*This post was originally distributed as a privacy and cybersecurity client alert on Monday, May 15, 2017. Sign up for our privacy and cybersecurity distribution list here.
As you likely will have heard, there is an ongoing major cyber-attack involving the WannaCry ransomware. It is affecting businesses across the world and across sectors, including financial services firms, healthcare entities and even manufacturers. We are actively advising clients on cybersecurity matters, and we have recently guided clients through ransomware attacks. We have also recently authored a major report on improving transatlantic cybersecurity in collaboration with the US Chamber of Commerce.
Following the WannaCry attack, many companies and their counsel will need to consider and coordinate the following: (more…)
On Thursday, May 11, President Trump signed an executive order aimed at strengthening the cybersecurity of federal networks and critical infrastructure. The order is expected to prompt a broad examination of cybersecurity vulnerabilities at federal agencies and re-orient federal cybersecurity efforts toward modernization and shared services. The order also reaffirms the previous administration’s approach to cybersecurity protections for critical infrastructure – with increased emphasis on the power grid – and seeks to promote the growth and sustainment of the nation’s cybersecurity workforce in the public and private sectors. (more…)
On April 18 in the DC office, Sidley hosted the firm’s third annual Privacy and Cybersecurity Roundtable for over 70 clients. Speakers included a senior representative of the European Data Protection Supervisor, senior officials from the Office of the New York State Attorney General and the Federal Trade Commission, legal, policy and compliance leaders from Facebook and Gannett, along with several members of the firm’s privacy, securities law and governance groups. (more…)
Washington, D.C. – Sidley Austin LLP is pleased to announce that Timothy J. Muris has joined the firm as senior counsel in its Antitrust/Competition practice. Mr. Muris, a former chairman of the Federal Trade Commission (FTC), has substantial experience in every aspect of antitrust enforcement as well as in key consumer protection issues, including advertising, consumer finance and privacy regulation.
Cybersecurity compliance is becoming increasingly complicated with multiple regulators across the globe weighing in on your legal requirements to manage cyber risk. If you have wondered how others are approaching their compliance strategy, you are not alone.
You are invited to participate in a brief survey regarding your business’s approach to cybersecurity legal requirements. Specifically, the purpose of this survey is to learn how businesses like yours are responding to cybersecurity legal requirements under the European Union’s General Data Protection Regulation (GDPR) and Network and Information Security Directive (NIS Directive). In particular, we are interested in whether and if so, how businesses in the U.S. and the EU and elsewhere are applying the U.S. National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity to comply with these EU cybersecurity requirements. Understanding which standards business are applying in order to comply with these requirements could be helpful in encouraging consistency of cybersecurity frameworks in the U.S., the EU and other regions.
Please use the link provided below to access the survey which will take very few minutes to complete. We plan to publish the results in approximately six weeks. Please note that no individuals or specific businesses will be identified in any published results without their express consent.
CLICK HERE to begin the survey.
Thank you for your participation.
*This article first appeared in Bloomberg BNA Corporate Law & Accountability Report on February 23, 2017
On Jan. 12, 2017, the National Association of Corporate Directors (NACD) released its new “NACD Director’s Handbook on Cyber-Risk Oversight.” The NACD has suggested that directors can use this Cyber-Risk Oversight Handbook as a resource to “[l]earn foundational principles for board-level cyber-risk oversight” and gain insight into issues including how to:
- “allocate cyber-risk oversight responsibilities at the board level”;
- address “legal implications and considerations related to cybersecurity”;
- “set expectations with management about the organization’s cybersecurity processes”;
- “improve the dialogue between directors and management on cyber issues”; and,
- “improve and enhance boardroom practices.”
Following the establishment of the E.U. – U.S. Privacy Shield last summer, Switzerland has now agreed to a similar framework facilitating the transfer of personal data from Swiss companies to companies based in the United States (hereinafter “Swiss – U.S. Privacy Shield” or “Privacy Shield”) that will allow companies to certify adherence to the framework as of 12 April 2017.
The potential liability from a material cyber-attack is wide-ranging. Accordingly, companies that experience network intrusions, system disruptions or unauthorized access to information databases must be prepared for a variety of potential consequences, each attended by its own costs…[read more]
2016 was a year of seismic changes in the global data protection and privacy landscape. Here, we look back at the top ten events and issues that shaped 2016, and are poised to shape the year ahead as well.
Year In Review
1. GDPR Adoption
On April 14, the European Parliament voted to adopt the long-awaited EU General Data Protection Regulation (GDPR), formally completing adoption of the GDPR. The GDPR was published in the Official Journal of the EU on May 25, 2016, giving companies and Member States until the May 25, 2018 effective date to implement the Regulation fully. In the wake of its adoption, businesses should have planning under way for implementation of the significantly expanded Regulation by evaluating whether they are subject to the expanded jurisdiction, and if so, completing an internal gap analysis of current data protection practices as compared with the new requirements and rights under the Regulation. Some of the key aspects to consider include data breach response planning under the new 72-hour notice requirement, reviewing existing data protection notices and consents for the more robust obligations, identifying current profiling activities and existing data protection and retention policies and procedures, ensuring privacy impact assessments are carried out where required, and evaluating whether there is an obligation to appoint a data protection officer. Despite the time until the effective date, the extensive preparation necessary to comply presents a challenge as companies around the world refocus resources to develop compliance plans.
2. Political Cyber Warfare
There is a new front in geopolitical battles. (more…)
The National Institute of Standards & Technology (NIST) has issued a revised draft version of its Cybersecurity Framework. The document is issued as “Version 1.1″ of the existing framework, redlined to show changes from the original framework issued almost three years ago. It is a draft, seeking comment. No period for public comment is specified, except that NIST expects to hold a public workshop on the revised draft “around the fall of 2017.”