Category Archives: Cybersecurity

New York State Financial Services Regulator Issues Proposed Cybersecurity Regulations

Written by
On September 13, 2016, Governor Andrew Cuomo announced the issuance of proposed “first-in-the-nation” cybersecurity regulations for entities regulated by the New York Department of Financial Services (DFS), including jurisdictional banks, insurance companies, and other financial institutions.  The proposed regulation will be subject to a 45-day comment period prior to being issued as a final rule.  Once finalized, the regulation would become effective on January 1, 2017, at which point a 180 day "transitional period" would go into effect, during which entities would need to come into compliance [...] Read more

Report Suggests Organizations Still Vulnerable to Credential Management and Network Segmentation Attacks

Written by
The Multi-State Information Sharing and Analysis Center (MS-ISAC) published its 2016 mid-year review on August 22, 2016, highlighting large incidents of malware infections, with particular emphasis on ransomware and click fraud malware.  In contrast to the MS-ISAC report, however, an August 2016 report suggests most organizations would benefit from addressing issues of credential management and network segmentation.  The report is based on data collected over the course of 100 internal penetration tests (i.e., tests assuming one user on the network has already had their account compromised) on [...] Read more

FTC seeks public comment on Safeguards Rule and proposed changes

Written by
On August 29, 2016, the FTC announced it is seeking public comment on its Safeguards Rule as part of a systematic review of all FTC rules and guides. The Safeguards Rule came into force in 2003 after the Gramm-Leach-Bliley Act (GLBA) required that the FTC and other agencies establish administrative, technical, and physical information security standards for financial institutions. Of particular note is the FTC’s call for comments on whether it should reference or incorporate other standards, such as PCI-DSS or NIST standards, which may signal a shift from the FTC’s previous resistance toward [...] Read more

FERC Takes Action on Cybersecurity in Response to Ukrainian Cyber Attacks

Written by
The Federal Energy Regulatory Commission (“FERC”) issued a Notice of Inquiry (“NOI”) and Final Rule at the end of July to address several urgent cybersecurity issues affecting the bulk electric system.  FERC is taking these actions in the face of increasingly sophisticated threats to our power grid, including in response to an actual cyber-attack against Ukraine’s electricity system last year. In the NOI, the Commission seeks comments on possible modifications to the Critical Infrastructure Protection (“CIP”) Reliability Standards developed and managed by the North American [...] Read more

President Obama Issues Directive on Government Cyber Incident Response

Written by
Last week, President Obama issued a new Presidential Policy Directive (PPD) establishing principles to govern the federal government’s response to cyber incidents, “whether involving government or private sector entities.”  Titled “PPD-41,” the document also designates the lead federal agencies for so-called significant cyber incidents and creates an “architecture for coordinating the broader Federal Government response” to significant cyber incidents that is further described in an attached Annex. PPD-41 defines a cyber incident as: An event occurring on or conducted through [...] Read more

Alston & Bird Issues Advisory on Six Myths of Breach Response

Written by
Alston & Bird recently issued an Advisory entitled “Six Myths of Breach Response,” authored by Jim Harvey. As data breaches are on the rise, so are the challenges that businesses face in handling these security incidents. This Advisory identifies six strategic pitfalls to avoid when responding to breaches. The Advisory addresses the true significance of public notification, common mistakes in preserving attorney-client privilege, and tough choices regarding the selection of public relation, investigative, and legal counsel. Jim Harvey co-chairs Alston & Bird’s Cybersecurity Preparedness [...] Read more

Kim Peretti Named to Cybersecurity Docket’s “Incident Response 30”

Written by
Kim Peretti, partner and co-chair of Alston & Bird’s Cybersecurity Preparedness & Response Team, has been named to Cybersecurity Docket’s inaugural “Incident Response 30.” Described by the publication as the “30 best and brightest data breach response lawyers,” the list “honors incident response attorneys and compliance professionals who not only have the right stuff to manage a data breach response, but are also the kind of professionals who are critical to have on speed-dial when the inevitable data breach occurs.” Cybersecurity Docket is a comprehensive and timely [...] Read more

Alston & Bird Expands Privacy, Data Security Capabilities with New Partner in Los Angeles

Written by
Alston & Bird has announced the expansion of its Privacy & Data Security Practice in Los Angeles with partner, Michael Zweiback.  Zweiback, a former federal prosecutor, has rejoined the firm as partner in its Privacy & Data Security Practice and Government & Internal Investigations Group, bringing not only extensive experience in cybersecurity, but also an exceptional background in white collar criminal defense and government enforcement litigation. He arrives from Arent Fox LLP, where he was a partner and co-leader of its Cybersecurity and Data Protection Group. Zweiback has [...] Read more

HHS/OCR Announces Launch of HIPAA Audit Program Phase 2

Written by
Today, the U.S. Department of Health & Human Services’s (HHS) Office for Civil Rights (OCR) announced the launch of Phase 2 of its HIPAA Compliance Audit Program. (OCR’s announcement can be accessed at Audit Phase 2 Announcement and further information about Phase 2 can be accessed at Audit Phase 2 Information.) In this phase, OCR will review the policies and procedures that covered entities and business associates have adopted and implemented to meet certain standards and implementation specifications of the HIPAA Privacy, Security, and/or Breach Notification Rules. Phase 2 will consist [...] Read more

FCC Proposes New Privacy Rules for Internet Service Providers

Written by
On March 10, 2016, the Federal Communications Commission (“FCC”) proposed new privacy and data security rules for Internet service providers (“ISPs”) that, if passed, would regulate how ISPs collect, use, share, and protect customers’ data. The notice of proposed rulemaking (“NPRM”) that FCC Chairman Tom Wheeler circulated for consideration by the full Commission is previewed in a three-page fact sheet that sets forth the proposed rules, which are built on the three core principles of choice, transparency, and security. In order to “provide the tools consumers need to make smart [...] Read more