Washington, D.C. – Sidley Austin LLP is pleased to announce that Christopher Fonzone, former National Security Council (NSC) legal adviser and deputy assistant and counsel to President Obama, has joined the firm as a partner in its Washington, D.C. office. He will be a member of Sidley’s global Privacy and Cybersecurity practice. (more…)
On 10 October 2017, Jamaica introduced into its House of Parliament a comprehensive Bill for privacy and data protection, entitled “An Act to Protect the Privacy of Certain Data and for Connected Matters.” The new law would cover personal data, including data in an “accessible record” such as a health record or an educational record. If passed, the new law will be named the “Data Protection Act, 2017.” (more…)
Sidley is delighted to announce that The National Law Journal named Boston and Washington, D.C. senior counsel Cameron F. Kerry to its third annual “Cybersecurity and Data Privacy Trailblazers” special supplement. (more…)
*Article first appeared in Corporate Board Member on November 7, 2017
At a time when a major cybersecurity incident can cost a company millions, it’s crucial that acquiring companies give cybersecurity the same level of scrutiny as they do more traditional risks and opportunities in the M&A due diligence process. Yet too many deals suffer from superficial consideration of these issues.
Why the disconnect? Unlike other areas where companies face legal and regulatory implications, in-house and outside legal teams often lack well-developed methods to analyze cybersecurity risks, too often considering them technical issues beneath the notice of the bankers and lawyers. In many cases, deal teams lack the skill sets to analyze the issues effectively and cannot even speak the language of the CIOs and CISOs well enough to spot “alternative facts.” Boards need to ensure that they or their advisers—preferably both—have sufficient skills to assess cybersecurity risks and ask the right questions. (more…)
On 6 November 2017, the Dutch Data Protection Authority (‘”DPA”) issued a statement in which it confirms that controllers subject to Dutch data protection law will – in most cases – no longer need to notify their data processing activities to the DPA. The General Data Protection Regulation (“GDPR”), which becomes applicable on 25 May 2018, abolishes the system of DPA notifications and replaces it with the requirement to keep internal records of data processing operations. Until that date, controllers can still submit notifications if they wish to do so, but in general the DPA will no longer enforce compliance with the notification requirement in the law.
*This post originally appeared in BNA’s Corporate Law & Accountability Report on November 6, 2017.
Cyberattacks and data breaches are increasingly the subject of front-page headlines and can have material effects on our personal lives. And yet, reports suggest that many corporate directors and managers remain relatively unaware of important cybersecurity issues, risks, and strategies that directly relate to their organizations.
For example: imagine that your company has fallen victim to a successful cyberattack and customer data was stolen. In the aftermath, the securities plaintiffs’ bar undoubtedly will be searching for stockholders to(among other things) pursue claims for violations of state and federal securities laws and/or for breaches of fiduciary duty against the company’s board. Are you, your colleagues, managers, and directors prepared to respond to and manage this type of incident and the subsequent litigation and regulatory investigations? Have you documented your diligence in governing cybersecurity risk? For many, the answer may be no.
This article discusses the scope of this problem, how it can directly impact you and your company, and steps you can take now to help prepare for the unknown. It is certainly true that even the best cybersecurity programs cannot guarantee deterrence of all attacks. But such programs unquestionably mitigate the risk of a breach, support organizational resilience, and help control the fallout should one occur.
The EU-U.S. Privacy Shield has survived its infancy, although the October 18, 2017 European Commission report on its first annual review of the functioning of the EU-U.S. Privacy Shield (the “Report”) leaves uncertainty as to the long-term future of EU-U.S. Privacy Shield if the U.S. is unwilling or unable to adopt further Commission “recommendations”. The Report details the Commission’s findings on the implementation and enforcement of the Privacy Shield during its first year of operation. (more…)