Tag Archives: Jeohn Salone Favors

Cybersecurity Oversight and Defense – A Board and Management Imperative

by John F. Savarese, Sarah K. Eddy, Sabastian V. Niles, and Jeohn Salone Favors 

This past weekend, criminal ransomware cyberattacks drove the shutdown of one of America’s largest pipelines for refined gasoline, diesel fuel, and jet fuel as a precautionary means of containing the impact of the breach, highlighting the vulnerability of the nation’s energy infrastructure. Recent reports indicate that more than two dozen other company victims across a range of industries were targeted by these ransomware attacks, with worse damage blocked thanks to close and rapid coordination between federal authorities and private sector partners to identify and swiftly shut down servers being used in the attack. Earlier this month, a California- based regional hospital operator had to take healthcare IT systems offline following a cyberattack, significantly disrupting care, forcing medical personnel to use back-up paper records and raising concerns about vulnerabilities in the healthcare system as the nation continues to battle the Covid-19 pandemic.

Continue reading

FTC Discusses Management and Board Roles as Core Elements of Revised Data Breach Enforcement Model

by Andrew R. Brownstein, Steven A. Rosenblum, John F. Savarese, Marshall L. Miller, and Jeohn Salone Favors

In a blog post published this week, the Director of the FTC’s Consumer Protection Bureau detailed recent changes to the FTC’s baseline approach to remedial orders in data breach enforcement actions.  The changes were spurred in part by a 2018 Court of Appeals decision (PDF: 125 KB) that found an FTC order’s requirement that a company implement “reasonable” data security measures to have been too vague to be enforceable.  The FTC has reworked its routine enforcement practice to ensure that remedial data security orders include significantly greater specificity about compliance expectations for companies subject to enforcement action and for third-party assessors engaged to conduct FTC-mandated monitoring and audits of targeted companies’ data security practices.

Continue reading

State-Level Actors on the Frontlines of U.S. Cybersecurity and Data Privacy Regulation and Enforcement

by John F. Savarese, Marshall L. Miller, and Jeohn Salone Favors

While the General Data Protection Regulation (GDPR) significantly expanded the powers of European national data protection authorities in 2018, legislative and enforcement developments in the United States over the last year showcased the growing role and importance of state attorneys general and other state regulators in the realm of cybersecurity and data privacy.

In 2018, California passed a data privacy law akin to the GDPR and enacted legislation addressing internet-based bot activity and security of devices connected to the Internet of Things.  With passage of legislation in Alabama in March 2018, all 50 states now have data breach notification laws, with requirements as to notification content, timing, and recipients varying across jurisdictions.  And prescriptive cybersecurity regulations promulgated by New York State’s Department of Financial Services continued to take effect in rolling fashion.  Absent preemptive legislation at the federal level, where proposals are stalled in Congress, we can expect data protection and privacy laws and regulations to proliferate at the state level, as state legislatures and regulators vie for the mantle of lead cybersecurity enforcer. Continue reading

NIST Releases an Updated Version of its Cybersecurity Framework

by Sabastian V. NilesMarshall L. Miller, and Jeohn Salone Favors

Last week, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released an updated Cybersecurity Framework (PDF: 1,038 KB) that revises NIST’s baseline recommendations for the design of cybersecurity risk management programs.  In announcing its release, Commerce Secretary Wilbur Ross described the updated Framework as “a must do for all CEOs” and recommended that “every company” adopt the Framework as its “first line of defense.”  As with the prior version, the updated NIST Framework provides a useful tool to guide and benchmark company approaches to cybersecurity risk and will impact how regulators evaluate cybersecurity programs and incident responses across sectors. Continue reading