Cybersecurity Advice to CEOs and Boards “Take more responsibility”!

Posted in Cyber, eCommerce
The White House and its top security advisors are regularly advised about cyberintrusions and as a result the “time has come for CEOs and Boards to take personal responsibility for improving their companies’ cyber security” according to Former White House Senior Director for Cybersecurity Sameer Bhalotra.  In the recent report from LogRhythm entitled “The Cyber Threat Risk – Oversight Guidance for CEOs and Boards” Bhalotra went to say:

Global payment systems, private customer data, critical control systems, and core intellectual property are all at risk today.

As cyber criminals step up their game, government regulators get more involved, litigators and courts wade in deeper, and the public learns more about cyber risks, corporate leaders will have to step up accordingly.

If you company does not have the CIO and CISO at the table with the CEO and Board to work on cybersecurity together, it’s time to start.

Peter S. Vogel is a trial partner at Gardere Wynne Sewell LLP, where he is Chair of both the eDiscovery Practice and Internet, eCommerce, and Technology Industry Team. From 1997 until 2009, Peter served as the founding chair of the Texas Supreme Court on Judicial Committee on Information Technology, which is responsible for helping automate the Texas court system and creating the eFiling system in Texas courts.


Cybersecurity Compliance Just Got Tougher

Companies need specific, well-executed plans to meet growing demands of federal and state agencies.

By:  Nick Akerman and Dan Goldberger

While cybersecurity risks have increased, government regulation has traditionally  lagged behind.   Recently, some government  entities have tried to catch up by mandating that companies take a proactive approach toward protecting personal and competitively sensitive data. The move is a departure from the traditional reactive response of simply notifying consumers after their personal data is breached.

With this shift in emphasis, companies are asking the obvious questions:  “What are we expected to do and what is a proactive cybersecurity compliance program?”

Both on the state level and through federal regulatory agencies, the government is beginning to dictate a comprehensive compliance approach to data protection.   Late last year, the U.S. Securities and Exchange Commission’ s Cybersecurity Examination Initiative directed broker-dealers to “further  assess cybersecurity preparedness in the securities industry.”  Thus, the SEC announced that it “will focus on key topics including governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.”

In January, the Financial Industry Regulatory Authority announced that in reviewing a securities firm’s approaches to cybersecurity risk management its examinations may include “governance, risk assessment, technical controls, incident response, vendor management, data loss prevention and staff training.”  On the state level, Massachusetts is the only state thus far to require all businesses that store personal data of its residents to secure that data through a compliance program modeled after the federal sentencing guidelines.

The framework under the federal sentencing guidelines is the gold standard for an effective compliance program.  Having expanded well beyond its original goal of detecting and preventing criminal activities, it is fast becoming the corporate  framework to protect data.  These guidelines establish seven steps for companies to follow:  first, promulgate standards and procedures; second, establish high-level corporate oversight including the board of directors that must provide adequate funding  of the program in proportion to the size of the company and the risk; third, place responsibility with individuals who do not pose a risk for unethical behavior;  fourth, communicate the program to the entire workforce; fifth, conduct periodic audits of the effectiveness of the program; sixth consistently enforce the polices; seventh establish mechanisms for reporting violations.


Because a compliance program must be tailored to an organization’s culture, it is critical to its success that all data-protection stakeholders collaborate in its creation and daily operation.  This means that data compliance is not just an issue for information-technology security.  Other stakeholders include human resources and legal, which are responsible for company rules, employee agreements and training,  and may assist in responding to company data breaches; risk management, which may determine, along with legal, the adequacy of the company’s cyber insurance; and compliance, which is often the logical focus of the company’s data protection efforts.

Stakeholders in turn should focus on six areas of risk when developing a company-specific compliance program to minimize the risks posed by each area.

First, hiring is the time to explain to new employees the rules in place to protect the company’s data.  Additionally, companies must approach hiring defensively, ensuring new employees do not bring into the workplace data that belongs to a competitor that  can result in civil or criminal liability.

Second, company rules and policies should spell out what  employees can and cannot do with the company network and form the  foundation of top-to-bottom workforce training.  At least one court has recognized that such “explicit policies are nothing but security measures employers may implement to prevent individuals from doing things in an improper manner on the employer’s computer systems.”  ( American Furukawa v. Hossain).

