DOD Issues Interim Rule Addressing New Requirements for Cyber Incidents and Cloud Computing Services

On August 26, 2015, the Department of Defense (DoD) issued an interim rule that imposes expanded obligations on defense contractors and subcontractors with regard to the protection of “covered defense information” and the reporting of cyber incidents occurring on unclassified information systems that contain such information.  Nearly three years in the making, this interim rule replaces the DoD’s prior Unclassified Controlled Technical Information (“UCTI”) Rule, imposing new baseline security standards and expanding the information that is subject to safeguarding and can trigger the reporting requirements.  Additionally, the interim rule implements policies and procedures for safeguarding data and reporting cyber incidents when contracting for cloud computing services.

© 2015 Covington & Burling LLP

U.S., U.K. Governments Seek Cyber Innovations from Private Sector

The private sector is likely to produce critical cyber innovations—at least, that is what the U.S. Defense Advanced Research Projects Agency (“DARPA”) and the U.K. Centre for Defence Enterprise (“CDE”) would like to see.

In the United States, although the internet may have been invented at DARPA, DARPA is turning to a private-sector competition to protect it.  In March 2014, DARPA solicited entries for its “Cyber Grand Challenge”: an open competition to devise automated security systems that can defend against cyberattacks as fast as they are launched.  DARPA pitched the Grand Challenge as a “first of its kind,” “capture the flag”-style competition for computer security experts in academia, industry, and the broader security community.  Over 100 teams registered to compete.  For many entrants, the cash prizes ($2 million for first place, $1 million for second, and $750,000 for third) were likely secondary to the opportunity to shape future cybersecurity efforts.  On July 8, 2015, DARPA announced its selection of seven finalists for the final round of the competition.  The finalists include computer security experts from industry, start-up incubators, and academia.

Not one of DARPA’s Grand Challenge finalists?  Take heart: DARPA is said to be developing technology that would allow spectators to watch the final contest in real time.  Or better yet, look to the United Kingdom, where the CDE has an open competition seeking “novel approaches to human interaction with cyberspace to increase military situational awareness.”  CDE is asking for “revolutionary approaches” to “rapidly convey” cyberspace information, events, and courses of action to military commanders, analysts, and decision-makers.  Just as DARPA officials acknowledged the limitations of existing cybersecurity strategy and technology, CDE officials have recognized that “the traditional human-computer interface” is inadequate for “current military information processing and sense-making in the cyber domain.”  Up to £500,000 in research funding will be awarded.  A July 9, 2015 presentation given by CDE is available online; slides from a July 16, 2015 webinar may soon be available as well.  The competition closes on September 3, 2015.  Proposals must be submitted through CDE’s online portal.

© 2015 Covington & Burling LLP

Federal Trade Commission: Start with Security

On June 30, 2015, the Federal Trade Commission (FTC) published “Start with Security: A Guide for Businesses” (the Guide).

The Guide is based on 10 “lessons learned” from the FTC’s more than 50 data-security settlements. For each lesson, the Guide discusses specific settlements that illustrate the practice at issue. The 10 lessons are:


  1. Start with security;

  2. Control access to data sensibly;

  3. Require secure passwords and authentication;

  4. Store sensitive personal information securely and protect it during transmission;

  5. Segment networks and monitor anyone trying to get in and out of them;

  6. Secure remote network access;

  7. Apply sound security practices when developing new products that collect personal information;

  8. Ensure that service providers implement reasonable security measures;

  9. Implement procedures to help ensure that security practices are current and address vulnerabilities; and

  10. Secure paper, physical media and devices that contain personal information.

The FTC also offers an online tutorial titled “Protecting Personal Information.”

We expect that the 10 lessons in the Guide will become the FTC’s road map for handling future enforcement actions, making the Guide required reading for any business that processes personal information.

© 2015 McDermott Will & Emery

June 24th – Healthcare Quarterly Update: Cybersecurity and Health Data Privacy by Bloomberg BNA

Washington, DC

Join Bloomberg BNA for this essential event that explores concerns relating to cyber-security and health data privacy. Healthcare industry experts Kirk Nahra and David Holtzman will join HHS’s Iliana Peters for a comprehensive examination of:
• Big data in the healthcare sector and how to protect information
• Protecting patient and organization information
• Federal enforcement of HIPAA Privacy, Security, Data Breach rules
• Practical up to date information on current issues
• And so much more.


