partner, told The Cybersecurity Law Report.  See also “Debunking Cybersecurity Myths and Setting Program Goals for the Financial Services Industry,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.15 (Oct. 28, 2015)

    Privacy and Data Security Considerations for Life Sciences and Health Technology Companies (Part Two of Two)

    Companies in the life sciences and health information technology industry face unique data privacy and security concerns based on the highly sensitive personal health information that they handle.  In our continued coverage of a recent health sector data privacy and security webinar, WilmerHale partners Barry Hurewitz and Jonathan Cedarbaum address HIPAA’s nuances, including requirements for business associates and its applicability in medical research.  They also highlight the latest regulatory guidance regarding medical and mobile devices, and move beyond HIPAA to examine current state and international regulations.  In part one, Hurewitz discussed security issues specific to life science and health information technology companies and provided a federal regulatory overview.  See also “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.14 (Oct. 14, 2015)

    MasterCard and U.S. Bancorp Execs Share Tips for Awareness and Prevention of Mushrooming Cyber Risk (Part One of Two)

    Two senior-level executives in the financial industry, both leading cybersecurity experts, recently offered their views on how they are balancing the lure of new technology with the associated risks. In this article, the first in a two-part series covering the PLI program “Cybersecurity 2015: Managing the Risk,” Jenny Menna, the cybersecurity partnership executive at U.S. Bancorp, and Greg Temm, vice president for information security at MasterCard and responsible for MasterCard’s cyber intelligence program, address: the current cyber landscape; the most pressing threats across industries; and how the government, regulators and private companies are responding to those threats. In the second article, they tackle mitigating cybersecurity risk, including industry projects geared toward improving the overall cybersecurity ecosystem, and tips for avoiding cyber threats at work and at home. See “The SEC’s Updated Cybersecurity Guidance Urges Program Assessments,” The Cybersecurity Law Report, Vol. 1, No. 3 (May 6, 2015).

  • From Vol. 1 No.9 (Jul. 29, 2015)

    Canada’s Digital Privacy Act: What Businesses Need to Know

    Companies that conduct business in Canada or collect data from Canada will need to make significant changes going forward to comply with the recently enacted Digital Privacy Act. As Kirsten Thompson, Daniel G.C. Glover and Marissa Caldwell of McCarthy Tétrault explain, the substantial regulation mandates breach notification, imposes new consent requirements and significant fines, and changes the confidentiality requirements within government investigations. In addition, it gives the Office of the Privacy Commissioner of Canada an enforcement role. Even companies with no Canadian presence are looking closely at this legislation as the U.S., Europe and other countries debate legislative proposals of their own.

  • From Vol. 1 No.7 (Jul. 1, 2015)

    Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)

    As cybersecurity concerns permeate every industry, it becomes increasingly urgent for lawyers across disciplines to understand the most pressing threats and shifting regulatory landscape; help shape and direct the responses; and be able to effectively communicate and collaborate with technical security efforts.  In this first article in our two-part coverage of a recent panel at PLI’s Sixteenth Annual Institute on Privacy and Data Security Law, Lisa J. Sotto, managing partner of Hunton & Williams’ New York office and chair of the firm’s global privacy and cybersecurity practice, discusses the current cyber threat landscape and the relevant laws and rules.  See “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).  The second part will detail her advice on preparing for and responding to a cyber incident and will include insight from her co-panelist Vincent Liu, a partner at security consulting firm Bishop Fox, on how security and legal teams can effectively work together throughout the process. 
