In the aftermath of Equifax’s data breach, a federal court recently found that allegations of poor cybersecurity coupled with misleading statements supported a proper cause of action. In its decision, the U.S. District Court for the Northern District of Georgia allowed a securities fraud class action case to continue against Equifax. The lawsuit claims the company issued false or misleading statements regarding the strength and quality of its cybersecurity measures. In their amended complaint, the plaintiffs cite Equifax’s claims of “strong data security and confidentiality standards” and “a highly sophisticated data information network that includes advanced security, protections and redundancies,” when, according to the plaintiffs’ allegations, Equifax’s cybersecurity practices “were grossly deficient and outdated” and “failed to implement even the most basic security measures.” The court found that data security is a core aspect of Equifax’s business and that investors are likely to review representations on data security when making their investment decisions.
Continue Reading Court Finds Cybersecurity-Related Claims Sufficient in Securities Class Action

The U.S. Government is increasingly taking the initiative to alert companies to the cybersecurity risks of certain foreign corporations. Whether by issuing binding directives on agencies, passing laws or promulgating regulations that include prohibitions on the use of these companies’ products – including by government contractors, the Government is becoming less reluctant to interfere in the private market in favor of warning American companies of the cybersecurity dangers out there.
Continue Reading When the U.S. Government Declares Companies Cyber-Insecure, We Should All Pay Attention

The Federal Trade Commission recently issued a cyber guide that, while intended for small businesses, can be of help for all businesses. The purpose of the guide, which includes various modules, is to help smaller businesses address data security threats. These modules follow guidance the FTC issued in April, stressing the importance of cyber security preparedness and the help the FTC intended to give to small businesses on that front.
Continue Reading FTC Cyber Guidance for Small Business has Tips Helpful to All

As many of you have no doubt seen, the Justice Department recently released the report of the Attorney General’s Cyber Digital Task Force, a body the Attorney General had created in February. In the report, the Task Force, chaired by Deputy Attorney General Rod Rosenstein, seeks to answer the question: “How is the Department responding to cyber threats?” On the off chance that you’re not dying to read all 144 pages, we have provided a short summary and a couple of takeaways below.
Continue Reading DOJ Report Suggests Direction For Addressing Cyber Threats

On May 15, the Department of Homeland Security released its long-awaited Cybersecurity Strategy.

The Strategy aims to reduce cybersecurity risk through “an innovative approach that fully leverages our collective capabilities across the Department and the entire cybersecurity community.” It sets a course of cybersecurity policy for the Department for the next five years and signals a more assertive approach to cyber vis a vis other agencies by setting forth clearer consequence for agencies that don’t adopt best practices. It also fleshes out an initiative for DHS to engage the private sector more actively and share cybersecurity tools directly with industry, especially critical infrastructure sectors such as hospitals, information technology, health care, transportation systems and chemical plants.
Continue Reading DHS Releases New Cybersecurity Strategy

New York Attorney General, Eric. T. Schneiderman, stated in a recent press release that 9.2 million New Yorkers had their personal data compromised in 2017. Such data compromises were mainly due to large scale data hacks, such as the Equifax and Game Stop hacks. According to the NYAG office’s report, 1,583 data breaches were reported to the NYAG in 2017. This was quadruple the number from 2016. While hacking was the most likely culprit the AG indicated, a large number of breaches resulted from negligence.
Continue Reading NY Issues Data Breach Report

In our final installment on privacy, cyber security, and your board, we look at privacy and cyber issues in M&A. So you are thinking about acquiring a new entity? Divesting of current one? Due diligence will need to be conducted to best understand and evaluate privacy and data security issues and risks. Your board will expect this of you, especially as more and more data security issues receive top billing in the news. The board will want to make sure buyers have done their jobs and have looked at and understand the type of personal information the target acquisition collects and stores, how it protects such personal information, and the details surrounding any prior data security breaches suffered by the target. If divesting a company, expect that the other side will ask similar questions about privacy and data security. Boards, in thinking about their duty of care and oversight of privacy and data security matters, will want to make sure that these issues are not forgotten in the M&A process. For our prior post on this topic, click here for day one, here for day two, here for day three, and here for day four.
Continue Reading Privacy, Data Security, and Your Board: Day Five

In our ongoing conversation about privacy, data security and your board, we turn next to cyber insurance and vendor management. Boards, when executing their duty of care, should keep in mind that while there may be some coverage for data incidents under a company’s CGL and D&O policies, there may be significant gaps in coverage as well. Knowing what those gaps are is important. And just as it is important to have a broker with cyber experience, it is also important to seek assistance from cyber counsel during the application process to avoid overstatements or misstatements and to ensure the company is purchasing the appropriate cyber policy based on the company’s cyber risk levels. In addition to cyber insurance coverage, another third party issue that often comes up in the privacy and data security space is vendor management. Board oversight of vendor management has become the new normal. What should boards expect? What are practical aspects of effective vendor management?  Limiting vendor access to critical network segments, setting cybersecurity policies and standards for your vendors, ensuring your vendor contracts comprehensively address privacy and data security risks, incidents, liability, and insurance are all things boards should be increasingly focused on. For our prior post on this topic, click here for day one and here for day two.
Continue Reading Privacy, Data Security, and Your Board: Day Three

In our continuing series about privacy, data security and your board, we next turn to how to best educate a board. Yesterday we mentioned about how board members have a duty of care. Part of that duty includes effectively overseeing matters relating to privacy and data security (or the often-used buzzword “cybersecurity”). How can board members best address this? Boards will need to understand what their organizations are doing to address and respond to privacy and data security risks, threats, and incidents. They will need to be regularly informed of such efforts, and should monitor compliance. Simply assuming the Company’s IT/IS department has it handled will no longer suffice. For our prior post on this topic, click here.
Continue Reading Privacy, Data Security, and Your Board: Day Two