Invitation: SCCE’s Compliance & Ethics Institute

The Society of Corporate Compliance and Ethics will present its 17th Annual Compliance & Ethics Institute, October 21-24, 2018, in Las Vegas, with top industry experts and professionals from around the world.

At this four-day networking and educational event, participants will gain information they need to effectively manage their compliance programs and mitigate risk, the SCCE says on its website.

At the Compliance & Ethics Institute, participants will:

  • Network with over 1,800 professionals from all industries and 40 countries.
  • Choose from 10 learning tracks, 100+ sessions, and over 150 speakers.
  • Get up-to-date on issues relevant to your current challenges, including global antitrust compliance, cyber security, anti-corruption, and harassment and discrimination prevention.
  • Leave with practical solutions you can immediately put into practice at your organization.

This conference is for compliance and risk professionals and those who work with them in an advisory or partnership capacity. Positions include: in-house and outside counsel, audit managers and officers, consultants, corporate executives, human resource managers, privacy officers, researchers and policy makers, risk managers, staff educators and trainers, and more.

Get more information.



$17M Target Data Breach Settlement Affirmed on Second Try


Target Corp.’s $17 million class settlement to resolve consumer claims over a 2013 data breach passed Eighth Circuit scrutiny on its second trip to the appeals court, reports Bloomberg Law.

The court rejected an objector’s challenge that the named plaintiffs weren’t adequate representatives for the whole class because they received compensation while others didn’t, according to reporter Perry Cooper.

He explained:

“All class members had the ability to register for credit monitoring, and all of the compromised payment cards undoubtedly were canceled and replaced by the issuing banks,” Judge Bobby E. Shepherd wrote for the U.S. Court of Appeals for the Eighth Circuit.

“Any risk of future harm is therefore entirely speculative,” the court said.

Read the Bloomberg Law article.



In-House Forum: Guard Your Company Against Internal Cybersecurity Threats

The 4th annual Bloomberg Law In-House Forum will explore the steps that general counsel need to take to mitigate the internal cybersecurity threat.

The event will be Wednesday, June 27, 2018, at the Grand Hyatt San Francisco, 345 Stockton Street, San Francisco 94108.

Specifically, the event will dissect one of the most pressing issues affecting the modern corporate workplace: cybersecurity threats from its own employees. Participants will learn how general counsel can effectively partner with other teams at the organization to guard against this growing risk.

Speakers will guide the discussion, outlining how corporate counsel can build relationships between IT and Human Resources in order to act in a leadership role, crafting an effective risk avoidance plan that includes auditing, training, and both preemptive and post-breach initiatives.

Register for the event.



Dismiss Big Law Malicious Prosecution Suit, Judge Recommends

Bloomberg Law is reporting that a federal magistrate judge recommended the dismissal of a lawsuit that accuses Reed Smith LLP and Clark Hill PLC of using baseless lawsuits, discovery delays—and even thuggish private eyes—to help a client conceal its criminal activities.

Reporter Samson Habte writes that the recommendation could bring an end to one of several high-stakes lawsuits that LabMD Inc. is pursuing against cybersecurity firm Tiversa Inc. and some of the nation’s largest law firms.

In a lawsuit, LabMD accused former U.S. Attorney Mary Beth Buchanan and Bryan Cave Leighton Paisner LLP of trying to prevent a whistleblower from revealing Tiversa hacked LabMD with “FBI surveillance software” it got from Buchanan.

The suit also claimed that Reed Smith and Clark Hill helped Tiversa cover up Tiversa’s allegedly criminal activities. “The firms allegedly did so by bringing baseless defamation suits that drained LabMD’s resources, and by using private investigators to intimidate and silence the whistleblower,” according to Habte.

Read the Bloomberg article.



