Category Archives: Cybercrime & Cybersecurity

NIST Releases an Updated Version of its Cybersecurity Framework

by Sabastian V. NilesMarshall L. Miller, and Jeohn Salone Favors

Last week, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released an updated Cybersecurity Framework that revises NIST’s baseline recommendations for the design of cybersecurity risk management programs.  In announcing its release, Commerce Secretary Wilbur Ross described the updated Framework as “a must do for all CEOs” and recommended that “every company” adopt the Framework as its “first line of defense.”  As with the prior version, the updated NIST Framework provides a useful tool to guide and benchmark company approaches to cybersecurity risk and will impact how regulators evaluate cybersecurity programs and incident responses across sectors. Continue reading

Hacking Global Reputations

by Pat Akey, Stefan Lewellen, and Inessa Liskovich

Corporations have reputations, just like individuals. However, the costs of protecting a corporate reputation, or the costs of losing one, are not well understood. Negative reputation shocks can be costly, and recent scandals at well-known firms such as News Corp. and Volkswagen have reaffirmed the fragility of corporate reputations. However, corporations can also invest in technologies such as corporate social responsibility (CSR) to build their reputations or to provide insurance against a future reputation shock. In a recent paper, we find that negative reputation shocks are at least partially insurable through CSR and that firms actively invest in CSR as the result of a negative reputation shock. Continue reading

Maximizing Value and Avoiding Pitfalls when Purchasing Cyber Insurance

by Ian Boczko, Marshall L. Miller, and Timothy C. Sprague

In recent years, companies have heightened their focus on cybersecurity issues, dedicating substantially more resources to mitigating escalating cyber risks.  Increasingly, these efforts include purchasing some form of cyber insurance.   

Any cyber insurance policy should supplement, rather than replace, a cybersecurity risk mitigation program.  While such a policy may be a useful element of a multifaceted strategy, cyber insurance is far from a panacea.  First, the size and types of damages resulting from a catastrophic cyber incursion can exceed even significant policy limits.  Additionally, cyber insurance coverage is unlikely to extend to reputational losses or intellectual property theft.  Moreover, the cyber insurance market is relatively young and policy forms are still evolving.  Thus, cyber insurance does not have the same claims history or established understanding of policy terms that can be found in more mature insurance markets.    Continue reading

Cyberspace is the New Battlespace

by Jeh Charles Johnson

[Following personal reflections on his return to private life from public service, former U.S. Secretary of Homeland Security Jeh Charles Johnson delivered the following keynote address at the Global Cyber Threats: Corporate and Governmental Challenges to Protecting Private Data cybersecurity conference held by the Program on Corporate Compliance and Enforcement at New York University School of Law on April 6, 2018.]

Like millions of other Americans, my world was rocked by the terrorist attack that occurred a few blocks from here on September 11, 2001.  Like many of you, I am a New Yorker, and was in Manhattan that day.  September 11 also happens to be my birthday.  I have a vivid recollection of the day, both before and after 8:46 a.m., when the first plane hit the World Trade Center.  At 9:59 a.m., when the first tower collapsed, it was perhaps the only time in my life when my mind could not believe what my eyes were seeing.  Neither would I have been able to comprehend then that 15 years later, there would be something called the Department of Homeland Security, that I would lead it, and that the Secretary’s New York office would occupy the 50th floor of a taller, stronger World Trade Center tower standing in the same place. Continue reading

Congress Passes CLOUD Act Governing Cross-Border Law Enforcement Access to Data

by David Bitkower and Natalie Orpett

On March 23, 2018, Congress passed the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act), amending key aspects of U.S. surveillance law and providing a framework for cross-border data access for law enforcement purposes.  The Act addresses two problems that have been the subject of heated debate for the past five years.  First, by amending the Stored Communications Act, 18 U.S.C. §§ 2701 et seq. (SCA), the CLOUD Act clarifies that American law enforcement authorities can compel providers of electronic communication services — such as major email service providers and social media networks — to produce data stored outside the United States.  Second, the Act establishes new rules facilitating foreign law enforcement access to data stored inside the United States.  In short, this new legislation impacts any provider that may receive either U.S. or foreign orders to produce data in furtherance of criminal investigations. Continue reading

SEC Releases New Guidance on Cybersecurity Disclosures and Controls

by John F. Savarese, David A. Katz, Wayne M. Carlin, David B. Anders, Sabastian V. Niles, Marshall L. Miller, and Jonathan Siegel

Yesterday, in keeping with a heightened governmental focus on cybersecurity, as exemplified by the Justice Department’s formation of a new Cyber-Digital Task Force earlier this week, the Securities and Exchange Commission announced new guidance on cybersecurity disclosures by public companies (the Guidance”).

