Practical Tips for In-House Counsel From Recent Cybersecurity Decisions

“The possibility of a cybersecurity incident—and ensuing litigation—is a fact of life for almost every business. Even companies that do not process or handle consumer information collect personal information about their employees that can be targeted by hackers or phishing scams or even inadvertently disclosed, exposing the company to potential liability,” warns Seth Harrington, Michelle Visser and David Cohen in Orrick’s blog.

“While eliminating cybersecurity litigation risk entirely likely is not feasible, recent cases do highlight some steps that companies seeking to reduce potential exposure to cybersecurity litigation can take:
(1)  Recognize that pre-incident statements about the company’s cybersecurity measures can be used to sustain deception-related claims.
(2)  Assess the “reasonableness” of your cybersecurity, despite the difficulty of doing so.
(3)  Pay attention to how you structure cybersecurity initiatives to protect related documents and communications based on the attorney-client privilege and work product protection.
(4)  Recognize that your statements about a cybersecurity incident may be relied on by courts to sustain plaintiffs’ claims.
(5)  Consider arbitration clauses, but do so cautiously.
(6)  Consider opportunities to contractually allocate or disclaim liability.”

Read the article.




Threat From Within: Inside Counsel’s Role In Defending Against Data Breaches

“While organizations make significant investments in protecting their data from outside infiltration, they can often overlook the serious threats that exist within their own workforce. According to a 2020 study released by the Ponemon Institute, the biggest threat in terms of disclosure of sensitive information comes from so-called “insider threats,” in the form of employees who disclose protected information or provide a means of access to that information to third parties, either unwittingly or otherwise. That threat has only grown in recent years, increasing by 47% in the last two years alone,” reports Risa B. Boerner in Fisher Phillips Newsletters.

She further breaks down her article into the following sections:

  • The Costs Can Be Staggering
  • Why The Recent Surge?
  • First Steps: Awareness + Training
  • Advanced Tactics

Read the article.




Ransomware Attacks Hit Three Law Firms in Last 24 Hours

“Five U.S. law firms — three in the last 24 hours — have been among the companies and organizations targeted by a new round of ransomware attacks. In two of the cases, a portion of the firms’ stolen data has already been posted online, including client information.” reports Robert J. Ambrogi in LawSites blog.

“Hackers have stolen data from at least five law firms, using the threat of releasing the data to extort payment from the firms, Callow said. In the two cases in which hackers already posted law firm data, they published it on the clear web where it can be viewed by anybody.”

Read the LawSite’s article.




The Rise of Disruptionware and High-Impact Ransomware Attacks

“Disruptionware is defined by the Institute for Critical Infrastructure Technology (ICIT) as a new and “emerging category of malware designed to suspend operations within a victim organization through the compromise of the availability, integrity and confidentiality of the systems, networks and data belonging to the target.” New forms of disruptionware can be a more crippling form of cyber-attack than other more “garden-variety” malware and ransomware attacks.” warns an article in JDSupra.

“Generalized forms of ransomware attacks – designed to block access to the victim’s computer systems until money is paid – are continuing to represent a more prevalent threat to government agencies, healthcare providers and educational institutions … another publication has noted the rise of ransomware attacks since the beginning of 2019 finding that there have been at least 621 reported successful ransomware attacks against U.S.-based corporations. Of these attacks, at least 491 were targeted against healthcare providers, while another 68 of the attacks were directed at county and municipal institutions, and 62 of the attacks were focused on school districts.”

“The FBI’s PSA serves as a warning to businesses that they should have a plan in place to respond efficiently and appropriately in the event of high impact ransomware and disruptionware attacks.”

Read the article.

 




What If a Border Agent Seeks Your Smartphone That Includes Client Secrets?

JD Supra discusses what an attorney is “to do if a customs agent asks to peruse the attorney’s smart phone? Or if a customs agent asks the attorney to identify the clients that attorney is meeting or working on behalf of in the foreign country? Such questions can create a tension for attorneys between their duty to comply with international travel directives and their duty to preserve confidential or privileged client information in their possession.”

“Trips abroad are becoming more common across various practices.”

“Notably, attorneys are not required by the rules of professional conduct to comply with” ABA recommendations. “Whether attorneys adopt these recommendations in their own practices will depend on the type of information attorneys have in their possession, as well as the reasonableness of taking certain precautions.”

Read this article for some traveling tips.




Download: Comprehensive Guide to the CCPA

Exterro has published a comprehensive guide to the California Consumer Privacy Act and made it available for downloading from the company’s website.