Biglaw Firm, Former U.S. Attorney Accused of Hacking Cover-Up

Bloomberg Law is reporting that a little-noticed lawsuit filed in New York federal court accuses a former federal prosecutor of unethically preventing a whistleblower from telling the FTC that he hacked an embattled company’s files using “FBI surveillance software” that the prosecutor gave him.

The allegations are in a suit against former U.S. Attorney Mary Beth Buchanan and Bryan Cave Leighton Paisner LLP, the global megafirm where she is now a partner, according to reporter Samson Habte.

Plaintiff LabMD Inc., a cancer-screening firm, says it went out of business after falling victim to a “shakedown scheme” by a cybersecurity firm that hacked the lab’s files—and then reported it to the FTC when it refused to pay for “remediation” services.

LabMD’s complaint alleges Buchanan gave FBI surveillance tools to Tiversa Inc., which then allegedly used the tool to hack LabMD. It also alleges Buchanan unethically represented the whistleblower in FTC proceedings to keep him from divulging how Tiversa received the hacking tool.

Read the Bloomberg article.



Michael Best Expands Privacy & Cybersecurity Practice with Addition of Velvet Johnson

Michael Best announced that Velvet Johnson has joined the firm’s Privacy & Cybersecurity Practice Group as senior counsel in Washington, D.C.

In a release, the firm said Johnson’s arrival comes on the heels of other recent hires to the group, including partners Ryan Sulkin and Elizabeth Rogers in Chicago and Austin, respectively.

Johnson concentrates her practice advising clients on various matters of internet policy, regulatory compliance, privacy and cyber-related issues, in addition to providing counsel on numerous cross-border business issues.

“Velvet has an incredibly strong background on cybersecurity matters from her time working in the government,” said Adrienne Ehrhardt, Chair of Michael Best’s Privacy & Cybersecurity Practice Group. “Her reputation and breadth of experience in Washington, D.C. will certainly enhance our group’s ability to address client’s needs, particularly as it relates to policy assessment and legal frameworks. Her addition comes at a key period in time as well with the European Union’s enforcement of the General Data Protection Regulation beginning later this month.”

Prior to joining Michael Best, Johnson spent nearly a decade in various legal and policy advisory roles both within the U.S. Congress and the U.S. Department of Defense (DoD). Much of her time was spent advising on matters related to federal cybersecurity legislation, the National Institute of Standards and Technology Framework for Improving Critical Infrastructure, and national security law guidelines. In her latter role, she represented the DoD in multiple National Security Council-led Cybersecurity Interagency Committees, Working Groups, and senior-level policy forums. After her time with the government, she spent two years as a cyber strategy consultant with a global management consulting firm where she was responsible for managing and executing security and risk programs on behalf of her clients.

“We’re thrilled that Velvet has decided to join us here in Washington, D.C.,” said Kevin Barner, Michael Best’s Washington, D.C. Office Managing Partner. “Her addition will help our clients navigate the complex regulatory and compliance challenges they will inevitably face.”

Johnson received her J.D. from the University of Maryland School of Law and her B.S. from the University of Richmond. In addition to her university degrees, Johnson also earned a cybersecurity certification from Georgetown University and the Certified Information Privacy Professional/United States (CIPP/US) credential through the International Association of Privacy Professionals (IAPP).



Webinar: What Every Lawyer Needs to Know About Open Source Software

Flexera will present a complimentary webinar about the basics of open source licensing, vulnerabilities, trends and expectations for compliance.

The event will be Wednesday, April 18, at noon Central time.

Data shows that most companies are significantly under-counting their use of open source software (OSS), leading to potential legal and security concerns that need to be respected, monitored, and — if needed — resolved. Additionally, your customers are expecting higher levels of compliance. This raises the question: what is your legal team’s role in managing compliance and security vulnerabilities associated with OSS?

