Cyber Blog

Focused commentary on the latest in cybersecurity preparedness, regulatory compliance and incident response

Momentum is building for federal privacy legislation, with several different proposals circulating in Washington.  Ohio’s new cybersecurity law offers an interesting approach for incentivizing companies to protect their customers’ personal data. We have written previously on two competing models for cybersecurity regulation—“standards” versus “rules.”  The standards-based approach, historically employed by the FTC and certain state laws, imposes broad, flexible requirements that mandate that a company establish a “reasonable” or “industry standard” cybersecurity program,…
Momentum is building for federal data privacy legislation, in large part due to the passage of the California Consumer Privacy Act (CCPA) (which goes into effect in 2020) and other states enacting or considering their own consumer privacy laws.  These developments have businesses concerned that they will face a patchwork of inconsistent and onerous state privacy laws, which is currently the case with breach notification.  Many leading tech companies, trade groups, and the U.S. Chamber…
On November 1, Canada provided the U.S. with another model for a national breach law:  the Personal Information Protection and Electronic Documents Act (“PIPEDA”).  Under that law, companies are required to notify Canada’s Privacy Commissioner and affected individuals as soon as feasible if they experience “any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm…
A recent SEC Order should be a reminder to registered entities, including small- and medium-sized firms, that the SEC is monitoring the reasonableness of their cybersecurity policies and procedures, and that it may take action in the event of a breach, even in the absence of economic harm. The SEC’s $1 million settlement with broker-dealer and registered investment adviser Voya Financial Advisors Inc. followed the theft of personally identifiable information of thousands of Voya’s customers. …
As we have previously discussed, public companies face a variety of legal issues following large-scale data breaches, which increasingly include federal securities class action litigations.  In the past few weeks, two new such actions were filed.  One lawsuit was filed against Chegg, Inc., an education technology company that provides a direct-to-student online learning platform, following its disclosure of the fact that an unauthorized user had gained access to certain customer information.  Another lawsuit was…
In Part 1 of this blog post, we discussed some key contractual provisions that lawyers should consider when entering into agreements with cloud service providers (“CSPs”).  In this Part 2, we discuss some additional contractual considerations to keep in mind, as well as some post-contract practices to consider in order to better protect data in the cloud. As we discussed in Part 1, CSP agreements may contain standard vendor-friendly provisions, such as termination rights and…
Companies have good reasons to limit business-related communications to devices and applications (“apps”) controlled by the company, and to avoid having sensitive company information on the personal devices and apps of employees: Security: The company does not control the cybersecurity and privacy on employees’ personal apps on personal devices, and therefore there is an increased risk of company data being leaked or otherwise compromised. Discovery: When employees communicate on their personal devices, using non-company apps,…
Some of the most significant recent cyber breaches originated at vendors.  We have previously discussed the importance of effective oversight of third parties because vendor breaches can lead to regulatory actions for companies.  Indeed, recent regulatory guidance provides that vendor diligence is an essential part of any cybersecurity program.  This makes sense; there is no point in spending time and resources protecting the data on your network if that same data is unprotected at a…