“Recent reports suggest that somewhere between 45% and 86% of companies will are not ready for the California Consumer Privacy Act (CCPA),” the company says. “Organizations preparing for the CCPA must ready themselves for Data Subject Access Requests from consumers, have an organized data management system that allows them to find and remediate that data within 45 days.”

The Exterro guide covers:

  • Why the changing regulatory landscape means that getting your data house in order is of the utmost importance
  • Tips from subject matter experts for complying with the law based on the regulations that were published
  • Answers to major questions that GCs and corporate legal departments that could mean the difference between confident compliance and fines

Download the free guide.

 

 




Do Companies Need a Written Security Information Plan?

“As of January 1, 2020, California became the first state to permit residents whose personal information is exposed in a data breach to seek statutory damages between $100-$750 per incident, even in the absence of any actual harm, with the passage of the California Consumer Privacy Act (“CCPA”). The class actions that follow are not likely to be limited to California residents, but will also include non-California residents pursuing claims under common law theories.” advises Jena M. Valdetero in Bryan Cave Leighton Paisner’s Insights.

“A successful defense will depend on the ability of the breached business to establish that it implemented and maintained reasonable security procedures and practices appropriate to the nature of the personal information held.  The more prepared a business is to respond to a breach, the better prepared it will be to defend a breach lawsuit.”

She provides a list that the organization’s WISP should include at a minimum.

Read the article.




Webinar: Top 2020 Risk & Compliance Trends

A NAVEX Global webinar will address the top 10 risk and compliance trends for 2020.

The complimentary event will be Wednesday, Jan. 15. 2020, at 10 a.m. PT/1 p.m. ET.

In 2020, several critical issues are sure to impact the business landscape, including: election year turmoil, updates to regulatory requirements, digital environment impact, new agency guidance, data privacy, workplace behavioral shifts, and more, NAVEX says in its invitation.

Participants in the webinar will hear how experts are predicting these upcoming trends will provoke, shape and inspire organizational shifts and program improvements.

Register for the webinar.

 

 




26 Data Privacy Questions for Corporate Legal Departments

Exterro has published “26 Data Privacy Questions for Corporate Legal Departments,” a new guide designed to determine if the necessary people, processes and technology are in place to ensure compliance and avoid costly future litigation over data privacy issues.

The guide can be downloaded from Exterro’s website at no charge.

“With the EU’s General Data Protection Regulation (GDPR) in effect and the California Consumer Privacy Act (CCPA) arriving in 2020 along with numerous other states following suit, businesses must meet new obligations around finding, reviewing and producing/deleting personal consumer data when requested,” the company says.

Download the guide.

 

 

 

 




On-Demand: The Role of In-House and External Counsel in Managing Open Source

Flexera has posted a complimentary on-demand webinar discussing the role of in-house and external counsel in managing open source software in the business environment.

“Having some best practice guidelines that more clearly define your role and help you guide companies through license compliance and risk management only reinforces and bolsters one of your most important responsibilities as a legal advisor,” the company says in its invitation to view the event.

Speakers are Amy Chun, partner in Knobbe Martens, and Marty Mellican, vice president and associate general counsel of Flexera.

Some of the topics covered include:

  • Key data points that emphasize there’s a lack of understanding regarding the amount of OSS companies are using
  • The range of OSS risk and what that means to you
  • Actionable steps and tips for managing OSS risk including available tools, how to flag issues, implement policy, and update agreements

Watch the webinar.

 

 




Hunton Andrews Kurth Partner Speaks on Key Global Data Protection Issues in China

Hunton Andrews Kurth LLP partner Lisa J. Sotto was the featured speaker at a recent AmCham China U.S.-China Energy Cooperation Program event, outlining key privacy and data security issues in the United States and European Union to representatives of more than 50 Chinese companies.

Sotto, head of Hunton Andrews Kurth’s global privacy and cybersecurity practice, also presented to several other groups in China earlier this month, including a group of more than 50 in-house counsel organized by Data Protection Officer, an organization of legal counsel from leading Chinese and global technology, media and telecommunications companies.

She also was invited to present to a group of legal counsel and cybersecurity scholars and researchers at the Law School of Beihang University. Sotto separately addressed a group of 100 employees (including legal counsel, engineers and business personnel) of 360 Corporation, China’s top provider of internet and mobile security products and services.

“Given the ubiquity of data, there is an urgent need for international alignment on guiding principles related to data privacy and cybersecurity standards,” Sotto said. “I am pleased to have had the opportunity to promote this awareness and to provide guidance and assistance toward that end.”