Marty Mellican, VP and Associate General Counsel at Flexera, will discuss the need for process and lawful management of OSS. This webinar will cover:

  • The basics of intellectual property (IP) law and how open source licenses are built on top of those principles
  • The most common licenses, including the GPL, AGPL, BSD, Apache, and MIT to name a few
  • How to work effectively and securely with OSS both as a consumer and a creator of OSS
  • Trends in OSS license enforcement in the last year
  • Expectations for compliance and what compliance looks like
  • How GDPR will affect your open source use and management

Register for the webinar.




Webinar Recording Available on SEC Cybersecurity Guidance

Hunton & Williams LLP has posted an on-demand webinar discussing the Securities and Exchange Commission’s recently released cybersecurity guidance.

For the first time since its last major staff pronouncement on cybersecurity in 2011, the SEC has released new interpretive guidance for public companies that will change the way issuers approach cybersecurity risk, the firm says on its website.

Presenters are partners Lisa Sotto, Aaron Simpson and Scott Kimpel, and senior associate Brittany Bacon. They discuss the new guidance, along with changes in regulatory obligations under EU law with respect to the upcoming GDPR and historical SEC enforcement actions related to cybersecurity.

Watch the on-demand webinar.



Webinar: Data Privacy: The Current Legal Landscape

Troutman Sanders will host a complimentary webinar that will cover the legal landscape surrounding data-based products. The event will be Thursday, March 22, 2018, 3-4 p.m. Eastern time.

“In the last few years, the right to privacy has been hotly debated in the United States. What critics do not understand or appreciate is that the next technological paradigm is completely dependent on improvements both to the quality and quantity of data,” the firm says on its website.

Webinar speakers will cover the ongoing evolution of the legal landscape for data-based products, so that organizations can continue to succeed in their development of data-based products.

Register for the webinar.



Memo to Law Firms: Raise Cybersecurity Bar or Risk Client Losses

Law firms may not be the safe repository of client confidences—such as trade secrets and merger plans—that they once were, as hackers recognize firms as prized vaults of proprietary corporate data, warns Bloomberg Law. And clients are starting to view law firm data breaches as serious business considerations.

Daniel R. Stoller talked with Christopher Dore, privacy partner at plaintiff-side firm Edelson PC in Chicago, who told him that “if hackers want to get data from Alphabet Inc.’s Google, the best path may be through a law firm rather than directly from the company, because the law practice likely has an almost ‘unlimited variety of data.’”

And Lucian T. Pera, legal ethics partner at Adams and Reese LLP in Memphis, Tenn. and former treasurer of the American Bar Association, told Stoller that “cybersecurity protections are becoming a serious factor in client decision-making” at law firms, and that large firms stand to lose business if they don’t take care of cybersecurity.

Read the Bloomberg article.




FTI Consulting’s Advice from Counsel Study Examines Data Privacy and Security

FTI Consulting, Inc. announced findings from its Technology segment’s 12th Advice from Counsel study of e-discovery, information governance (IG), privacy and security trends. The study explores how issues of data security and privacy impact in-house legal teams at Fortune 1000 corporations and reveals the top concerns and emerging best practices across three key and intersecting topics: the General Data Protection Regulation (GDPR); IG; and data security and remediation.

“A clear and recurring theme is that in-house legal teams are under greater pressure to meet ever-changing and increasing data-related challenges,” said Chris Zohlen, a managing director in the Technology segment at FTI Consulting and co-author of the study. “This year’s Advice from Counsel study shares their practical advice on a range of topics, from securing executive buy-in to benchmarking against peers or auditing the security practices of service providers.”

Data privacy, security challenges and threats were top priorities for virtually every large organization around the globe. Respondents had dozens of suggestions for proactive ways to address IG and data protection, including addressing the human element and creating a culture of awareness in achieving strong security. While billions of dollars have been spent on technology to strengthen security, several participants said that they do not believe their organizations are safer than they were five years ago, because the human element has not been adequately addressed. Other organizations reported working with outside experts to focus equally on implementing technology solutions and creating a culture of awareness to address continually evolving data privacy and security challenges.

