Category Archives: Cybersecurity

Amended Washington Data Breach Law Requires Attorney General Notification, Imposes 45-Day Notice Time Limit

Earlier this year, Washington passed an amended version of its data breach notification law, which goes into effect Friday July 24, 2015.  Washington’s updated breach notification statute will now, among other things, require compromised entities to notify the state Attorney General (AG) in some circumstances, and require notification to both consumers and, as applicable, the state AG within 45 days of discovering a breach.  Washington’s amended statute adds to the chorus of states that have updated their breach notification laws in 2015, including Connecticut, Montana, Nevada, North Dakota, [...] Read more

PCI Security Standards Council Issues New Supplementary Compliance Requirements for the Data Security Standard

The Payment Card Industry (“PCI”) Security Standards Council (“SSC”) recently published a supplement to the PCI Data Security Standard (“DSS”) that will require certain Designated Entities to comply with an additional set of compliance-based requirements.  The additional requirements, called the “Designated Entities Supplemental Validation,” or DESV, are designed to “help organizations make payment security part of everyday business practice” and are “intended to provide greater assurance that PCI DSS controls are maintained effectively and on a continuous basis through validation [...] Read more

Peter Swire Testifies Before Senate Judiciary Committee on Encryption

Alston & Bird Senior Counsel Peter Swire testified today before the Senate Judiciary Committee as part of its hearing entitled, Going Dark: Encryption, Technology, and the Balance Between Public Safety and Privacy.  The hearing, held on July 8, 2015, featured Sally Quillian Yates, Deputy Attorney General, and James B. Comey, Jr., Director of the Federal Bureau of Investigation, on the first panel, and Cyrus Vance, District Attorney of New York County, Herbert Lin of Stanford University, and Swire on the second panel.  The hearing focused on the seemingly competing interests of law enforcement/national [...] Read more

FFIEC Issues Optional Cybersecurity Assessment Tool

On June 30, 2015, the Office of the Comptroller of the Currency (OCC) announced that the Federal Financial Institutions Examination Council (FFIEC) has issued an optional Cybersecurity Assessment Tool (Assessment) for banking institutions (“institution”) to use to evaluate risks and cybersecurity maturity (i.e., level of preparedness).  OCC also announced that it would “gradually incorporate the Assessment into examinations of national banks, federal savings associations, and federal branches and agencies.”  This arises out of a 2014 pilot cybersecurity examination work program at more [...] Read more

Rhode Island Updates Identity Theft Protection Act; Requires Notice Within 45 Days of Data Breach

In the absence of action by the U.S. Congress to pass a national data breach notification law, many states stepped into the breach to update their laws this year to add more specific notice guidelines, a requirement to notify the state’s attorney general or another state official, and to require entities that maintain personal information to implement risk-based data security standards. Rhode Island has now joined that group. On June 26, Rhode Island Governor Gina Raimondo signed Senate Bill 0134, the Rhode Island Identity Theft Protection Act of 2015 (the “2015 Act”), which substantially [...] Read more

Alston & Bird Issues an International Trade & Regulatory/Cybersecurity Advisory on Proposed New Export Requirements for Cybersecurity Products and Technologies

Alston & Bird recently issued an Advisory on a new regulation proposed by the Department of Commerce’s Bureau of Industry and Security (BIS), which would require certain developers, manufacturers, and users of cybersecurity intrusion and surveillance items to obtain export licenses before conducting business and performing their work—even when working with their affiliated companies or with business partners in the most closely allied countries.  The new requirement is being implemented pursuant to the United States’ commitments under the Wassenaar Arrangement on Export Controls for Conventional [...] Read more

Alston & Bird Attorneys Honored with 2015 Burton Award

Partners Kimberly Peretti and Jessica Corley, Senior Associate Kelley Barnaby, and Associate Lauren Tapson were honored with a 2015 Burton Award for Legal Achievement for their analysis of the corporate governance risks associated with cyber-attacks and the critical role played by boards of directors in addressing those risks. William Burton, author of Burton’s Legal Thesaurus, started the Burton Awards in 1999 to honor clarity, knowledge, and innovation demonstrated in a published legal article.  The winners are chosen from entries submitted by the nation's 1,000 largest and most prestigious [...] Read more

Kim Peretti and Jason Wool co-author CIO Insight article on Cyber-Risk Management

Kim Peretti, co-chair of the firm’s Security Incident Management & Response Team, and Jason Wool, an associate in the firm’s Technology and Privacy Group and Security Incident Management & Response Team, along with Kiersten Todt and Roger Cressey of Liberty Group Ventures, LLC, coauthored the CIO Insight article, “Five Steps to Strengthening Cyber-Defenses.” In the article, Peretti et al. discuss five risk management steps that companies can take to better manage cyber-risk and reduce their liability exposure after a breach occurs.  These steps include changing corporate culture [...] Read more

Oregon Updates and Expands Data Breach Statute

Oregon has updated its data breach notification statute to broaden the definition of personal information that will trigger notice to individuals and add the requirement to notify the state’s Attorney General of certain breaches. Oregon Governor Kate Brown signed into law SB601 on June 10, and it was enrolled on June 15. The bill updates the Oregon Consumer Identity Theft Protection Act of 2007 (the “Act”). The changes to the Act become effective on January 1, 2016 and apply only to data breaches that occur on or after that date. The expanded definition of “personal information” that [...] Read more

The Supreme Court To Resolve Whether a Violation of a Statutory Right Confers Article III Standing

The Supreme Court’s recent decision to hear the appeal in Spokeo, Inc. v. Robins may have significant implications for data breach litigation in particular and consumer class action litigation generally. At issue is whether a plaintiff who has suffered no actual injury or harm nonetheless has standing under Article III of the United States Constitution to seek recovery in federal court based on an alleged violation of a statutory right. Depending on how the Supreme Court resolves the issue, companies defending data breach lawsuits and other consumer class actions may find it tougher to obtain [...] Read more