Much of the Guidance tracks 2011 interpretive guidance from the SEC’s Division of Corporation Finance and retains a focus on “material” cyber risks and incidents.  However, the expanded details and heightened pressure to disclose indicated in the Guidance, along with its issuance by the Commission itself, signal that the SEC expects public companies to consider more detailed disclosure of cyber risks and incidents, and to maintain “comprehensive” policies and procedures in this area.  The SEC is also encouraging, though not requiring, forward-leaning approaches, such as with respect to disclosures about the company’s cyber risk management programs and the engagement of the board of directors with management on cybersecurity issues.  SEC Chairman Jay Clayton has also directed SEC staff to monitor corporate cyber disclosures. Continue reading

Deliberate Data Breaches: Consequences for Companies Just Got Even Tougher

by Kelly Hagedorn, Tracey Lattimer, Emily Bruemmer, and Jennifer Yun

In today’s world, data breaches are a regular occurrence.  The size and scale varies, and they have different causes, but those matters are irrelevant if you are a data subject affected – you just want the situation resolved and compensation for any losses you suffer.  Who should be responsible for those breaches?  Where a company has not taken sufficient steps to safeguard personal data, the answer is obvious.  But what about where a rogue employee leaks personal data with the deliberate intention of harming his employer?  The English High Court has recently decided that even in that instance, the employer is liable to data subjects.  Although there is no specific case on this point, we believe that a similar outcome would be reached in an action under US law. Continue reading

White Collar and Regulatory Enforcement: What to Expect in 2018

by John F. Savarese, Ralph M. Levene, Wayne M. Carlin, David B. Anders, Jonathan M. Moses, Marshall L. Miller, Louis J. Barash, and Carol Miller

Introduction

In our memo last year, we acknowledged that it was close to impossible to predict the likely impact that the newly elected Trump administration would have on white-collar and regulatory enforcement.  (White Collar and Regulatory Enforcement: What to Expect in 2017)  Instead, we set out a list of initiatives we urged the new administration to consider, including clarifying standards for when cooperation credit would be given, reducing the use of monitors, and giving greater weight to a company’s pre-existing compliance program when exercising prosecutorial discretion, among other suggestions.  While the DOJ under Attorney General Jeff Sessions has, for example, taken some steps toward clarifying the applicable standards for cooperation and increasing incentives to disclose misconduct in the FCPA area, few other policy choices or shifts in approach have been articulated or implemented.  Continue reading

Draft GDPR Transparency Guidelines Issued: What Does Your Privacy Policy Need to Contain?

by Jeremy Feigelson, Jane Shvets, Dr. Thomas Schürrle, Ceri Chave, Dr. Friedrich Popp, and Christopher Garrett

Late last year, the Article 29 Working Party (the “Working Party”) issued detailed draft guidance (the “Guidelines”) on transparency under the EU General Data Protection Regulation (the “GDPR”), which comes into force in May 2018. These Guidelines, which will be finalized following a consultation process, contain the Working Party’s interpretation of the mandatory transparency information that must be provided to a data subject by way of privacy policy or other disclosures.

One of the express requirements of the GDPR relates to how businesses communicate their use of a data subject’s personal information to that data subject at the point of data collection or consent, typically via a privacy policy or notice. Getting this right is crucial. Businesses will need to examine their current privacy policies and other disclosures closely, and consider whether these need revising not just in the light of the GDPR, but also to factor in the requirements listed in the Guidelines, which elaborate on existing GDPR provisions. While the Guidelines will not be binding, data protection authorities may take a dim view of businesses which fail to comply with the Guidelines without good reason, given that representatives from all of the EU data protection authorities are part of the Working Party. Businesses that fail to comply with the information duties under the GDPR will face fines of up to the higher of 4% of annual worldwide turnover or EUR 20 million. Continue reading

Securities Fraud Class Action Suits following Cyber Breaches: The Trickle Before the Wave

by Michael S. Flynn, Avi Gesser, Joseph A. Hall, Edmund Polubinski III, Neal A. Potischman, Brian S. Weinstein, Peter Starr and Jessica L. Turner

Overview

Large-scale data breaches can give rise to a host of legal problems for the breached entity, ranging from consumer class action litigation to congressional inquiries and state attorneys general investigations.  Increasingly, issuers are also facing the specter of federal securities fraud litigation.[1]

The existence of securities fraud litigation following a cyber breach is, to some extent, not surprising.  Lawyer-driven securities litigation often follows stock price declines, even declines that are ostensibly unrelated to any prior public disclosure by an issuer.  Until recently, significant declines in stock price following disclosures of cyber breaches were rare.  But that is changing.  The recent securities fraud class actions brought against Yahoo! and Equifax demonstrate this point; in both of those cases, significant stock price declines followed the disclosure of the breach.  Similar cases can be expected whenever stock price declines follow cyber breach disclosures.  Continue reading