In our continuing series about privacy, data security and your board, we next turn to how best to educate a board. Yesterday we mentioned that board members have a duty of care. Part of that duty includes effectively overseeing matters relating to privacy and data security (or the often-used buzzword “cybersecurity”). How can board members best address this? Boards will need to understand what their organizations are doing to address and respond to privacy and data security risks, threats, and incidents. They will need to be regularly informed of such efforts, and should monitor compliance. Simply assuming the Company’s IT/IS department has it handled will no longer suffice. For our prior post on this topic, click here.
Continue Reading Privacy, Data Security, and Your Board: Day Two

On February 21, the Securities and Exchange Commission issued new Interpretive Guidance regarding disclosures of cybersecurity-related information by publicly traded companies. This guidance comes in the context of public pressure on the SEC to update its 2011 Division of Corporation Finance guidance regarding cybersecurity risks and incidents. According to SEC Chairman Jay Clayton’s statement, this new document serves to reinforce and expand the prior guidance. It lays out principles that companies should follow in determining when cybersecurity information should be disclosed, and what should be disclosed.
Continue Reading SEC Takes Baby Steps on Cyber, but Signals Greater Vigilance

On February 20, the Department of Justice announced that Attorney General Sessions had created a new, cross-departmental Cyber-Digital Task Force. He directed the Task Force to advise him on the most effective ways for DOJ to confront cyber threats and keep Americans safe. Specifically, the Task Force is charged with canvassing the work the Department is already doing on cyber, and making recommendations on “how federal law enforcement can more effectively accomplish its [cyber] mission.” He asked for a report from the Task Force by June 30.
Continue Reading Justice Department Creates Cyber-Digital Task Force

While they may disagree in other areas, one thing that former FBI Director James Comey, current Deputy Attorney General Rod Rosenstein, and current FBI Director Christopher Wray all have in common is their distaste for strong encryption that prevents the government from accessing information. In 2016, Comey and the Justice Department went to court to try to force Apple to help the government decrypt messages sent by the San Bernardino terrorist attackers. A few months ago, Rosenstein picked up that torch, discussing the need for government access to encrypted information in two separate speeches in October, then repeating his views in the wake of November’s mass shooting at a church in Texas. On January 10, Wray raised the subject in a speech, referring to it as “an urgent public safety issue.” At the same time, as tech companies are quick to point out, the rising tide of information snooping by foreign governments and private actors makes the need for strong encryption greater than ever. The Trump Administration’s strong law-and-order stance, and relative lack of sympathy for tech companies and civil libertarians, mean that 2018 could lead to new developments in this area.
Continue Reading The Encryption Battle Will Continue in 2018

It’s fair to say that ransomware exploded in 2017. After inflicting an estimated $350 million in damage in 2015 and $850 million in 2016, at least one source estimates that it hit $5 billion last year. Most prominent among these were WannaCry, which, among many other infections, shut down computers in 80 organizations affiliated with Britain’s National Health Service, and NotPetya, which attacked many international companies’ computer systems.
Continue Reading 2017 Saw Ransomware on the Rise – 2018 Will See Even More

You hopefully already know that Maryland’s amendment to its data breach notification law went into effect this week (on January 1, 2018). We anticipate that other states may follow one of Maryland’s modifications, namely its expansion of the definition of personal information. Under the amended law, “personal information” now includes an expanded definition of biometric information. Biometric information is defined as any automatically generated biologic measurements, rather than just specifically listed items like fingerprints (the definition prior to the amendment). A handful of states have laws, like Maryland’s, that include biometric information in the definition of personal information. Those include Illinois, Nebraska, Nevada, North Carolina, Wisconsin, and Wyoming. We expect other states may join these. We also expect that states may otherwise continue to expand the definition of personal information in their breach notice laws.
Continue Reading How Will Breach Laws Develop in 2018?

As might be expected, the first year of the Trump Administration saw a lot of activity on the cybersecurity front. In May, the Administration issued its “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” As we discussed in an analysis we issued shortly thereafter, the Order brought more accountability to agencies for monitoring their own cybersecurity, and required them all to implement the NIST Cybersecurity Framework. In September, the Department of Homeland Security banned the use of products, solutions or services offered by Kaspersky Labs. And of course, cybersecurity continues to play an important role in ongoing investigations and political activities relating to the hacking of the Democratic National Committee.
Continue Reading Cybersecurity in the First Year of the Trump Administration

Government contractors have until December 31 to implement security requirements from NIST Special Publication (SP) 800-171 (here) as mandated by the Defense Federal Acquisition Regulation Supplement (DFARS). The requirements include provisions for protecting Controlled Unclassified Information (CUI) (government sensitive but unclassified information; see the CUI Registry here) in nonfederal systems and compliance is expected soon to be required under civilian agency contracts through a forthcoming FAR case. How to implement these requirements has caused some confusion. In response, on November 28, 2017, NIST released its highly-anticipated draft publication providing assessment procedures.
Continue Reading NIST’s Highly-Anticipated Security Requirements Draft Impacts Government Contractors’ Treatment of CUI

In this, our last post about learnings from cyber awareness month, we focus on developing the next generation of cybersecurity experts and increasing its size. According to a study by the Center for Cyber Safety and Education, within five years there will be a shortage of 1.8 million data security workers. This means companies will find it increasingly difficult to hire and retain qualified employees to protect their data systems. Cyber Awareness Month included programs encouraging students and others to explore jobs in cybersecurity, and emphasized programs such as the National Cyber Collegiate Defense Competition and the U.S. Cyber Challenge.
Continue Reading Lessons Learned from Cyber Awareness Month – Part Four