Tag Archives: cybersecurity

From the Server Room to the Board Room: D&O and Cybersecurity Emerging Trends

With breaches of nearly 150 million Americans’ personal information flooding the news the last few weeks, followed by the filing of more than 50 class action lawsuits to date, and the announcement of an FTC investigation, cybersecurity is squarely on the minds of directors and on the table in boardrooms across the country. On September 14, …

Delaware Amends Data Breach Notification Law to Require Reasonable Data Security and Expand the Scope of Personal Information Requiring Notice

On August 17, 2017, Delaware Governor John Carney signed into law House Substitute 1 for House Bill 180, making the first significant amendment to Delaware’s data breach notification law since 2005. The bill, scheduled to go into effect April 14, 2018, requires private organizations to maintain reasonable security policies and procedures; expands the definition of …

UK government posts new NIS Directive consultation addressing cybersecurity threats

The security and reliability of the UK’s IT infrastructure remains a key priority for the government. In August 2017, the Department for Digital, Culture, Media and Sport launched a public consultation on its plans to transpose the Network and Information Systems Directive (‘NIS Directive’) into UK legislation. (As we reported earlier this year, the UK has …

President Trump Signs Executive Order on Cybersecurity Focusing on Critical Infrastructure, Federal Networks and Public Cybersecurity Policy

On Thursday, May 11, 2017, President Donald Trump signed an Executive Order on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” The Executive Order comes after Trump had postponed signing a similar executive order on cybersecurity on Feb. 1, and another draft executive order had been circulated Feb. 10. The final Executive Order aligns …

UK government publishes digital strategy to create and support a secure and thriving data economy

On 1 March 2017, the UK government published its Digital Strategy (“Strategy”) for a “world-leading digital economy that works for everyone.” The Strategy contains a number of statements that bring some certainty to the direction of regulation in the UK following its withdrawal from the European Union.

Unlocking the data economy

The Strategy notes the …

NIS Directive to be implemented in UK despite Brexit

In January, the UK government confirmed that it will be implementing the EU’s Network and Information Security Directive (NIS Directive) regardless of Brexit. EU countries have until 9 May 2018 to implement the Directive into their national laws. Given Brexit, the UK government confirmed in its Cyber Security Regulation and Incentives Review that details of the …

The new Cybersecurity Law of China: What does it mean for the International Market?

On 7 November, the government of the People’s Republic of China passed the much-anticipated Cyber Security Law of China, which will come into force 1 June 2017. After first and second drafts were put out for public consultation in June 2015 and May 2016, respectively, it was a third draft issued in October 2016 that …

European Commission Publishes Communication on Cybersecurity

On 5 July, the European Commission (“EC”) published a communication outlining measures to improve resilience to cyber incidents, improve cooperation and information sharing, and promote innovation and competition in the European cybersecurity industry. The communication highlights the EC’s intention to take cooperation, knowledge, and capacity to the next level, particularly through the imminent introduction …

Are You Prepared for Your Vendor’s Data Breach?

Ever since the Target and Home Depot breaches were traced to intrusions at their vendors, the management of cybersecurity at third-party vendors has been a focus of companies and regulators. The FTC has flagged the issue, as has the SEC. The DoD has imposed strict cybersecurity requirements for contractors that “flow down” to sub-contractors. But despite an …

Cybersecurity & Other Risks: OCC Outlines Key Examination Areas for 2016

As organizations’ reliance on technology grows, so does their exposure to data breaches and cybersecurity incidents. “The Office of the Comptroller of the Currency examiners will be using the agency’s new Cybersecurity Assessment Tool in conjunction with information security and operational risk supervisory activities to determine an institution’s ability to …

Cyber-Hacking and Cyberterrorism Are Bringing More Attention to Technology Firms and Software Manufacturers

Should “cyber products” be added to the United States Munitions List (USML)? Cyber-hacking and cyberterrorism are growing concerns for the national security of the United States, so this question could not go unanswered. The Defense Trade Advisory Group (DTAG) concluded that “cyber products” should not be added to the USML. The addition of this broad …

New York Department of Financial Services Previews Upcoming Cybersecurity Regulations for Banks and Insurers