Third, agreements with employees and other third parties are a key component of data protection.  Employee agreements are an opportunity to reinforce the lack of an expectation of privacy in using company computers and define the scope of authorized  access.  When company data is outsourced to a cloud provider, agreements formalize the responsibilities of that third party to protect the company’s data.

Fourth, technology can be employed not only to secure data but to define who is authorized to access what portion of the network and provide admissible evidence of a breach.  Information-technology security, working with legal, can prepare mechanisms to capture audit trails in the network that can be used to identify the source and scope of a breach.

Fifth, effective termination procedures are critical.  This is when insiders are most likely to steal company data to use at their next  job.  This is also the last opportunity to remind departing employees of their post employment obligations to maintain the secrecy of company data, to return  all company data and for the company to inventory the data returned.

Finally, if a breach occurs, it is important to have protocols in place to quickly determine the scope of the breach and the appropriate response.  Companies must therefore have in place an overarching plan to investigate suspected  breaches and to mobilize internal and external resources.

For a data-compliance program to work consistently, it must be a collaborative effort among all stakeholders and comprehensively focus on mitigating the risks to the company’s data from multiple and unexpected sources.


US Companies Face Increasing Privacy Challenges in Europe

By:  Bob Cattanach

In two independent and much-anticipated actions, separate EU entities took actions which will continue to complicate the ability of US companies to do business in Europe.

Privacy Shield Provisions Found Lacking by Working Group 29

First, the EU’s Working Group 29 rejected as inadequate the new Privacy Shield that had been negotiated between the officials of the European Commission and the US Department of Commerce. Although WG 29’s lack of enthusiasm for the Privacy Shield was a poorly kept secret, their 58-page opinion detailed a comprehensive list of commercial and national security deficiencies that will make it extremely challenging to resurrect the hoped for replacement of the Safe Harbor Agreement between the US and the EU.

For a large number of US companies, Safe Harbor offered the only efficient way to transfer data on EU citizens from the EU to the US — and indispensable feature of most multi-national companies utilizing US-based servers to manage HR and similar information on a company-wide basis.  The path for adoption of the Privacy Shield was never expected to be easy, as court challenges loomed regardless of the outcome of the WG 29’s considerations, but the breadth and specificity of the shortcomings perceived by that body will make subsequent legal attacks significantly more likely to succeed even if further negotiations between the US and EU can find ways to address the problems raised by WG 29.

And, it is far from certain that even the most committed negotiations will produce a solution.  While the commercial aspects of the claimed deficiencies typically can be addressed, albeit with even more red tape facing US companies, the continued concerns expressed regarding national security implications, including the bulk collection of data, and the need for truly independent oversight of enforcement will be much more challenging to solve.  In theory the negotiators could take their chances by trying to defend the current version before the European Court of Justice, but that court has already once expressed skepticism over the efficacy of the proposed solutions when it struck down Safe Harbor.  Regardless of the path next taken, one thing is clear: a cloud of uncertainty will hang over the fate of any attempt to transfer EU citizen personal data through a negotiated process for months, and probably years, to come.

European Parliament Adopts General Data Protection Regulation

The European Parliament today adopted in plenary session the EU Data Protection Regulation, which will become law 20 days after its publication in the EU Official Journal, scheduled for July. It will officially become effective in all Member States two years after that date.

Jan Philipp Albrecht (Greens, DE), who steered the legislation through Parliament, observed: “The general data protection regulation makes a high, uniform level of data protection throughout the EU a reality. This is a great success for the European Parliament and a fierce European ‘yes’ to strong consumer rights and competition in the digital age. Citizens will be able to decide for themselves which personal information they want to share.”  Key provisions include:

  • the right to be forgotten
  • the right to transfer one’s data to another service provider
  • the right to know when one’s data has been compromised
  • the right to have privacy policies explained clearly
  • the obligation of obtain clear affirmative consent before processing a person’s data
  • fines up to 4% of firms’ total worldwide annual turnover

Each EU Member State will be required to adopt its own regulations that comply with the significantly more proscriptive provisions of the GDPR within the two-year deadline in 2018.  Unlike prior EU Directives, which allowed Member States significantly more leeway in implementing EU privacy provisions, the GDPR will require not only stricter, but more uniform, privacy protections throughout the EU.

Company Computers Under Attack: 
Big Dollars and Private Data Are Being Stolen 
Every Day: What Are You Doing About It? 