Additional key findings and takeaways in the study include:

• The investment required to ensure GDPR compliance was a top concern among the 80 percent of organizations that confirmed they will be impacted by the regulation. However, they were divided on whether they should wait to see how the regulation will be enforced before acting, vs. working to get ahead of penalties proactively.
• For those evaluating an IG strategy to better protect data, respondents agreed on the importance of seeking outside experts. They repeatedly made clear that data security is an area that is evolving quickly and teams need to work with technical experts to stay apace and handle it effectively.
• The growth of cloud storage and machine learning is making it easier for organizations to identify trends and realize monetary benefits from enterprise data. Finding the right balance between Big Data and over-preserving is a common challenge. Organizations know they are creating and saving too much data, and more than half of respondents reported successfully conducting data remediation projects. Others were hampered by limited resources, lack of engagement from cross-department teams or failure to obtain C-level buy-in to move projects forward.

“In today’s business climate, all organizations are challenged to better protect enterprise data, which is a complicated effort that requires dedicated resources across multiple departments,” said Jake Frazier, Head of the Information Governance, Privacy & Security practice and a senior managing director in the Technology segment at FTI Consulting. “Overcoming the initial barriers of securing buy-in and approval from top company leadership can be overwhelming but will make all the difference in setting projects up for success from the outset. Our clients and the respondents in the Advice from Counsel study have found that working with internal and external partners to conduct data protection assessments, identify priorities and execute a plan custom-built for the company’s risk profile are the most effective steps to address budget issues and the broader landscape of challenges.”

About the study
For the past nine years, FTI Technology has partnered with Ari Kaplan Advisors to publish the annual Advice from Counsel study, a quantitative and qualitative view into e-discovery best practices for corporate counsel. The study was conducted through phone interviews with 30 in-house lawyers at Fortune 1000 corporations with responsibilities that included some aspects of e-discovery and information governance. Of this year’s participants, 79 percent develop and implement e-discovery processes while 89 percent develop and implement information governance processes. Eighty percent of participating organizations had total annual revenues greater than $5 billion and 67 percent had over 10,000 employees. In terms of litigation events over the past 12 months, 33 percent reported managing 100 to 500 litigation events, and 33 percent reported managing more than 500 litigation events.




Download: Are You Ready For The GDPR?

Zapproved has published “GDPR Readiness: A Quick Start Guide” about the European Union’s General Data Protection Regulation (GDPR) which is set to go live on May 25, 2018.

Zapproved says that half of all affected businesses won’t be ready for the May launch of the GDPR. This guide is intended to help those struggling with compliance so companies can avoid fines, which can be as much as 4 percent of annual corporate turnover, or €20 million — whichever is greater.

“If you collect or maintain data about EU residents or conduct business in the EU, you will need to understand and comply with the data collection, security, access and erasure provisions of the GDPR or face unprecedented penalties,” the company warns.

This complimentary quick guide explains why GDPR exists and how it’s likely to conflict, at least initially, with U.S. discovery principles. It includes a short checklist for the first steps to take to get started with GDPR readiness.

Download the guide.



Webinar: Open Source Security and Compliance – Lessons Learned

Flexera will present a complimentary webinar on how open source security and compliance have grown to be a big part of the cybersecurity and legal portfolio.

Presenter Jeff Luszcz, vice president of product management for Flexera, also will share special insights from Flexera’s open source auditing team for the past year.

The event will be Wednesday, Feb. 21, 2018, beginning at 11 a.m. Central time.

Topics will include:

  • Open source vulnerabilities and licenses that made the news in 2017.
  • Closing the risk window – How long do you really have to mitigate a vulnerability once it is discovered?
  • How do GDPR laws affect your use of open source?
  • How you can improve your open source security and compliance process.

Register for the webinar.