Anthony Albanese, the head of the New York Department of Financial Services, issued a letter to more than 20 federal and state regulators outlining proposed cybersecurity regulations for banks and insurance companies operating in New York. While the letter is a request for comment from fellow regulators, it represents a preview of several cybersecurity measures …

New challenges created by China’s new draft cybersecurity law

In July 2015, China released its new draft cybersecurity law (the ‘Law’), which will potentially have far-reaching consequences for network operators and companies doing business in China. The Law regulates cross-border data transfers and gives individuals greater protection over their personal data, including granting them increased rights to access and amend their personal information. The …

European Parliament publishes its proposals for the security of the EU

On 9 July 2015 the European Parliament published its European agenda on security, setting out the current situation of security in the European Union before identifying three key areas upon which efforts should be focused: terrorism, radicalism and cybercrime.

Cybercrime

The European Parliament recognises the significant threat that cybercrime poses to both businesses and individuals …

A Checklist for In-House Counsel: Cyber Security for Medical Devices

Medical device companies and manufacturers of other connected devices need to be attentive to the ever-increasing risk of a cybersecurity breach affecting their own devices and the hospitals and other health care organizations where their devices are connected. Taking these challenges into consideration, the FDA has issued several guidance documents concerning cybersecurity for medical devices. …

Virginia Launches First State-Level Information Sharing and Analysis Organization

On April 20, Virginia Gov. Terry McAuliffe announced that the state is establishing the nation’s first state-level Information Sharing and Analysis Organization (“ISAO”), intended to enhance the voluntary sharing of critical cybersecurity threat information in order to confront and prevent potential cyberattacks. In the face of recent high-profile data breaches affecting both private and public …

PCI Security Standards Council Announces Revisions to the use of SSL

The Payment Card Industry (PCI) Security Standards Council has released a bulletin on impending revisions to version 3.0 of the Payment Application Data Security Standard (PA-DSS) and version 3.0 of the PCI Data Security Standard (PCI-DSS), which we reported on in January 2014. To ensure the continued protection of consumers’ payment data, the PCI Security Standards Council …

PCI Seeks to Help Organisations Educate Staff on Information Security with New Guidance

In October, the Payment Card Industry (“PCI”) Security Standards Council published the Best Practices for Implementing a Security Awareness Program Information Supplement (“Supplement”) to help organisations educate their employees on the importance of protecting, the care in handling, and the risks of mishandling sensitive information. The PCI Special Interest Group (“PCI SIG”) developed the Supplement …

PCI Addresses Payment Security Risks with New Guidance

In August, the Payment Card Industry (“PCI”) Security Standards Council published the Third Party Security Assurance Information Supplement (“Supplement”) to help organisations reduce their risk by better understanding their respective roles in securing card data. The Supplement was developed by the PCI Special Interest Group (“PCI SIG”) consisting of merchants, banks and third-party service providers, …

The Final NIST Cybersecurity Framework Document Is Out: Now What?

This post was written by Timothy J. Nagle. The year-long process – led by the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS) – of conducting outreach to the private sector, issuing drafts, receiving and evaluating input, and facilitating interagency coordination, ended with the publication last week of the “Framework …

OIG Report Indicates OCR Not Overseeing and Enforcing HIPAA Security Rule

A November 21, 2013 report published by the Office of the Inspector General (OIG) concluded that the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is not fully enforcing the HIPAA Security Rule and laid out recommendations for the OCR to implement. The OIG’s report also concluded separately that OCR is …

UK ICO criticises elements of the proposed EU cybersecurity Directive

Last month, the Information Commissioner’s Office (ICO) published a response to the government’s call for views and evidence on the draft EU Directive on Network and Information Security (NIS Directive). The ICO’s criticism stemmed from its experience with mandatory data breach notifications from the telecoms sector and included suggestions for modifying the proposed NIS Directive. …

ENISA Cybersecurity Annual Report

ENISA, the European Union Agency for Network and Information Security, issued its Annual Incidents Report 2012. The report has been issued under Article 13a of the Common Regulatory Framework Directive (2009/140/EC) for electronic communications networks and services. The report highlights that 18 European Union countries reported 79 significant incidents during 2012. Only 9 countries reported …