While cybersecurity risks have increased, government regulation has traditionally lagged behind. Recently, some government entities have tried to catch up by mandating that companies take a proactive approach toward protecting personal and competitively sensitive data. The move is a departure from the traditional reactive response of simply notifying consumers after their personal data is breached.
With this shift in emphasis, companies are asking the obvious questions: “What are we expected to do and what is a proactive cybersecurity compliance program?”
Both on the state level and through federal regulatory agencies, the government is beginning to dictate a comprehensive compliance approach to data protection. Late last year, the U.S. Securities and Exchange Commission’ s Cybersecurity Examination Initiative directed broker-dealers to “further assess cybersecurity preparedness in the securities industry.” Thus, the SEC announced that it “will focus on key topics including governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.”
In two independent and much-anticipated actions, separate EU entities took actions which will continue to complicate the ability of US companies to do business in Europe.
By: Chris Koa and Walter Impert With the shift from traditional hard copy paper documents towards electronic records stored Cloud Computing-based software and services (eg, iCloud, Dropbox, Google Drive, etc.), access to and use of digital assets by fiduciaries after death or incapacitation of the owner has emerged as a key estate planning consideration…. Read More
By: Barry Glazer, Ron Moscona and Chris Koa Significant uncertainty and concern regarding US companies’ ability to process and use personal data received from the EU has loomed since the October 2015 decision by Europe’s highest court invalidating the EU-US Safe Harbor. US and EU regulators earlier this week announced conceptual agreement regarding a new… Read More
By: Ron Moscona, Partner Dorsey & Whitney On 6 November 2015, The EU Commission published a communication addressed to the European Parliament and the EU Council, in an attempt to reduce current legal uncertainties surrounding the transfer of personal data from European Union countries to the U.S. The communication follows on the decision of the… Read More
A recent ruling shows that plaintiffs must act fast when using a federal criminal statute for a civil suit.
The U.S. Court of Appeals for the Second Circuit in August addressed the proper application of the statute of limitations to a civil action—in the context of allegations of malicious statements made on the Internet over a broken romance and sexual misconduct—brought under the federal computer crime statute, the Computer Fraud and Abuse Act (CFAA). The case was Sewell v. Bernardin.
By: Ron Moscona, a partner in Dorsey & Whitney’s London Office The Court of Justice of the European Union (“CJEU”) held yesterday, in its decision in Schrems v. Data Protection Commissioner, that the decision of the European Commission of July 2000 which provides the legal basis under EU law for the “Safe Harbor” scheme is… Read More
Author: Melissa Krasnow Organizations are preparing for data incidents and breaches by developing, updating, implementing, and testing incident response plans. This article provides a checklist of key components of an incident response plan. Following are items from state and federal sources of guidance: “Best Practices for Victim Response and Reporting of Cyber Incidents”(April 2015) issued… Read More
Washington State Governor Jay Inslee signed legislation making Washington among the five US states with the most rigorous data breach notification laws enacted to date. Washington joins Florida, Ohio, Vermont, and Wisconsin in imposing strict and specific obligations on any business that has suffered a data breach. The new law is effective July 24, 2015.
The duty of a board to monitor and oversee organizational risk includes cyberrisks. As cyberrisks and incidents proliferate, boards are seeking to enhance the information they receive about cyberrisks and incidents. One development boards should be aware of is the decision in the Palkon v. Holmes directors and officers (D&O) litigation (2014 U.S. Dist. LEXIS 148799 (D.N.J. Oct. 20, 2014)).