- All 50 states now require some form of breach notification. Some states require only an intrusion (and not an outflow) of Personally Identifiable Information (PII) to trigger notification.
- California’s Consumer Privacy Act of 2018 imposes new online disclosure requirements and grants consumers new opt-out rights.
- General Data Protection Regulation – covers sensitive data of residents of the European Economic Area, but has world-wide application and carries significant monetary penalties.
- Shareholder Litigation – for violations of management fiduciary duty
- Federal Trade Commission investigations and penalties
- Federal Food and Drug Administration (for connected medical devices)
- Banking – New York State enacted 23 NYCRR 500 in 2017, which generally requires covered entities regulated by the state’s Department of Financial Services to comply with enhanced cybersecurity requirements, including risk assessment, adequate cybersecurity funding, policy development and reporting. Covered entities include licensed lenders, state-chartered banks, trust companies, service contract providers, private bankers, mortgage companies, insurance companies doing business in New York, and non-U.S. banks licensed to operate in New York.
- Department of Health and Human Services Office of Civil Rights investigations and penalties (for HIPAA violations)
- Securities and Exchange Commission –
  - Increased its cybersecurity oversight and investigatory role for public companies, including issuing a Section 21(a) report indicating that companies that fail to have adequate internal controls (which include assessing and addressing cybersecurity threats) may be in violation of Section 13(b)(2)(B)
  - Increased vigilance in enforcing the Safeguards Rule and the Identity Theft Red Flags Rule, both of which generally require broker-dealers to adopt written policies and procedures “that address administrative, technical and physical safeguards for the protection of customer records and information.”
- Risk assessment and investigation
- Internal Policy development (cybersecurity, incident response, incident investigation and remediation, etc.)
- Drafting policies, disclosures, and procedures that govern the collection, use, storage, and sharing of sensitive data and use of technology
- Drafting and implementing privacy and security compliance plans around state, national, and international laws and standards
- Reviewing, revising, and preparing contracts and releases with third parties to ensure compliance and limit liability
- Assisting our clients during transactions with privacy due diligence and protective deal mechanisms
- Advising clients on cyber-insurance policies and other applicable insurance policies
- Advising clients on digital advertising and marketing, virtual currencies, and social media
- Handling data breaches and privacy complaints
- Representing clients during privacy-related matters before federal and state courts, administrative agencies, and professional boards
- Responding to subpoenas and law enforcement inquiries as well as privacy torts / class actions
- Managing eDiscovery and data governance
Our goal is simple: to help our clients reduce their cyber, privacy, and data liability risks. We accomplish this through education and by implementing a variety of risk-transfer mechanisms focused on each client’s unique needs. These mechanisms include training, risk assessments, policy creation, contracts, and insurance. While no level of cybersecurity prevention can completely eliminate cyber-risk, the firm’s holistic and pragmatic approach can help reduce the likelihood of an incident occurring and, in conjunction with cyberforensic experts, help mitigate the legal, liability, and other consequences arising out of a cybersecurity incident.