Webinar: Contractors and the New Era of Cyber Compliance

Washington Technology will present a complimentary webinar on Jan. 25, 2018, to discuss new compliance requirements for securing government data contractor networks. The webinar will begin at 2 p.m. Eastern time.

Speakers for the one-hour event will be Ron Ross of NIST; Maria Proestou, CEO of Delta Resources; and Susan Cassidy, partner, Covington & Burling.

Government and industry experts will:

  • Offer advice and guidance on what contractors should be doing to ensure compliance.
  • Provide insights on best practices in areas such as training, risk management and planning for the future.
  • Help to prepare attendees for meeting this requirement and maintaining compliance for their government customers.

Register for the webinar.



2018’s Top 10 Legal Challenges in Privacy and Data Security

In an article for Bloomberg Big Law Business, Wiley Rein LLP’s Kirk Nahra details the top-10 U.S. and international developments in 2018 that companies must be aware of to ensure an effective information security program.

Nahra writes that “it is clear that privacy and data security has moved from an issue impacting primarily healthcare and financial services companies, to an issue that affects, in large and small ways, virtually every company across the globe. These issues affect litigation, mergers and acquisitions, product development, research, corporate strategy, business partnerships, and, in some way most activities of most companies.”

His article covers the European Union’s new General Data Protection Regulation, Privacy Shield and other data transfer obligations, non-EU data transfer programs, cybersecurity, breach litigation, FTC and Office for Civil Rights enforcement, and the role of the states.

Read the Bloomberg article.



New Report Highlights Cyber Threat to US Electric Industry

As evidence that cyberattacks continue to threaten electric infrastructure in the United States, a report issued in December by cybersecurity firm FireEye indicates that critical infrastructure industrial control systems (ICS) could be susceptible to a new type of malware, reports Morgan Lewis in its Power & Pipes blog.

According to the report, a piece of malware called “TRITON” triggered the emergency shutdown capability of an industrial process within a critical infrastructure ICS.

“In 2013, hackers believed to be operating on behalf of a state-actor managed to take partial control of the Bowman Avenue Dam near Rye Brook, New York. More recently, reports emerged this past summer that hackers gained access to the operational grid controls of US-based energy firms,” write J. Daniel Skees and Arjun Prasad Ramadevanahalli.

Read the article.



Lawyer is the First Guy Computer Hackers Call When the FBI Shows Up

Six years ago, former Manhattan lawyer Tor Ekeland traded in his fat paycheck for a not-so-lucrative private practice as one of a handful of defense lawyers who specialize in computer crimes.

Mother Jones profiles the 48-year-old, who says his boring corporate job led to alcoholism.

Reporter A.J. Vicens writes that Ekeland has strong feelings about the perceived nefarious intent of the Computer Fraud and Abuse Act. Hackers “scare people. They make them feel vulnerable; there’s a hysteria about it.”

Ekeland has defended hackers against charges ranging from probing the defenses of municipal websites to conspiring to access federal email accounts.

Read the Mother Jones article.



Webinar: The 2017 Open Source Year in Review

Black Duck will present a complimentary webinar reviewing the past year’s legal developments in open source software.

The event will be on Wednesday, Jan. 17, 2018, at 11:30 a.m. Eastern time.

Two of the leading open source legal experts, Karen Copenhaver, partner at Choate Hall & Stewart and counsel for the Linux Foundation, and Mark Radcliffe, partner at DLA Piper and general counsel for the Open Source Initiative, will lead the discussion.

This annual review will highlight the most significant legal developments related to open source software in 2017, including:

  • Current litigation
  • An open source security update
  • Blockchain and its forks
  • Software Package Data Exchange (SPDX) and OpenChain
  • GDPR
  • And more

Register for the webinar.



Download: Greenwald on the Value of Privacy

Zapproved has published a complimentary recap of the PREX17 keynote address by Pulitzer Prize-winning journalist Glenn Greenwald, which explores the boundary layer between law and technology in the connected society.