Earlier this year, Sotto was invited by U.S. government officials and the U.S. Chamber of Commerce to travel to Brazil as a member of a delegation that met with Brazilian government agencies and industry representatives in the process of developing the country’s cybersecurity strategy. Her visit followed the release of a report proposing a framework for effective data breach notification legislation across the globe.

 

 




Discover Drexel’s Online LLM Programs

Drexel University’s online LLM programs from the Thomas R. Kline School of Law can provide a legal practitioner with the expertise needed to become a specialist in either cybersecurity and data privacy or health care and pharmaceutical compliance.

Kline School of Law representatives will answer questions about the program at an online open house on Tuesday, Oct. 22, 2019, at 6 p.m. ET.

The university offers the program online on either a full- or part-time basis.

With a focus on topics like EU data privacy and internet law, this specialized LLM program will help fill a knowledge gap that’s needed in the cyber law and data privacy field, the university says on its website. Participants can tailor elective courses to specific fields such as health care, finance or higher education.

The health care and pharmaceutical industry is increasingly complicated and ever-changing, and Drexel’s LLM program provides insider knowledge needed to successfully navigate the system. Participants can focus on either health care compliance or pharmaceutical compliance or take classes in both areas, according to the university.

Learn more about the LLM program.

 

 

 




Webinar: HIPAA Compliance and Cybersecurity in Business

WebinarCompliancy Group will present a webinar on HIPAA compliance and cybersecurity on Wednesday, Oct. 23, 2019, at 2 p.m. Eastern time.

Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA), established industry standards that every healthcare organization is required to adhere to. Throughout the years, HIPAA regulation has been modified, as such it is essential to keep up-to-date with the latest regulatory changes. Since its inception, HIPAA law has become part of an organization’s culture, affecting how to do business and how a practice is run. Learn the ins and outs of HIPAA compliance and cybersecurity.

Webinar presenters will discuss how HIPAA compliance and cybersecurity go hand-in-hand and will simplify HIPAA compliance. They will walk viewers through the full extent of the regulation, including the revisions and amendments that have been added over the years.

Register for the webinar.

 

 




Do We Have A Contract? What Delta’s Win Tells Us About Privacy Policies

Computer - cybersecurity -privacyA legal victory for Delta Air Lines this year is unique in that it is the first time that a court has determined that a business owes no obligation of privacy to a customer because its privacy policy explicitly disclaims any type of contractual relationship between the business and its customers, writes Sunrita Sen in the Frost Brown Todd fbtTech Blog.

The case involved a breach of contract claim over the data breach suffered by the airline in 2017.

A U.S. district judge dismissed the claim, agreeing with Delta that the Airline Deregulation Act preempted the plaintiff’s breach of contract claims.

Read the article.

 

 




Former Comcast VP, Deputy General Counsel and Privacy Officer Joins BakerHostetler

BakerHostetler announced that Daniel A. Pepper, most recently a senior legal and privacy executive with Comcast, has joined as a partner in the firm’s Privacy and Data Protection team. He will work in the firm’s Philadelphia office.

At Comcast, Pepper concurrently served as a vice president, deputy general counsel and deputy privacy officer. He was responsible for developing comprehensive global privacy and data security programs to minimize risk and promote compliance with all applicable laws and regulations in the U.S. as well as internationally. This included reviewing potential problem areas across all business units and recommending solutions for compliance with policy and legal requirements.

Prior to Comcast, Pepper was assistant general counsel for information technology, information security, and global clearance and compliance at Verizon Communications, where he served as executive legal liaison for the company’s chief information security officer, chief technology officer and chief information officer. He also was founder and managing member of the Pepper Law Group, which provided outside counsel to numerous Fortune 500 and privately held companies, advising on information technology, security and data privacy, commercial transactions, intellectual property, internet law, digital marketing/advertising, corporate governance, strategic partnerships, and IT and business process outsourcing. Pepper also held legal counsel roles at BEA Systems and Oracle Corp.

Pepper received his B.A. from Rutgers College and his J.D. from the Duquesne University School of Law. He also completed the executive leadership program at Tuck School of Business at Dartmouth. Pepper holds the designation of Certified Information Privacy Professional (CIPP/US) from the International Association of Privacy Professionals (IAPP), where he is also a board member. Pepper is also member of the Rutgers University Big Data Advisory Board.

 

 




Arent Fox Adds Privacy, Cybersecurity & Data Protection Partner Julia B. Jacobson

Arent Fox LLP announced the expansion of its Privacy, Cybersecurity & Data Protection practice with the addition of partner Julia B. Jacobson. Jacobson joins the Boston office, where she will continue to advise clients on data privacy and protection issues, as well as marketing and technology transactions.

