On July 19, 2018, Attorney General Jeff Sessions announced the public release of the first report produced by the Department of Justice’s (DOJ) Cyber-Digital Task Force, which the Attorney General established in February to combat cyber-enabled threats confronting the United States and, specifically, to answer two fundamental questions: First, what is the DOJ doing to address global cyber threats? And second, what can the DOJ do to accomplish this mission more effectively? In discussing the report at the Aspen Security Forum on July 19, Deputy Attorney General Rod J. Rosenstein explained that the Report answers the first question, “providing a detailed assessment of the cyber threats confronting America and the Department’s efforts to combat them.”
With the EU General Data Protection Regulation (“GDPR”) in force for less than two months, many companies are already experiencing an increase in requests from individuals seeking to obtain a copy, or request correction or erasure, of their personal data under Articles 15 to 17 of the GDPR.
Do we have to respond?
Yes. A response is required even if the response is that the company will not honour the request because a relevant exemption applies.
The recent convictions of two traders for using hacked press releases and the settlement of SEC insider trading charges against a former Equifax manager highlight the significant insider trading risks companies face when dealing with a cyber event. These risks come in two forms.
First, there is the risk that someone (either inside or outside the company) has gained unauthorized electronic access to material nonpublic information (“MNPI”) about the company or one of its business or transaction partners, and will use that information for illegal securities trading purposes. On July 6, a jury in Brooklyn convicted two traders for securities fraud, money laundering and computer intrusion for using hacked press releases to trade on MNPI. To reduce that risk, companies can adopt various cybersecurity measures such as two-factor authentication, access controls, encryption, phishing training, network segmentation, and system monitoring. Davis Polk’s Cyber Portal 2.0, which is now available to our clients, provides detailed checklists and other resources to help companies reduce cybersecurity risks.
Security breaches and hacking cost publicly traded companies billions of dollars annually in stolen assets, lost business, and damaged reputations. Although detailed data are difficult to collate, the 2017 annual Cost of Data Breach Study run by the Ponemon Institute for IBM estimated that the average per-capita cost of data breaches reached an all-time high of $225 (a 60% increase over the last decade). This is as much of a concern for businesses as it is for regulators.
As a matter of fact, the knock-on effect of a data breach can substantially affect a company’s reputation, resulting in abnormal customer turnover and loss of goodwill, which in turn affect firms’ policies and ultimately revenues and profits. For this reason, companies are often reluctant to reveal information about security breaches due to fear of both short-term and long-term market reactions.
The Eleventh Circuit Court of Appeals recently vacated a Federal Trade Commission cease-and-desist order that required a medical laboratory company to implement a “reasonably designed” cybersecurity program after customer data on the company’s systems were compromised. LabMD, Inc. v. Federal Trade Commission. The decision represents a judicial curb on FTC enforcement efforts seeking expansive cease-and-desist orders requiring companies to maintain “reasonable” or “appropriate” data security systems in the wake of cyber incidents. By limiting the FTC to orders that prohibit specific unfair conduct, or that require specific responsive remedial action, this ruling may alter the cyber enforcement landscape and affect the balance between the FTC and companies affected by cyber incidents.
Last week, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released an updated Cybersecurity Framework that revises NIST’s baseline recommendations for the design of cybersecurity risk management programs. In announcing its release, Commerce Secretary Wilbur Ross described the updated Framework as “a must do for all CEOs” and recommended that “every company” adopt the Framework as its “first line of defense.” As with the prior version, the updated NIST Framework provides a useful tool to guide and benchmark company approaches to cybersecurity risk and will impact how regulators evaluate cybersecurity programs and incident responses across sectors.
Corporations have reputations, just like individuals. However, the costs of protecting a corporate reputation, or the costs of losing one, are not well understood. Negative reputation shocks can be costly, and recent scandals at well-known firms such as News Corp. and Volkswagen have reaffirmed the fragility of corporate reputations. However, corporations can also invest in technologies such as corporate social responsibility (CSR) to build their reputations or to provide insurance against a future reputation shock. In a recent paper, we find that negative reputation shocks are at least partially insurable through CSR and that firms actively invest in CSR as the result of a negative reputation shock.
In recent years, companies have heightened their focus on cybersecurity issues, dedicating substantially more resources to mitigating escalating cyber risks. Increasingly, these efforts include purchasing some form of cyber insurance.
Any cyber insurance policy should supplement, rather than replace, a cybersecurity risk mitigation program. While such a policy may be a useful element of a multifaceted strategy, cyber insurance is far from a panacea. First, the size and types of damages resulting from a catastrophic cyber incursion can exceed even significant policy limits. Additionally, cyber insurance coverage is unlikely to extend to reputational losses or intellectual property theft. Moreover, the cyber insurance market is relatively young and policy forms are still evolving. Thus, cyber insurance does not have the same claims history or established understanding of policy terms that can be found in more mature insurance markets.
[Following personal reflections on his return to private life from public service, former U.S. Secretary of Homeland Security Jeh Charles Johnson delivered the following keynote address at the Global Cyber Threats: Corporate and Governmental Challenges to Protecting Private Data cybersecurity conference held by the Program on Corporate Compliance and Enforcement at New York University School of Law on April 6, 2018.]
Like millions of other Americans, my world was rocked by the terrorist attack that occurred a few blocks from here on September 11, 2001. Like many of you, I am a New Yorker, and was in Manhattan that day. September 11 also happens to be my birthday. I have a vivid recollection of the day, both before and after 8:46 a.m., when the first plane hit the World Trade Center. At 9:59 a.m., when the first tower collapsed, it was perhaps the only time in my life when my mind could not believe what my eyes were seeing. Neither would I have been able to comprehend then that 15 years later, there would be something called the Department of Homeland Security, that I would lead it, and that the Secretary’s New York office would occupy the 50th floor of a taller, stronger World Trade Center tower standing in the same place.
On March 23, 2018, Congress passed the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act), amending key aspects of U.S. surveillance law and providing a framework for cross-border data access for law enforcement purposes. The Act addresses two problems that have been the subject of heated debate for the past five years. First, by amending the Stored Communications Act, 18 U.S.C. §§ 2701 et seq. (SCA), the CLOUD Act clarifies that American law enforcement authorities can compel providers of electronic communication services — such as major email service providers and social media networks — to produce data stored outside the United States. Second, the Act establishes new rules facilitating foreign law enforcement access to data stored inside the United States. In short, this new legislation impacts any provider that may receive either U.S. or foreign orders to produce data in furtherance of criminal investigations.