Identify actionable issues, secure your organization, and earn CLE credits.

A breakfast panel with accomplished scholars and an HHS representative. This conversation will address practical considerations for ensuring that patients’ data is handled in full compliance with all regulations and ethical responsibilities. Healthcare practitioners are increasingly required to address data privacy and cybersecurity concerns; attending this panel will help you identify actionable points in the law common to many legal practices.


Executive Order Provides Sanctions Aimed at Fighting Cyberattacks

On April 1, 2015, the president signed Executive Order 13694, which created a new sanctions regime for fighting cyberattacks. This creates opportunities for companies that are facing or may face cyberattacks: the Executive Order gives victims additional tools to punish the perpetrators by working with the government, and it creates a framework that allows the government to respond to attacks on private companies and to take measures against co-conspirators. The Executive Order also raises several issues that individuals and companies with international dealings should consider in order to avoid potential liability.

The Executive Order grants the Secretary of the Treasury authority to “block” the assets of anyone who conducts or aids “cyber-enabled activities . . . reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States . . . .” The Executive Order also grants the power to sanction any individual or entity that gives support to, assists in any way, or sponsors such a cyber-attacker. The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) will work in coordination with other U.S. government agencies to identify individuals and entities that engage in prohibited cyber activities and designate them for sanctions. Persons designated under this Executive Order will be added to OFAC’s list of Specially Designated Nationals and Blocked Persons (SDN List). U.S. persons are prohibited from engaging in almost all transactions with designated individuals and entities named on the SDN List or with entities owned by such designated persons. Additionally, designated persons sanctioned under the Executive Order will be blocked from entering the United States.

Given the growing nature of cyberattacks and the Executive Order’s potentially broad reach, individuals and companies with international business should consider taking steps to ensure their business partners do not meet the criteria of cyberattackers. For example, payments from persons designated as cyberattackers will be blocked by U.S. financial institutions and U.S. persons that engage in transactions with such persons could be subject to substantial penalties. Accordingly, U.S. businesses engaged in international transactions should consider updating their compliance programs and screening procedures to ensure they are not dealing with any persons designated on the SDN List, or that are owned 50 percent or more by such designated persons.

The Executive Order represents a turning point for the administration. It signals that the administration will take a more active role in fighting attacks that are often diffuse and difficult to investigate. Barnes & Thornburg has worked with the government to track down hackers who have levied corporate cyberattacks. In light of the Executive Order, there can be little doubt that the government will redouble its efforts to help victim companies, presenting opportunities for companies to work with the government in its efforts to track down and stop the perpetrators. This is good news for fighting cyberattacks.

© 2015 BARNES & THORNBURG LLP


Register for the Thomson Reuters Legal Executive Institute 5th Annual Law Firm CFO/CIO/COO Forum – NYC June 3

The 5th Annual Law Firm CFO/CIO/COO Forum
Data Privacy, Security & the Globalized Law Firm

Early Bird Rate Ends 5-14!


The Thomson Reuters Legal Executive Institute proudly presents the 5th Annual Law Firm CFO/CIO/COO Forum on June 3, 2015 in New York City at the Crowne Plaza Times Square Manhattan.

Our program will address the twin specters of data privacy and cyber security and their impact on US and international law firms in 2015. Delegates will hear from non-legal industry CISOs and world-renowned cyber security experts on emerging threats and innovative strategies affecting modern day law firm operations. Come prepared with questions and ideas as you engage both thought leaders and peers throughout a series of collaborative discussions.

This year’s program highlights include:

  • Enemies at the Gate: Responses to Data Security Threats Across Industries
  • Red Corner: The Rise of Corporate Espionage & the Problem with China
  • From Russia with Love: APT28 and the Soviet Specter
  • Preparing for a Client Security Audit: A Peer-to-Peer Workshop
  • A Briefing on Data Security Concerns in the Cloud and Tablet Technology
  • And more

Special Offers

Early Bird Discount: Save 15% when you enter CFO15 at checkout for individual registrations.  Expires 05.14.15

Group Discounts: Save 30% when you register 2 or more delegates; please call 1-800-308-1700

