Cybersecurity

Subscribe to Cybersecurity via RSS

ThinkstockPhotos-87341406-webThis article is the third in a series of articles that discuss the importance of privacy and data security considerations in the transactional context.

In any transaction in which an entity invests in or acquires another business or its assets, the investing or acquiring entity (the “Acquiror”) should fully evaluate its counterparty (the “Company”), the Company’s assets, and the Company’s liabilities and risks prior to the consummation of the transaction. A spate of significant data security incidents and exposés in the past few years has raised awareness across industries of the need to adequately contemplate privacy concerns and appropriately secure data systems. Businesses, acquirors, and investors increasingly understand that expensive data security incidents, lawsuits, and government investigations can result from basic failures to comply with applicable privacy laws or data processing contracts or, with regard to information security, well-established industry best practices.
Continue Reading Privacy and Data Security Due Diligence

Historically, businesses have called for greater connection between the legal requirements of European data protection law and the requirements of information technology standards. The new International Organization for Standardization (ISO) standard for securely processing personal information in cloud computing environments, ISO 27018, could be a significant and major first step toward creating technical standards that take privacy legal requirements into account.1 While its effects on compliance under the forthcoming EU General Data Protection Regulation (GDPR) remain to be seen, ISO 27018 offers a promising look at what a more harmonized data protection regime might look like.
Continue Reading Technical Standards Open New Avenue to EU Data Protection Compliance

Companies have been pressing the Federal Trade Commission (FTC) for additional guidance on data security, and the agency recently delivered. On August 10, 2015, the FTC issued a public closing letter to Morgan Stanley Smith Barney LLC (Morgan Stanley) regarding the agency’s investigation into concerns that the company “fail[ed] to secure, in a reasonable and appropriate manner, account information related to Morgan Stanley’s Wealth Management clients.”1 In the context of data security investigations, closing letters—which explain why FTC staff opted to close an investigation—have the potential to offer helpful insights on what security measures the FTC considers to be reasonably designed to protect the privacy and security of personal information. Knowing what factors influenced the FTC staff’s decision to close an investigation in one instance is equally instructive as knowing why the staff decided to pursue an enforcement action in another.
Continue Reading FTC Closing Letter Confirms the Importance of Implementing Employee Access Controls

Cyber attacks can result in significant monetary and reputational damage to a wide range of businesses. Recently, the U.S. Department of Justice (DOJ) increased its efforts to engage businesses on cybersecurity issues. Earlier this year, as part of that effort, the department published a new resource for companies victimized by a cyber attack. The guidance, “Best Practices for Victim Response and Reporting of Cyber Incidents,” is targeted at smaller organizations, but it provides beneficial insights for companies of all sizes, including best practices for preparing for, responding to, and recovering from cyber incidents that are applicable to all organizations.1
Continue Reading DOJ Issues Guidance for Responding to Cyber Attacks

ThinkstockPhotos-504041382-webThe Federal Communication Commission’s (FCC’s) newly promulgated Open Internet rules (2015 rules)—also known as the net neutrality rules—went into effect on June 12, 2015.1 The new rules apply specifically to broadband Internet access service providers, and not to Internet content, application, and device providers (edge providers). Nonetheless, by design, the rules will have a potentially far-reaching impact on edge providers’ and consumers’ rights and the avenues for redress in the face of harm inflicted by broadband providers. To date, the FCC has yet to receive any formal complaints from companies, though those may well be in the offing, according to some media reports and public statements.2
Continue Reading FCC Open Internet Rules Contain Important New Privacy, Data Security, and Transparency Measures

On April 1, 2015, President Obama issued an executive order declaring “cyber-enabled malicious activities” a national emergency due to the “increasing prevalence and severity” of such attacks originating from or directed by persons outside the United States.1 The executive order gives the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, the power to impose economic sanctions on certain designated individuals and entities that have been directly or indirectly involved in malicious cyberattacks against U.S. networks, critical infrastructure, as well as those involving the theft of economic resources or personal and financial information, or the misappropriation of trade secrets.
Continue Reading President Obama Creates New Sanctions Regime to Combat Foreign Cyberthreats