The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

Recent Issue Headlines

Vol. 1, No. 1 (Apr. 8, 2015)

  • Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two)

    Vendors and other third parties are vital to most businesses, but can leave a company dangerously vulnerable to a breach of its data or network.  As the Target breach demonstrated, even a non-IT vendor can cause widespread damage.  Properly vetting third parties remains one of the most challenging aspects of cybersecurity programs.  In order to appropriately allocate due diligence resources, companies must first assess potential third parties to determine which of them present low, medium or high levels of cybersecurity risk and subsequently conduct the corresponding levels of diligence.  This article, the first in our series, provides a framework for companies to (1) categorize potential vendors based on risk, including specific questions to ask; and (2) conduct initial due diligence on vendors that present a medium and high level of risk.  Part Two will address the third step of deeper due diligence for high-risk vendors.

  • The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions

    When a data security incident has been identified, a company’s initial priorities include understanding, containing and remedying the vulnerabilities.  In the aftermath of a data security incident, however, companies often have to focus nearly as quickly on responding to inquiries from an expanding array of federal, state, and local regulators and law enforcement agencies, including state attorneys general and the FTC.  The SEC is a more recent entrant into the cybersecurity enforcement arena.  It has dramatically increased its focus on these issues in the last four years, and it has signaled an intent to continue to expand its efforts.  This is true not only for financial institutions subject to extensive SEC oversight – such as broker-dealers and investment advisers – but for all publicly traded companies.  In a guest article, Daniel F. Schubert and Jonathan G. Cedarbaum, partners at WilmerHale, and Leah Schloss, a WilmerHale associate, explain the SEC’s role in cybersecurity enforcement, the SEC’s two primary theories in cyber-related enforcement actions and another theory that the SEC may use to broaden its cyber enforcement authority.

  • Strategies for Preventing and Handling Cybersecurity Threats from Employees

    Not all data breaches stem from trained cybercriminals – in fact, many cybersecurity incidents come from the inside.  They are initiated by an employee’s inadvertent mistake or intentional act.  In this interview with The Cybersecurity Law Report, Holly Weiss, a partner in the Employment & Employee Benefits Group, and Robert Kiesel, a partner and chair of the Intellectual Property, Sourcing & Technology Group, at Schulte Roth & Zabel, discuss: the two categories of internal cybersecurity threats (inadvertent and intentional); specific ways to protect against those threats, including effective training methods and “bring your own device” policies; and the effect of relevant regulations.

  • How Can a Company Mitigate Cyber Risk with Cross-Departmental Decisionmaking?

    A lack of coordination among company units can be detrimental in many business areas, but when it comes to cybersecurity, isolated actions and decisions can pave a clear path to a data breach, and exacerbate the legal ramifications of that breach.  In a guest article, Jennifer Topper of Topper Consulting explains: why cross-functional decisionmaking is so important in cybersecurity; how to make the business case for investing in proactive cyber planning; how to integrate the cybersecurity program; how to create a multidisciplinary group of stakeholders; and the role of the general counsel in information governance.

  • Ten Actions for Effective Data Risk Management

    High-profile data breaches expose breached companies to intense negative scrutiny from lawmakers, regulators, media, customers and plaintiffs’ attorneys.  But not every data breach is a headline-grabbing theft of consumer credit card data – and small breaches cannot be ignored.  Effective information risk management to prevent data leaks, the unauthorized transfer of information to the outside world, and security breach incidents requires a top-driven coordinated information security compliance program that is implemented on a company-wide basis.  In a guest article, Jesse M. Brody, a partner at Manatt Phelps & Phillips, provides ten immediate steps companies should take to prevent data leaks and larger breach events.

  • ECJ Hearing on Safe Harbor Challenges How U.S. Companies Handle European Data

    Can U.S. companies continue to rely on the Safe Harbor program that permits them to transmit and store data originating in the EU despite the EU’s stricter privacy laws?  The European Court of Justice is now considering how and where U.S. companies are permitted to handle EU data.  The court heard arguments in Luxembourg on March 24, 2015, related to Austrian Facebook user Maximilian Schrems’ challenge to the 15-year-old Safe Harbor structure.  Clara Rosales Rosado of Policy and Regulatory Report (PaRR), a sister publication of The Cybersecurity Law Report, talked to Schrems about the case and his strategy and reported on the hearing.

  • NSA General Counsel to Lead Mayer Brown’s Privacy & Security Practice in D.C.

    Mayer Brown recently announced that Rajesh De is rejoining the firm as a partner in Washington, D.C., where he will lead the firm’s global Privacy & Security practice.  Most recently, De served as the general counsel for the U.S. National Security Agency after holding a series of notable positions in the federal government.

  • Cybersecurity Litigator Jeffrey Rabkin to Join Jones Day from California's OAG

    Jones Day has announced that Jeffrey Rabkin will join its San Francisco office as a partner in the firm’s Business and Tort Litigation Practice as of April 20, 2015.  Rabkin has been the principal advisor to the California Attorney General on cybersecurity and related matters.

  • Federal Prosecutor Ronald Cheng to Rejoin O’Melveny

    O’Melveny & Myers recently announced that Ronald L. Cheng will join the firm as a partner in the firm’s White Collar Defense & Corporate Investigations Group, residing in the Los Angeles and Hong Kong offices.