In the fallout of the Edward Snowden NSA leaks, he explores the reasons why monitoring and evaluating the impact of our technology are crucial and discusses in detail:

  • When weighing the importance of privacy, consider all of your personal information from all of your email accounts, social profiles and medical profiles.
  • Ten years ago technology was the number one way privacy was compromised. Now, technology is the leading tool for protecting privacy.
  • Digital surveillance has become so prevalent and consequential that the NSA’s motto for their citizen surveillance programs is “Collect it all.”

Download the keynote summary.



What Does Ransomware Cost Companies?

King & Fisher Law Group, PLLC

In its 10-Q filing for the quarter ended September 30, 2017, Merck & Co., Inc. stated the following:

On June 27, 2017, the Company experienced a network cyber-attack that led to a disruption of its worldwide operations, including manufacturing, research and sales operations. … [T]he Company was unable to fulfill orders for certain other products in certain markets, which had an unfavorable effect on sales for the third quarter and first nine months of 2017 of approximately $135 million. … In addition, the Company recorded manufacturing-related expenses, … as well as expenses related to remediation efforts … , which aggregated $175 million for the third quarter and first nine months of 2017.

Worth noting, this $310 million amount likely does not include all legal fees, forensic costs, and all other costs, expenses, and losses related to the cyber-attack. Nor does it appear to include other costs, expenses, and losses that may be indirectly revealed elsewhere in Merck’s business or operations. The attack in question is the NotPetya ransomware attack, which impacted countless companies worldwide on June 27 of this year.

Lost Business Resulting from Ransomware
Merck’s announcement is remarkable for several reasons, especially for those who negotiate technology contracts and agreements with data privacy and security implications. First, it’s noteworthy in its relatively clear quantification of lost business resulting from the ransomware attack. That is, often it is difficult to quantify lost business, lost sales, and consequential damages when negotiating liability provisions related to data security and information security in technology agreements and other commercial contracts. This is not to say that Merck’s recitation of these amounts is a new rule-of-thumb or benchmark, but it may start a conversation.

Quantifiable Losses
Second, the loss numbers reported by Merck are not small ones. It is common to discount publicly announced forecasts of ransomware impacts that are viewed as extreme – $75 billion per year, according to one recently cited resource. But the concreteness of Merck’s number and the specificity of the ransomware attack merit attention.

Ransomware is Fact-Specific
Third, the Merck announcement implicitly underscores the criticality of the precise facts surrounding the NotPetya ransomware attack and the unique business and situation of Merck. Not all ransomware or malware attacks can cause the same sort or amount of losses reported by Merck, nor does the same ransomware or other malware give rise to the same quality or quantity of losses for every corporate victim. When negotiating data privacy and data security provisions in commercial technology contracts and similar agreements, it is important for all sides to consider the specific circumstances and risks related to the transaction and parties in question.

Ransomware Impacts Are Not Necessarily Per-Record
And, fourth, the Merck report sheds light on the financial repercussions of ransomware, as opposed to other malware and hacking activities. That is, there are a number of industry and other reports and surveys that speak to the financial and other impacts of data breaches and security breaches on a per-record basis (for example, cost per record, records per breach, etc.). The 2017 Ponemon Institute Cost of a Data Breach Study, Verizon’s 2017 Data Breach Investigations Report, and Gemalto’s Breach Level Index Findings for the First Half of 2017 are just a few. However, in many cases the particular per-record numbers reported do not provide a clear picture of the financial effects of ransomware, which often is not the kind or scope of cyber-attack that can be assessed on a per-record basis.

Merck’s 10-Q for the third quarter of 2017 is definitely not a quick-fix answer to the question of how much a ransomware attack would or could financially impact a company. However, for attorneys, contract professionals, and others who draft and negotiate technology agreements and contracts and, specifically, information and data security and privacy provisions, the Merck quarterly report is potentially meaningful.