For defense contractors, January 1, 2018 brought with it not only a new year, but also a new era – an era in which contractors must comply with the entire set of more detailed cybersecurity requirements under Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. As we have flagged before on Data Matters, this DFRAS provision applies to all Department of Defense (DOD) contracts (except for those involving commercial, off-the-shelf items) and places a number of substantial obligations on contractors, including that they comply with the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” and report certain cyber incidents to DOD. (more…)
Changes to data breach notification laws continue to pop up across the country this Spring. The latest comes from a new law signed by Arizona Governor Doug Ducey that amends the state’s data breach standards. Although much of the Arizona law has remained the same, the new law updates a few key provisions, including the definition of personal information, the requirements for the content of the data breach notice, the timing of notice, and the capping of penalties. (more…)
*This article first appeared in In-House Defense Quarterly on April 3, 2018
The growing volume and severity of cyber-attacks directed against public companies has caught the attention of federal regulators and investors. Recent guidance from the Securities and Exchange Commission (SEC) on disclosure and enforcement actions by the Federal Trade Commission (FTC) make clear that cybersecurity is no longer a niche topic, but a concern significant enough to warrant the oversight of corporate boards of directors. A high-profile cyber incident may cause substantial financial and reputational losses to an organization, including the disruption of corporate business processes, destruction or theft of critical data assets, loss of goodwill, and shareholder and consumer litigation. More and more, directors are viewing cyber-risk under the broader umbrella of corporate strategy and searching for ways to help mitigate that risk. Increasingly, thought leaders, professional organizations, and government agencies are beginning to provide answers. (more…)
*This article first appeared on Law360 on April 17, 2018
On April 17, the National Institute for Standards and Technology (NIST) released an updated version of its standard-setting Cybersecurity Framework. Commerce Secretary Wilbur Ross announced the new release with a statement saying the “Cybersecurity Framework should be every company’s first line of defense” and “adopting version 1.1 is a must do for all CEO’s.” Version 1.1 is dated April 16, 2018. (more…)
Sidley hosted the firm’s fourth annual Privacy and Cybersecurity Roundtable in the DC office on Monday, March 26, 2018.
Following an introduction by Sidley partner Alan Raul, Giovanni Buttarelli, European Data Protection Supervisor, and Helen Dixon, Data Protection Commissioner for Ireland, discussed the EU General Data Protection Regulation which will go into effect on May 25, 2018. Both Helen Dixon and Giovanni Buttarelli shared their insights on preparation for, and life after May 25. Following their remarks, Sidley Partner and Privacy practice Co-Leader, Ed McNicholas (D.C.) moderated a lively discussion that included Cam Kerry, Senior Counsel (D.C./Boston) and new Sidley Partner, Wim Nauwelaerts (Brussels). (more…)
And then there were none. Alabama has joined the ranks of the other 49 states with breach notification requirements by enacting the Alabama Data Breach Notification Act of 2018 (the “Act”). The Act, which was signed into law by Alabama Governor, Kay Ivey on March 28, 2018, requires companies to provide Alabama residents with notification of a breach within 45 days of discovery. Notification is triggered by a determination of a breach that poses a risk of harm to impacted individuals. Alabama exempts from the definition of breach the good faith acquisition of sensitive personally identifying information by an employee or agent of a covered entity, unless the information is used for a purpose unrelated to the business or subject to further unauthorized use. Companies must notify the state AG in the same period if the breach requires notification of more than 1,000 “individuals” (defined as Alabama residents whose “sensitive personally identifiable information” was, or is reasonably believed to have been, accessed as a result of the breach). In addition, if more than 1,000 individuals are notified at a single time, companies must provide notice to consumer reporting agencies “without unreasonable delay.” Third parties who are contracted to process sensitive personally identifiable information must provide notice of a breach to the owner of that information within ten days of discovering the breach. Notice from a third party then triggers the 45-day notification period for the covered entity.
On March 21, Governor Daugaard of South Dakota signed SB 62, making South Dakota the 49th state to enact a data breach notification statute (leaving only Alabama without a state data breach law). South Dakota’s attorney general issued a statement after the law was signed, observing that the connected economy comes with “an increased risk of theft and fraud,” and “we need the tools to combat these breaches and thefts of our personal information.” (more…)
On March 7, 2018, the U.S. Senate’s Homeland Security and Governmental Affairs Committee approved a new version of a bill (SB 2825) reauthorizing the Homeland Security Act of 2002 and including key cybersecurity provisions affecting the Department of Homeland Security (DHS). The bill is considered a critical piece of legislation that many expect will need to pass before the Congressional recess in August 2018. It already passed the U.S. House of Representatives in July 2017, and will now be considered by the full Senate. (more…)
On February 21, 2018, the U.S. Securities and Exchange Commission issued interpretive guidance (the Guidance) to assist public companies in drafting their cybersecuritydisclosures in SEC filings. See 83 FR 8166 (Feb. 26, 2018). In his public statement accompanying the issuance of this guidance, SEC Chairman Jay Clayton said he believed that “providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.”1 In this new guidance, the SEC is likely intending to signal how it may focus future enforcement concerning the cybersecurity disclosure obligations of public companies, and their underlying disclosure controls, procedures and certifications. (more…)
Few would describe 2017 as a quiet year. But it actually was a period of relative calm with respect to at least one important topic. After supporters and opponents of mandated government access to encrypted communications publicly feuded for much of 2016, reprising arguments they’ve had since at least the days of the “Clipper Chip,” these “encryption debates” seemed to quiet down for much of last year. The same tensions likely simmered beneath the surface, to be sure, but they didn’t boil over and there was accordingly less attention directed at the issue than there had been previously. (more…)