The White House and its top security advisors are regularly advised about cyberintrusions and as a result the “time has come for CEOs and Boards to take personal responsibility for improving their companies’ cyber security” according to Former White House Senior Director for Cybersecurity Sameer Bhalotra. In the recent report from LogRhythm entitled “The Cyber Threat Risk – Oversight Guidance for CEOs and Boards” Bhalotra went to say:
Global payment systems, private customer data, critical control systems, and core intellectual property are all at risk today.
As cyber criminals step up their game, government regulators get more involved, litigators and courts wade in deeper, and the public learns more about cyber risks, corporate leaders will have to step up accordingly.
While cybersecurity risks have increased, government regulation has traditionally lagged behind. Recently, some government entities have tried to catch up by mandating that companies take a proactive approach toward protecting personal and competitively sensitive data. The move is a departure from the traditional reactive response of simply notifying consumers after their personal data is breached.
With this shift in emphasis, companies are asking the obvious questions: “What are we expected to do and what is a proactive cybersecurity compliance program?”
Both on the state level and through federal regulatory agencies, the government is beginning to dictate a comprehensive compliance approach to data protection. Late last year, the U.S. Securities and Exchange Commission’ s Cybersecurity Examination Initiative directed broker-dealers to “further assess cybersecurity preparedness in the securities industry.” Thus, the SEC announced that it “will focus on key topics including governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.”
In two independent and much-anticipated actions, separate EU entities took actions which will continue to complicate the ability of US companies to do business in Europe.
Company Computers Under Attack: Big Dollars and Private Data Are Being Stolen Every Day: What Are You Doing About It? Join Us for a Cybersecurity Breakfast Briefing Cutting Edge Use of the Civil Remedy in the Federal Computer Crime Statute — the Computer Fraud and Abuse Act Thursday, April 14,… Read More
By: Chris Koa and Walter Impert With the shift from traditional hard copy paper documents towards electronic records stored Cloud Computing-based software and services (eg, iCloud, Dropbox, Google Drive, etc.), access to and use of digital assets by fiduciaries after death or incapacitation of the owner has emerged as a key estate planning consideration…. Read More
By: Barry Glazer, Ron Moscona and Chris Koa Significant uncertainty and concern regarding US companies’ ability to process and use personal data received from the EU has loomed since the October 2015 decision by Europe’s highest court invalidating the EU-US Safe Harbor. US and EU regulators earlier this week announced conceptual agreement regarding a new… Read More
In December, a divided panel of the U.S. Court of Appeals for the Second Circuit in U.S. v. Valle interpreted the Computer Fraud and Abuse Act to exclude employees who access their employer’s computers. The upshot is that if you are an employee in the Second Circuit and steal data from your employer to commit identity theft or to provide it to a competitor, you cannot be prosecuted by the Department of Justice or sued by your employer under the CFAA.
By: Ron Moscona, Partner Dorsey & Whitney On 6 November 2015, The EU Commission published a communication addressed to the European Parliament and the EU Council, in an attempt to reduce current legal uncertainties surrounding the transfer of personal data from European Union countries to the U.S. The communication follows on the decision of the… Read More
A recent ruling shows that plaintiffs must act fast when using a federal criminal statute for a civil suit.
The U.S. Court of Appeals for the Second Circuit in August addressed the proper application of the statute of limitations to a civil action—in the context of allegations of malicious statements made on the Internet over a broken romance and sexual misconduct—brought under the federal computer crime statute, the Computer Fraud and Abuse Act (CFAA). The case was Sewell v. Bernardin.
By: Ron Moscona, a partner in Dorsey & Whitney’s London Office The Court of Justice of the European Union (“CJEU”) held yesterday, in its decision in Schrems v. Data Protection Commissioner, that the decision of the European Commission of July 2000 which provides the legal basis under EU law for the “Safe Harbor” scheme is… Read More