Why You Should Attend

  • This is the only professional conference in existence devoted to the unique cyber security concerns of law firms.
  • Stay Informed about the current threats to enterprise security at your firm from our elite faculty of thought leaders.
  • Network across industries as we welcome Chief Information Security Officers (CISOs) from numerous sectors to the Forum.
  • Gain Practical Takeaways for adoption at your firm or organization and build powerful connections with the premier thought leaders in the profession.
  • Be prepared to handle any future incidents at the completion of the Forum.
  • Did you know? Many law firm CIOs and security analysts believe that mobile technology and tablet technology will be the primary target of attacks in 2015. Our forum dispenses crucial advice on how to avoid falling prey to such forces.
  • Did you know? Many analysts believe international law firms will easily double their operation and insurance costs in 2015 as a result of increased data security attacks on US and Western businesses. Are you well-versed in the latest threats from Asia, Russia and beyond?
  • Did you know? The 2015 federal regulatory, legislative and enforcement landscape will force many organizations to thoroughly assess their current security infrastructure and comply with myriad new quality controls. Have you done your proper due diligence?


New Data Security Bill Seeks Uniformity in Protection of Consumers’ Personal Information

Morgan, Lewis & Bockius LLP.

Last week, House lawmakers floated a bipartisan bill titled the Data Security and Breach Notification Act (the Bill). The Bill comes on the heels of legislation proposed by US President Barack Obama, which we recently discussed in a previous post. The Bill would require certain entities that collect and maintain consumers’ personal information to maintain reasonable data security measures in light of the applicable context, to promptly investigate a security breach, and to notify affected individuals of the breach in detail. In our Contract Corner series, we have examined contract provisions related to cybersecurity, including addressing a security incident if one occurs.

Some notable aspects of the Bill include the following:

  • Notification to individuals affected by a breach would generally be required within 30 days after a company has begun taking investigatory and corrective measures (rather than based on the date of the breach’s discovery).

  • Notification to the Federal Trade Commission (FTC) and the Secret Service or the Federal Bureau of Investigation would be required if the number of individuals whose personal information was (or there is a reasonable basis to conclude was) leaked exceeds 10,000.

  • To advance uniform and consistently applied standards throughout the United States, the Bill would preempt state data security and notification laws. However, the scope of preemption continues to be discussed, and certain entities would be excluded from the Bill’s requirements, including entities subject to existing data security regulatory regimes (e.g., entities covered by the Health Insurance Portability and Accountability Act).

  • Violations of the Bill would be enforced by the FTC or state attorneys general (and not by a private right of action).


Taking Control of Cybersecurity: A Practical Guide for Officers and Directors

Foley and Lardner LLP

Major cybersecurity attacks of increased sophistication — and calculated to maximize the reputational and financial damage caused to the corporate targets — are now commonplace. These attacks have catapulted cybersecurity to a top priority for senior executives and board members.

To help these decision makers get their arms around cybersecurity issues, Foley Partners Chanley T. Howell, Michael R. Overly, and James R. Kalyvas have published a comprehensive white paper entitled: Taking Control of Cybersecurity — A Practical Guide for Officers and Directors.

The white paper describes very practical steps that officers and directors should ensure are in place or will be in place in their organizations to prevent or respond to data security attacks, and to mitigate the resulting legal and reputational risks from a cyber-attack. The authors provide a blueprint for managing information security and complying with the evolving standard of care. Checklists for each key element of cybersecurity compliance and a successful risk management program are included.

Excerpt From Taking Control of Cybersecurity: A Practical Guide for Officers and Directors

Sony, Target, Westinghouse, Home Depot, U.S. Steel, Neiman Marcus, and the National Security Agency (NSA). The security breaches suffered by these and many other organizations, including most recently the consolidated attacks on banks around the world, combined with an 80 percent increase in attacks in just the last 12 months, have catapulted cybersecurity to the top of the list of priorities and responsibilities for senior executives and board members.

The devastating effects that a security breach can have on an enterprise, coupled with the bright global spotlight on the issue, have forever removed responsibility for data security from the sole province of the IT department and CIO. While most in leadership positions today recognize the elevated importance of data security risks in their organization, few understand what action should be taken to address these risks. This white paper explains and demystifies cybersecurity for senior management and directors by identifying the steps enterprises must take to address, mitigate, and respond to the risks associated with data security.

Officers and Directors are Under a Legal Obligation to Involve Themselves in Information Security

The corporate laws of every state impose fiduciary obligations on all officers and directors. Courts will not second-guess decisions by officers and directors made in good faith with reasonable care and inquiry. To fulfill that obligation, officers and directors must assume an active role in establishing correct governance, management, and culture for addressing security in their organizations.

