Cybersecurity Compliance Just Got Tougher

While cybersecurity risks have increased, government regulation has traditionally lagged behind. Recently, some government entities have tried to catch up by mandating that companies take a proactive approach toward protecting personal and competitively sensitive data. The move is a departure from the traditional reactive response of simply notifying consumers after their personal data is breached.

With this shift in emphasis, companies are asking the obvious questions: “What are we expected to do and what is a proactive cybersecurity compliance program?”

Both on the state level and through federal regulatory agencies, the government is beginning to dictate a comprehensive compliance approach to data protection. Late last year, the U.S. Securities and Exchange Commission’s Cybersecurity Examination Initiative directed broker-dealers to “further assess cybersecurity preparedness in the securities industry.” Accordingly, the SEC announced that it “will focus on key topics including governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.”

Guidance for Incident Response Plans

Author: Melissa Krasnow

Organizations are preparing for data incidents and breaches by developing, updating, implementing, and testing incident response plans. This article provides a checklist of key components of an incident response plan. Following are items from state and federal sources of guidance: “Best Practices for Victim Response and Reporting of Cyber Incidents” (April 2015) issued…

Washington State Significantly Expands Data Breach Notification Requirements

Washington State Governor Jay Inslee signed legislation making Washington among the five US states with the most rigorous data breach notification laws enacted to date. Washington joins Florida, Ohio, Vermont, and Wisconsin in imposing strict and specific obligations on any business that has suffered a data breach. The new law is effective July 24, 2015.

California Privacy Laws Change: Identity Theft and Mitigation Services

Continuing the trend of changes in state breach notification and related laws, Cal. A.B. 1710 amends California’s breach notification, security procedures, and Social Security number (SSN) laws in the wake of significant data breaches, particularly in the retail sector. (See “Changes in State Breach Notification Laws.”)

Changes in State Breach Notification Laws

As data breaches continue to occur, breach notification laws are being amended or enacted. In the United States, state and federal breach notification laws should be monitored carefully regarding changes, as should breach notification laws in other countries (e.g., Canada).

As of July 15, 2014, 47 states (other than Alabama, New Mexico, and South Dakota) plus the District of Columbia, Guam, Puerto Rico, and Virgin Islands have breach notification laws. This article addresses changes in state breach notification laws.

The Conflicting Rulings on Employee Data Theft

In all jurisdictions the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030, the federal computer crime statute, applies to former employees who steal data from the company computer, but in two federal circuits it does not apply when the theft occurs during employment. The difference in jurisdictions is significant to employers because the CFAA provides a civil remedy for damages and injunctive relief for a company that “suffers damage or loss” by reason of a violation of the CFAA. 18 U.S.C. 1030(g).
Last year the U.S. Court of Appeals for the Ninth Circuit in U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012), disagreed with certain of its sister circuits and narrowly interpreted what it means to access the company computer “without authorization,” effectively eliminating a company’s ability in that jurisdiction to use the CFAA against current employees. This column will review the conflicting interpretations of the CFAA that distinguish between current and former employees, and the strategies and options companies can employ to navigate this conflict.

Massachusetts Privacy Reg Now Effective

What Is Required and How to Comply

Contributed by: Melissa J. Krasnow, Dorsey & Whitney LLP

The Massachusetts Office of Consumer Affairs and Business Regulation (“MOCABR”) recently issued the final version of the Massachusetts privacy regulation (Regulation). This article provides a summary of this Regulation, which applies to each person or entity that owns or…