The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

Recent Issue Headlines

Vol. 1, No. 14 (Oct. 14, 2015) Print IssuePrint This Issue

  • How to Reduce the Cybersecurity Risks of Bring Your Own Device Policies (Part One of Two)

    Many companies now allow employees to use their own devices for work email and other work-related functions.  Allowing employees to “bring your own device,” or BYOD, provides companies with cost savings and employees with flexibility, but also presents serious cybersecurity challenges.  This first article in our two-part series on designing cybersecure BYOD policies discusses BYOD risks and recommends strategies to reduce these risks, including employee training.  Part two will discuss mobile device management tools and software as well as handling lost devices, outgoing employees and discovery.  See “Strategies for Preventing and Handling Cybersecurity Threats from Employees,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

    Read full article …
  • Dangerous Harbor: Analyzing the European Court of Justice Ruling

    An Austrian graduate student’s lawsuit against Facebook has resulted in the invalidation of a 15-year old data privacy treaty relied upon by thousands of multi-national companies.  On October 6, 2015, the Court of Justice of the European Union (ECJ), the highest court in the E.U., held that the Safe Harbor framework that allowed companies to transfer personal data from the E.U. to the U.S., including data for cross-border investigations and discovery, is invalid.  The ECJ found that the U.S. does not ensure adequate protection for personal data, primarily because of the access rights that the ECJ said U.S. agencies have.  Although the ruling is immediate, the “sky is not falling,” said Harriet Pearson, a partner at Hogan Lovells.  On October 16, 2015, a group of E.U. member state privacy regulators, the Article 29 Working Party, called for renewed negotiations on a treaty and recommended interim actions for companies.  There will need to be a “transition to a more complex and perhaps a more work-intensive compliance strategy than Safe Harbor had previously afforded companies,” Pearson said.  See also “ECJ Hearing on Safe Harbor Challenges How U.S. Companies Handle European Data,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

    Read full article …
  • MasterCard and U.S. Bancorp Execs Share Tips for Awareness and Prevention of Mushrooming Cyber Risk (Part One of Two)

    Two senior-level executives in the financial industry, leading cybersecurity experts, recently offered their views on how they are balancing the lure of new technology with the associated risks.  In this article, the first in a two-part series covering the PLI program “Cybersecurity 2015: Managing the Risk,” Jenny Menna, the cybersecurity partnership executive at U.S. Bancorp and Greg Temm, vice president for information security at MasterCard, and responsible for MasterCard’s cyber intelligence program, address: the current cyber landscape; the most pressing threats across industries; and how the government, regulators and private companies are responding to those threats.  In the second article, they tackle mitigating cybersecurity risk, including industry projects geared toward improving the overall cybersecurity ecosystem; and tips for avoiding cyber threats at work and home.  See “The SEC’s Updated Cybersecurity Guidance Urges Program Assessments,” The Cybersecurity Law Report, Vol. 1, No. 3 (May 6, 2015).

    Read full article …
  • Privacy and Data Security Considerations for Life Sciences and Health Technology Companies (Part One of Two)

    The health sector is faced with a web of complex regulations due to the particular sensitivity of the information it handles.  During a recent webinar, WilmerHale partners discussed special health data regulatory considerations at state, federal and international levels and how health care companies can navigate them.  In this article, the first in a two-part series, Barry Hurewitz examines the security issues specific to life sciences and health information technology companies, and provides an overview of the applicable regulatory standards at the federal levels, with a focus on HIPAA.  The second article will feature Hurewitz and Jonathan Cedarbaum’s coverage of the regulatory landscape as it relates to business associate agreements, medical research and recent developments regarding mobile devices, as well as special considerations of health data privacy regulation at the state and international levels.  See “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015). 

    Read full article …
  • Energy Industry Demonstrates Public-Private Cybersecurity Coordination

    Through presidential proclamation, October has been named the twelfth National Cyber Security Awareness Month (NCSAM).  Throughout the month, many governmental agencies and private enterprises will participate in panels, conferences and other events throughout the country to emphasize cyber risks and best practices.  For example, speakers at the U.S. Chamber of Commerce’s Fourth Annual Cybersecurity Summit included top officials at the U.S. Department of Homeland Security and in the Department of Energy and private sector leaders such as the CEO of Southern Company.  They emphasized the NCSAM theme this year – “Our Shared Responsibility” – by focusing on how the private and public sector can work together to strengthen cybersecurity and diffuse cyber threats.  See also our series featuring FBI Director James Comey's discussion of the “‘Evil Layer Cake’ of Cybersecurity Threats,” The Cybersecurity Law Report, Vol. 1, No. 5 (Jun. 3, 2015); and “Cooperation among Domestic and International Cybersecurity Law Enforcement Communities,” Vol. 1, No. 6 (Jun. 17, 2015).

    Read full article …
  • Eight Ways Compliance Officers Can Build Relationships with the “Middle”

    Whether it is cybersecurity, privacy or any other type of regulatory compliance, the much-talked-about “tone at the top” is often cited as crucial for an effective compliance program.  See “Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 3 (May 6, 2015); Part Two, Vol. 1, No. 4 (May 20, 2015).  Ensuring that tone is conveyed throughout the organization, however, is equally important.  Getting the compliance message across typically falls on an organization’s middle managers.  A recent Society of Corporate Compliance & Ethics program featuring Charlotte Nafziger, director of compliance of T-System, Inc., explored the importance of middle management in developing an effective ethics and compliance program and the ways compliance officers can engage middle management in doing so.

    Read full article …
  • Venable Welcomes White House Cybersecurity Adviser

    Venable has announced that senior director for White House cybersecurity Ari Schwartz will join the firm as managing director of cybersecurity services.  Previously, he served as a senior policy advisor to three Commerce Department secretaries on developing voluntary cybersecurity standards in accordance with the administration’s executive order.  Schwartz also served as a senior Internet policy adviser at the National Institute of Standards and Technology and the Commerce Department and as a senior policy analyst at the Center for Effective Government.

    Read full article …
  • Epstein Becker Green Bolsters Data Security and Privacy Capabilities

    Epstein Becker Green recently announced that Robert J. Hudock has returned as a member of the firm in the health care and life sciences practice, in its Washington, D.C. office, after serving as chief privacy and data security officer and senior vice president at SAIC, a major intelligence, military, aerospace, engineering and systems contractor.

    Read full article …
  • Baker & McKenzie Enhances London Data Protection Practice

    Baker & McKenzie recently enhanced its London data protection and privacy practice with the appointment of Dyann Heward-Mills as a partner.  She was previously global senior privacy counsel for GE Capital.

    Read full article …