In a release, the firm said Jacobson counsels clients on how to comply with federal, state, and international laws and industry standards, monetize data, and address privacy and security issues that arise during business transactions. She advises clients on compliance with GDPR, ePrivacy Directive, New York Department of Financial Services Cybersecurity Regulations and preparations for compliance with the California Consumer Privacy Act, and other evolving privacy and cybersecurity laws.

In addition, Jacobson assists clients with the design and development of privacy-sensitive policies for use and protection of personal data, cybersecurity incident response, information governance, and vendor management.

Prior to joining Arent Fox, Jacobson was a partner in the Technology Transactions practice at an AmLaw 50 firm.

 

 




Michael Best Adds Former Walgreens In-House Counsel

Rebecca Gerard has joined Michael Best’s Privacy & Cybersecurity Practice Group as an associate in Chicago.

Gerard focuses her practice on helping clients protect their data assets and comply with complex regulations. She has experience with regulations including the Federal Trade Commission Act, the Health Insurance Portability and Accountability Act, the California Consumer Privacy Act, the California Online Privacy Protection Act, the Controlling the Assault of Non-Solicited Pornography And Marking Act, the Telephone Consumer Protection Act, the Gramm-Leach-Bliley Act, the Children’s Online Privacy Protection Act, and the European Union’s General Data Protection Regulation, Data Protection Directive and ePrivacy Directive, among other data breach notification laws, and federal, state and international guidelines.

Prior to joining Michael Best, Gerard served as commercial and regulatory counsel at Walgreen Co., where she advised several business units on matters in connection with marketing, private label brands, and retail products. She was responsible for enforcing privacy regulations for the company’s U.S. and European entities, drafting and negotiating a variety of contracts and agreements, and collaborating with the company’s public policy team to promote initiatives to further the company’s interests.

Gerard earned both her LL.M. and her J.D. from The John Marshall Law School and her B.A. from Purdue University.

 

 




Court Holds Delta’s Privacy Policy Isn’t a Contract

Delta Air Lines scored a victory when a California federal court granted the company’s motion to dismiss a putative class action based on a data breach, primarily by arguing that its publicly posted privacy policy is not a contract and Delta did not have any enforceable obligation to keep the plaintiff’s data secure, reports Manatt, Phelps & Phillips.

A Delta passenger sought to represent a nationwide class of consumers alleging breach of contract after the airline suffered a data breach, explains Jesse M. Brody.

The court found that the plaintiff could not assert a breach of contract based on Delta’s privacy policy, because it expressly disclaimed that it constitutes a contract, stating, “This Privacy Policy is not a contract and does not create any legal rights or obligations.”

Read the article.

 

 




Download: Cyber-Risk Oversight: Current and Emerging Practices

The NACD Risk Oversight Advisory Council has published a complimentary briefing of “Current and Emerging Practices in Cyber-Risk Oversight.”

The briefing can be downloaded from the National Association of Corporate Directors website.

“Cyber events have become so prevalent in today’s business world that it’s not a matter of if a company is affected, it’s a matter of when,” the association warns. “In a recent NACD survey, directors selected cybersecurity threats as one of the trends most likely to have the greatest effect on their companies in the next 12 months.”

This resource will help directors stay on their toes in the global cybersecurity struggle—ensuring that they are prepared to respond to cyber events, fulfill corporate risk oversight expectations, and reduce overall risk exposure.

Download the briefing.

 

 




Preparing for the CCPA: Reviewing and Updating Privacy Policies and Agreements for Compliance

Duane Morris will present a complimentary webinar on the California Consumer Privacy Act (CCPA) on Thursday, June 20, 2019, at 9:30 a.m. Pacific time.

Led by an interdisciplinary team of Duane Morris attorneys, the California Consumer Privacy Act of 2018 Webinar Series offers an in-depth discussion and analysis of the CCPA, along with timely and practical strategies to prepare your business for compliance with this complex rule, the firm said in a release.

The CCPA of 2018 is the strictest privacy law in the United States and has national impact for anyone doing business in California. The new law takes effect Jan. 1, 2020, and gives consumers greater control over their personal information while establishing stringent rules and significant penalties for the companies that handle consumer information.

The second session topics include:

– Brief CCPA overview
– Examination of the CCPA requirements for privacy policies and third-party agreements
– Practical strategies for reviewing and updating your privacy policies and third-party agreements to comply with the CCPA

The first session of the series, Understanding the New California Consumer Privacy Act: Why The CCPA Applies to You and Practical Steps You Can Take Now to Comply, can be viewed on the firm’s website.

Register for the June 20 webinar.