Category Archives: Cybersecurity

The Supreme Court To Resolve Whether a Violation of a Statutory Right Confers Article III Standing

The Supreme Court’s recent decision to hear the appeal in Spokeo, Inc. v. Robins may have significant implications for data breach litigation in particular and consumer class action litigation generally. At issue is whether a plaintiff who has suffered no actual injury or harm nonetheless has standing under Article III of the United States Constitution to seek recovery in federal court based on an alleged violation of a statutory right. Depending on how the Supreme Court resolves the issue, companies defending data breach lawsuits and other consumer class actions may find it tougher to obtain [...]

DOJ Issues Data Breach Guidance

On Wednesday, April 29, 2015, the Department of Justice Computer Crime and Intellectual Property Section (CCIPS) Cybersecurity Unit issued new, detailed guidance on data breach incident response best practices. The document was announced at an invitation-only round table hosted by DOJ and provides guidance on what DOJ regards as “best practices for victims and potential victims to address the risk of data breaches, before, during and after cyber-attacks and intrusions.” The document was prepared with input from federal prosecutors as well as private sector companies that experienced cybersecurity [...]

Kim Peretti Quoted by CIO on Talking To Boards About Cybersecurity Risks

Kim Peretti, co-chair of the firm’s Security Incident Management & Response Team, was quoted in a CIO article on April 27 titled, “Boards are on high alert over security threats.” The risk of a cyberattack is a concern that is fast becoming omnipresent for corporate directors across industries. “It's not just financial services firms or regulated companies--everyone is interested now,” she said. That interest is leading boards to put a high priority on their cyber risk education and preparedness. While it is important that boards are aware of the big picture when it comes to [...]

NAIC Publishes Principles for Effective Cybersecurity

The National Association of Insurance Commissioners (NAIC) Cybersecurity Task Force adopted Principles for Effective Cybersecurity Insurance Regulatory Guidance on April 16, 2015. The document identifies types of safeguards regulators expect insurers to have in place to protect consumers from cybersecurity breaches. The guiding principles are intended to establish insurance regulatory guidance that promotes coordination and protects insurance consumers. The principles themselves say that “[s]tate insurance regulators should collaborate with insurers, insurance producers and the federal government [...]

DOJ to Host Cybersecurity Roundtable on Data Breaches

On April 29, 2015, the Department of Justice’s Criminal Division will host a cybersecurity industry roundtable on data breaches. The event, which will include audience question and answer sessions, will focus on a range of recent industry developments. The event will feature a discussion of cybersecurity from the national security perspective by John P. Carlin, Assistant Attorney General in the National Security Division; a conversation on government-industry interaction featuring James C. Trainor, Acting Assistant Director of the Cyber Division at the FBI, and Stuart J. Tryon, Special Agent [...]

SEC Confirms Plans To Issue New Cybersecurity Disclosure Rules

According to Smeeta Ramarathnam, Chief of Staff to SEC Commissioner Luis Aguilar, the SEC is currently engaging in a comprehensive re-work of its investor disclosure rules, including with respect to rules bearing on cybersecurity incident disclosure. The SEC, which is formally tasked with overseeing issues that concern market integrity and disclosure of material information, revealed its plan to overhaul its disclosure rules during an April 23 panel at the 2015 RSA Conference in San Francisco, during which Ramarathnam stated that the SEC was entering “a time of great change” with respect to [...]

PCI-DSS Standard Updated To Address SSL Vulnerabilities

On April 15, 2015, the Payment Card Industry Security Standards Council (PCI-SSC) updated the PCI Data Security Standard (PCI-DSS) from version 3.0 to version 3.1. The new version is effective immediately. PCI DSS Version 3.0 will be retired on June 30, 2015. A summary of the changes, along with the updated standard, can be found on the PCI-SSC website. PCI DSS 3.1 updates requirements to remove SSL (a cryptographic protocol designed to provide secure communications over a computer network) and early Transport Layer Security (TLS) as examples of strong cryptography. SSL and early TLS cannot [...]

Kim Peretti and Dominique Shelton Speaking at Georgetown’s 2015 Cybersecurity Law Institute

Kim Peretti and Dominique Shelton will be featured speakers at the 3rd Annual Cybersecurity Law Institute, hosted by Georgetown Law Continuing Legal Education, and co-sponsored by the American Bar Association Cybersecurity Legal Task Force, Bloomberg BNA, and the Center for Internet Security. The Institute, designed by a national advisory board of professionals, will be held on May 20-21, 2015. This two-day program is a highly-regarded event in the cybersecurity space and will provide in-house and outside counsel with the practical, pragmatic advice they need to effectively address today’s [...]

New York State Regulator to Examine Insurers on Cybersecurity Following Comprehensive Risk Assessments

On March 26, 2015, Benjamin Lawsky, Superintendent of the New York State Department of Financial Services (DFS), sent a letter to the CEOs, General Counsel, and Chief Information Officers of all insurers doing business in the state to inform them of a mandatory cybersecurity questionnaire and the initiation of targeted cybersecurity examinations. Approximately 160 insurers will be affected by the initiative. In the letter, Lawsky “encourages all [financial] institutions to view cyber security as an integral aspect of their overall risk management strategy, rather than solely as a subset [...]

FFIEC Issues Warnings on Malware and Cyber Attacks

The Federal Financial Institutions Examination Council (FFIEC) has issued two joint statements warning of specific cyber risks. The warnings, which were issued on March 30, 2015, address risks arising from destructive malware, which can destroy sensitive data, and cyber-attacks that compromise user credentials. In both statements, the FFIEC also provides guidance on how to mitigate these risks. The statement on destructive malware warns financial institutions about the increasing use of malware that successfully compromises databases and destroys the information or renders the system hosting [...]