The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

Recent Issue Headlines

Vol. 2, No. 4 (Feb. 17, 2016)

  • Designing, Implementing and Assessing an Effective Employee Cybersecurity Training Program (Part One of Three)

    While cyber threats are frequently attributed to outsiders, many breaches are caused, often inadvertently, by company employees. The effective training of employees to keep data secure and respond properly to breaches is a hallmark of any cybersecurity program. The development and implementation of a good training program can be broken down into three phases: (1) designing the training policies and planning the best training approach, considering the type of company and types of employees; (2) conducting the actual training sessions and ensuring the necessary topics are covered effectively; and (3) following up after the training, including certification and evaluating the efficacy of the training. This three-part series will cover each of those phases, respectively, with insight from outside counsel, consultants, and in-house experts. See also “Strategies for Preventing and Handling Cybersecurity Threats From Employees” (Apr. 8, 2015).

  • Deal Struck to Maintain the Transatlantic Data Flow 

    Two days after the expiration of a deadline set by Europe’s data protection authorities, and after months of negotiations, the European Commission and U.S. Department of Commerce reached an understanding intended to allow the transatlantic transfer of digital data by thousands of companies to continue. With data flows impacting billions of dollars in bilateral trade at stake, the so-called “privacy shield” agreement “makes existing cooperation between the FTC and E.U. DPAs [data protection authorities] more robust, with better enforcement mechanisms and means of redress for E.U. citizens whose privacy rights may have been infringed by E.U.-U.S. cross border transfers,” Davina Garrod, a London-based Akin Gump partner, told The Cybersecurity Law Report. However, she added that “the shield is by no means a panacea, and does not fix all of the problems identified by the [E.U. Court of Justice] in the Schrems judgment” that invalidated the previous safe harbor data transfer pact. We discuss the agreement, the important steps that remain before the privacy shield can be finalized, and the immediate impact on companies. See also “Dangerous Harbor: Analyzing the European Court of Justice Ruling” (Oct. 14, 2015).

  • HIPAA Privacy Rule Permits Disclosures to Firearm Background Check System

    The current firearm background check system just became a little stronger thanks to the Department of Health and Human Services. The Department issued a Final Rule amending the HIPAA Privacy Rule to allow certain covered entities to disclose PHI about individuals prohibited from possessing or receiving firearms to the National Instant Background Check System without the individual’s prior consent. Lynn Sessions, a BakerHostetler partner, spoke with The Cybersecurity Law Report about the Final Rule, its implications and processes covered entities should put in place to mitigate risk. The Final Rule became effective February 6, 2016. See also “Year-End HIPAA Settlements May Signal More Aggressive Enforcement by HHS” (Dec. 9, 2015).

  • Cybersecurity Preparedness Is Now a Business Requirement

    How can companies make cybersecurity preparedness an integral part of their business practices? During a recent panel at ALM’s cyberSecure event, JoAnn Carlton, general counsel and corporate secretary at Bank of America Merchant Services, Edward J. McAndrew, Assistant U.S. Attorney and Cybercrime Coordinator at the U.S. Attorney’s Office, and Mercedes Tunstall, a partner at Pillsbury, gave their perspectives on steps companies can take to enhance cybersecurity. They discussed how the evolving nature of cyber attacks requires evolving business models. Simply establishing an incident response plan is not enough: companies must build privacy preparedness across the organization and engage in a continuous cycle of planning and response to stay ahead of cyber threats. See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)” (Jul. 1, 2015); “The Challenge of Coordinating the Legal and Security Teams in the Current Cyber Landscape (Part Two)” (Jul. 15, 2015).

  • Legal and Regulatory Expectations for Mobile Device Privacy and Security (Part Two of Two)

    Companies are capitalizing on increased personal and professional mobile device use by collecting, storing and sharing mobile-generated information to improve products and services and target advertising. During a recent webinar, WilmerHale partners D. Reed Freeman, Jr. and Heather Zachary examined the latest federal, state and self-regulatory privacy and data security expectations tied to mobile devices. In this second installment of our two-part series, Freeman and Zachary address: how to ensure compliance in the use of cross-device advertising and tracking; Telephone Consumer Protection Act lessons; and key differences in Canada and E.U. regulations. Part one covered how practitioners can navigate the regulatory environment for mobile advertising, including self-regulatory guidance and the increasingly important role of the FCC. See also “FTC Chair Addresses the Agency’s Data Privacy Concerns With Cross-Device Tracking” (Nov. 25, 2015).

  • White House Lays Out Its Broad Cybersecurity Initiatives

    “Bold action is required to secure our digital society and keep America competitive in the global digital economy,” the White House said as it unveiled the Cybersecurity National Action Plan (CNAP). On February 9, 2016, the president signed two Executive Orders – one creating a commission on cybersecurity and one forming a federal privacy council – and included in his proposed budget a 35% increase in cybersecurity spending to, among other things, boost hiring of security experts (including a federal CISO) and synchronize technology across the federal government. “CNAP really boils down to information security principles that the private sector has had drummed into it for years: don’t use outdated, insecure systems and technology; use secured access such as MFA; hire the best and most skilled information security professionals you can afford; and share your experiences, good and bad, to develop best practices,” Evan D. Wolff, a partner at Crowell & Moring, said. See also “Opportunities and Challenges of the Long-Awaited Cybersecurity Act of 2015” (Jan. 6, 2016).

  • New York Department of Financial Services Attorney Joins BuckleySandler

    BuckleySandler recently announced that Dana V. Syracuse, former Associate General Counsel of the New York Department of Financial Services (NYDFS) and former Assistant Attorney General in the Office of the New York State Attorney General, has joined the firm as counsel in its New York office. While at the NYDFS, Syracuse helped oversee the department’s strategy regarding emerging payment systems, virtual currency, and blockchain technology; the drafting of New York State’s BitLicense virtual currency regulation; and the chartering of New York State based virtual currency exchanges. See also “The Development of E-Currency and Its Potential Impact on the Future” (Aug. 26, 2015).

  • Locke Lord Adds Employment and Privacy Lawyer Michele Whitham As Boston Partner

    Locke Lord recently added employment and privacy lawyer Michele Whitham as a partner in the Boston office and a member of the firm-wide labor and employment and privacy and cybersecurity practice groups. She is a former co-managing partner of Foley Hoag. Among her areas of practice is a particular focus on workplace and corporate data security and privacy.
