Tag Archives: Michael R. Roberts

Data Minimization – Recent Enforcement Actions Show Why Some Companies Need to Get Rid of Old Electronic Records

by Avi Gesser, Johanna Skrzypczyk, and Michael R. Roberts

Since we last wrote about data minimization, there have been several regulatory developments that illustrate the increasing operational and regulatory risks of keeping large volumes of old data. As cyber threats continue to grow, and consumers gain more privacy rights over their personal data, businesses need robust data minimization programs that can significantly reduce the amount of sensitive data they collect and maintain. In this post, we discuss recent enforcement actions and regulatory requirements for getting rid of old data and offer six tips for complying with these developing obligations.


Time to Update Cyber Incident Response Plans, Especially for Banks Subject to the New 36-Hour Breach Notification Rule

by Luke Dembosky, Avi Gesser, Johanna Skrzypczyk, Michael R. Roberts, Andy Gutierrez, and Michelle Huang

As cyberattacks continue to plague U.S. companies, cybersecurity remains a core risk, even for businesses that have invested heavily in technical measures to protect their systems. As a result, cybersecurity best practices have evolved to include not only preventative measures, but also robust preparations for responding to cyber incidents, so that companies can improve their resilience, decrease the time it takes to detect and effectively respond to an attack, and reduce the overall damage. Because nearly every company will at some point face a successful attack, regulators, insurers, auditors, and investors view an incident response plan (“IRP”) as a key element of a reasonable cybersecurity program.

Part of the value of an IRP comes from the process of drafting it, which involves making decisions about how an incident will be handled (e.g., who should be drafting communications to impacted employees, who has the authority to shut down parts of the network, which incidents will be escalated to senior management, etc.). Determining these issues over the course of several weeks while drafting the IRP and consulting with the relevant individuals is much better than working through them for the first time under the stress and time constraints of an actual incident. Well-drafted IRPs also provide checklists of things to do when an incident occurs (e.g., preserve evidence, contact the FBI, notify the insurer, draft a public statement, determine a point-of-contact for external inquiries, etc.).


Regulatory Risks of the Log4j Vulnerability: FTC Warns Companies to Take Reasonable Steps to Protect Consumer Data

by Luke Dembosky, Avi Gesser, and Michael R. Roberts

Be prepared for increasing scrutiny from the Federal Trade Commission (“FTC”) and other regulators regarding the Log4j vulnerability. The attention of the cybersecurity community has been captured by the recently disclosed critical vulnerability in the widely used, open-source Java logging package Log4j (CVE-2021-44228), which is reportedly being “widely exploited” by attackers and “poses a severe risk,” according to the Cybersecurity & Infrastructure Security Agency (“CISA”) and other technical experts, along with other subsequently announced related vulnerabilities. CISA issued Emergency Directive 22-02 on December 17, 2021, which directs federal civilian executive branch agencies to address Log4j vulnerabilities immediately through patching or other mitigation measures. And now regulators, most notably the FTC, have begun to issue positions on the need for companies and their vendors to remediate the Log4j vulnerability and the enforcement risks that could be presented if a company or its vendors fail to do so.


Getting Ready for 2023: What Companies Can Do Now to Prepare for New Privacy Laws

by Jeremy Feigelson, Avi Gesser, Johanna Skrzypczyk, Michael Bloom, Michael R. Roberts, Tricia Reville, and Kate Saba

The Virginia Consumer Data Protection Act (“VCDPA”) and amendments to the California Consumer Privacy Act (“CCPA”)—enshrined in the California Privacy Rights Act (“CPRA”)—take effect on January 1, 2023. In addition, the Colorado Privacy Act (“ColoPA”) takes effect on July 1, 2023. These developments have companies understandably concerned about complying with a patchwork of state laws.

How can companies prepare?
