SEC Continues to Urge Companies to Prioritize Cybersecurity Through Section 21(a) Report


In a new investigative report[1] released this week, the Securities and Exchange Commission (“SEC”) again stressed the need for public companies to prioritize cybersecurity measures. The SEC’s Report signifies the agency’s ongoing emphasis on cybersecurity initiatives this year. For those of you keeping track at home (as I know so many of you are), 2018 thus far has seen the SEC put out interpretive guidance for public companies on cybersecurity disclosure requirements (I wrote about it here) and initiate its first enforcement action against a registered investment adviser over a violation of the Identity Theft Red Flags Rule. This proactive approach is indicative of the belief put forth by Chairman Jay Clayton earlier this year that “cybersecurity is critical to the operations of companies and our markets,” and as such, calls for the SEC to “continue to evaluate developments in this area and consider feedback about whether any further guidance or […]

The 10 Things Businesses Must Think About After a Data Breach: Part One


In a perfect world, companies would prepare ahead of time for a problem that on average costs them $7.91 million. This “not if, but when” problem? *Cue Jeopardy response*: What is a “data breach”? In this two-part series, I want to discuss the ten things every organization must consider when dealing with a data breach. This post deals with considerations applicable to what I like to call “data breach triage”. In Part 2 of this series, I’ll conclude with the remaining 5 things companies must think about when putting public data breach response plans into action (PR, notifications, etc.).

1. Any suspicion of a data breach should immediately prompt a call to outside counsel

Yes, the clock is ticking and time indeed is very precious, but outside counsel as first point of contact accomplishes a number of important objectives. For starters, outside counsel should first assess whether the incident in question […]

Ohio’s Data Protection Act: A Cooperative Approach to Cyber Legislation


Ohio’s recent enactment of a new cybersecurity law could provide a blueprint for other states to pass similar cyber legislation. In a political climate dominated by the fear of excessive government oversight, an alternative route for states to implement new cybersecurity policy is through voluntary, incentive-based laws.

Cooperative versus Coercive Cybersecurity Legislation

Jeff Kosseff, in the illuminating article “Defining Cybersecurity Law,” talks about the dichotomy between coercive and cooperative aims underlying cybersecurity legislation. The idea behind coercive lawmaking is legislation intended to deter certain behavior. In the context of cybersecurity, a coercive law would deter inadequate data protection practices. An example of a coercive cybersecurity law is Massachusetts’ data security law (Chapter 93H and 201 CMR 17.00). This law requires all businesses in possession of personal information on Massachusetts residents to enact minimum security standards such as a written information security program (“WISP”). Cyber legislation based upon the principle of […]

Is South Carolina’s Adoption of the NAIC Model a Sign of What’s to Come?


I had the pleasure of co-authoring this piece with prolific writer, attorney and sought-after public speaker Judy Selby. Quoted in publications such as the Wall Street Journal, Forbes and Fortune, Judy is one of the preeminent experts on cyber insurance. Through her consulting company, Judy provides strategic advice to companies and corporate boards concerning insurance, cyber risk mitigation and compliance. In October 2017, the National Association of Insurance Commissioners (NAIC) adopted its Insurance Data Security Model Law (the NAIC Model) to establish standards for data security and the investigation and notification of certain cybersecurity-related events. This law followed the lead of the New York Department of Financial Services, which promulgated its own Cybersecurity Regulation geared towards insurance entities and other financial institutions that do business in New York in March of 2017. On May 3, 2018, South Carolina became the first state to adopt its own cybersecurity statute almost exclusively derived […]

Time Grows Short(er) in Data Breaches


Congress’s continuous failure to enact any federal data breach standard means states continue to take matters into their own hands on how organizations must legally protect entrusted information. The most recent legislative cycle featured numerous states that amended the timeline for notification. This trend should not go unnoticed by businesses, big or small, as the breach timeline to respond grows shorter by the day.

From Ambiguity to Specificity

State breach notification laws around the country used to feature timeframes open to interpretation. Recent amendments signaled a shift in the timeline by which a business must respond, an evolution from previous ambiguity to sudden specificity. State laws in Arizona, Colorado and Louisiana formerly required notification “in the most expedient manner possible and without unreasonable delay.” What exactly was expedient? 50 days? What about 100 days from the date of discovery? The Arizona Data Security Breach law now requires notice to […]