Category Archives: Advisories

Alston & Bird Issues Advisory on Six Myths of Breach Response

Alston & Bird recently issued an Advisory entitled “Six Myths of Breach Response,” authored by Jim Harvey. As data breaches are on the rise, so are the challenges that businesses face in handling these security incidents. This Advisory identifies six strategic pitfalls to avoid when responding to breaches. The Advisory addresses the true significance of public notification, common mistakes in preserving attorney-client privilege, and tough choices regarding the selection of public relations, investigative, and legal counsel. Jim Harvey co-chairs Alston & Bird’s Cybersecurity Preparedness [...]

Alston & Bird Issues Cyber Alert on the EU Network Information Security Directive

This morning, Alston & Bird partners Jim Harvey and Jan Dhont issued an Advisory on the EU’s forthcoming Network Information Security Directive (“NIS Directive”). National laws passed to implement the NIS Directive will impose substantial new compliance responsibilities on providers of “essential services,” as well as on a broad range of “digital service providers”—potentially even if a digital service provider's only EU presence is a website. Companies subject to the NIS Directive will be obligated to implement internal cybersecurity measures. Moreover, the NIS Directive [...]

HHS/OCR Announces Launch of HIPAA Audit Program Phase 2

Today, the U.S. Department of Health & Human Services’s (HHS) Office for Civil Rights (OCR) announced the launch of Phase 2 of its HIPAA Compliance Audit Program. (OCR’s announcement can be accessed at Audit Phase 2 Announcement and further information about Phase 2 can be accessed at Audit Phase 2 Information.) In this phase, OCR will review the policies and procedures that covered entities and business associates have adopted and implemented to meet certain standards and implementation specifications of the HIPAA Privacy, Security, and/or Breach Notification Rules. Phase 2 will consist [...]

The Importance of Strategic Vendors in Breach Response

Alston & Bird recently issued an Advisory, co-authored by Jim Harvey and Karen Sanzaro, on the complexities of managing a data breach that implicates strategic third party vendor relationships. Cybercrime and data security incidents are on the rise. Security breaches and the ensuing investigation and remediation process can be costly and complex. The process is further complicated if the breach implicates a company’s third party service provider, or the services provided by such third party, particularly where the services or the service provider are strategic or essential to a company’s [...]

Information Sharing Law Finally Passed

After years of vigorous debate and numerous bills aimed at incentivizing cyber threat intelligence sharing having failed to become law, on December 18, 2015, President Obama signed an omnibus spending bill containing the Cybersecurity Information Sharing Act of 2015 (“CISA”). The statute is located in Title I of Division N of the bill, beginning on page 1728. Passage of CISA is a major victory for cybersecurity proponents in Congress and the private sector, many of whom have called for information sharing legislation for years. Although the Act raises some significant privacy concerns, the [...]

The EU General Data Protection Regulation – Europe Adopts Single Set of Privacy Rules

On December 15, 2015, following four years of close, sometimes contentious, review, the EU institutions agreed upon the text of the General Data Protection Regulation (the “GDPR”). One of the most important EU legislative initiatives in recent years, the GDPR is also a landmark in privacy regulation worldwide. From the time the GDPR takes effect – most likely in early 2018 – data protection regulation for most of Europe will largely proceed from a single set of rules. The GDPR will replace the Data Protection Directive (95/46/EC) (the “Directive”), adopted in 1995, which was [...]

Alston & Bird Issues an International Trade & Regulatory/Cybersecurity Advisory on Proposed New Export Requirements for Cybersecurity Products and Technologies

Alston & Bird recently issued an Advisory on a new regulation proposed by the Department of Commerce’s Bureau of Industry and Security (BIS), which would require certain developers, manufacturers, and users of cybersecurity intrusion and surveillance items to obtain export licenses before conducting business and performing their work—even when working with their affiliated companies or with business partners in the most closely allied countries. The new requirement is being implemented pursuant to the United States’ commitments under the Wassenaar Arrangement on Export Controls for Conventional [...]

Alston & Bird issues a Privacy and Security ADVISORY on Russia’s new Data Localization Law

Today, Alston & Bird issued a Privacy and Security ADVISORY on Russia’s new Data Localization Law, which will take effect in September 2015. Penalties for non-compliance can be severe, including suspension of offending websites. Our Privacy & Data Security Group gives details on the law, the compliance challenges facing U.S. companies, and the solutions available to them. The Privacy and Security ADVISORY can be found on our website at:, and as a pdf at: Russia Data Localization Law Advisory. [...]

EU’s Article 29 Working Party Releases Opinion on Internet of Things Protections

The European Union’s Article 29 Data Protection Working Party (WP29) adopted an opinion (the Opinion) on September 16, 2014 regarding data protection within the Internet of Things (IoT). Recognizing the rapid growth of the IoT, the Opinion responds to emerging data privacy concerns within the IoT, and provides recommendations for stakeholder compliance with EU data protection laws. The IoT is made up of the universe of “smart” devices and applications that communicate with each other electronically. The Opinion focuses on a subset of three IoT applications: 1) “wearable [...]

HIPAA/HITECH Act Accounting of Disclosures NPRM: Redux?

In May 2011, the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services (HHS) issued a proposed rule to modify the HIPAA Privacy Rule’s standard for accounting of disclosures of protected health information (PHI). The proposed rule would have implemented the HITECH Act’s requirement for covered entities and business associates to account for disclosures of PHI to carry out treatment, payment and health care operations if the disclosures are through an electronic health record (EHR). HHS also proposed to expand the accounting provision to provide individuals with [...]