Join Us for a Cybersecurity Breakfast Briefing
Cutting Edge Use of the Civil Remedy in the Federal Computer
Crime Statute — the Computer Fraud and Abuse Act

Thursday, April 14, 2016
8:30 – 9:00 a.m. | Breakfast and Registration
9:00 – 10:00 a.m. | Presentation

Dorsey & Whitney LLP
51 W. 52nd Street
New York, NY 10019
To register call 212-415-9217

Nick AkermanPartner, Dorsey & Whitney LLP
Dan GoldbergerPartner, Dorsey & Whitney LLP

This session will cover:

  • An Overview of the statute
  • Recent Judicial Rulings including Updates from the Second Circuit
  • Pitfalls to Avoid
  • Developing Proactive Computer Policies to Protect Company Data
  • Protecting the Company Website
  • Filing a Civil Action against Insiders and Hackers

CLE credit will be provided by
Westchester/Southern Connecticut Association of Corporate Counsel.


Revised Uniform Fiduciary Access to Digital Accounts Act Adopted by Four States

By:  Chris Koa and Walter Impert


With the shift from traditional hard copy paper documents towards electronic records stored Cloud Computing-based software and services (eg, iCloud, Dropbox, Google Drive, etc.), access to and use of digital assets by fiduciaries after death or incapacitation of the owner has emerged as a key estate planning consideration.  As our the world becomes more digital, these so called digital assets encompass an ever broadening array of information, including online financial accounts and account statements, tax records, documents and related correspondence communicated through email accounts, social media accounts, online file cabinets containing potentially decades of photographs and personal documents, and other electronic material of potentially significant personal and monetary value stored online through various Cloud Computing services—

Access to digital assets is governed by a complex, evolving array of privacy, data protection and criminal computer fraud laws and a broad range of potential Cloud service provider terms-of- service agreements.

Since the beginning of March 2016, four states –led by Oregon on March 3 and followed by Wyoming on March 7, Tennessee on March 8 and Florida on March 10– have enacted model legislation based on the Revised Uniform Fiduciary Access to Digital Accounts Act (“Revised UFADAA”), which was originally drafted by the National Conference of Commission on Uniform State Laws.

The Revised UFADAA is designed to ensure that account holders can retain control of their digital property and plan for its ultimate disposition after their death and to avoid circumstances where online service providers delete accounts of decedent account holders without authorization or refuse to hand over access and information to permitted fiduciaries.

The Revised UFADAA facilitates the roles and responsibilities of fiduciaries (including personal representatives of decedents’ estates, conservators, trustees and attorneys-in-fact) to access and take control of digital assets to enable fiduciaries to protect, manage and distribute digital assets to enable proper administration of estates while protecting decedents’ privacy rights after death while balancing administrative burdens on Cloud service provider custodians of digital assets.

Under the Revised UFADAA:

  • Fiduciaries can access and manage certain digital property including electronic files stored in the Cloud (although fiduciaries are not allowed to access digital communications,including email, text messages, and social media accounts, without the account holder’s consent);
  • Planning for the disposition or deletion of digital assets after death or incapacity can be accomplished through the following (in order of relative priority under the Revised UFADAA):
    • use of online tools provided by the Cloud service provider custodians as the clearest possible indication of the user’s intent;
    • instructions in estate planning documents (such as wills, trusts, powers of attorney or other records), a copy of which must be provided to the Cloud service provider when fiduciaries request access;
    • the Cloud service terms-of-service when the user has not otherwise provided direction; or
    • the default rules under the Revised UFADAA when the user has not otherwise provided direction and the Cloud service terms-of-service are silent.
  • Fiduciaries are not able to take actions that the users would not have been able to take under the Cloud service terms-of-service; and
  • Cloud service provider custodians may comply with a request for access to digital records by either allowing the fiduciary to reset the password so that the fiduciary can access the user’s account or may give the fiduciary a copy of the user’s digital assets

From a practical perspective, advance planning can include referencing digital assets in fiduciary documents such as a power of attorney, will, or trust instrument.  It may also be wise to to maintain a secure list of digital assets –including applicable user names and passwords– so that fiduciaries can be informed that the accounts exist and, in cases where the law has not yet caught up to digital reality, gain access to the information contained in those accounts upon incacapity or death.

© Computer Fraud / Data Protection 2021


Cybersecurity Readiness Check List