Privacy & Information Security Law Blog

Hunton & Williams announces the formation of a cross-disciplinary legal team dedicated to guiding companies through the minefield of regulatory and cyber-related risks associated with high-stakes corporate mergers and acquisitions. 

On March 9, 2017, AllClear ID will host a webinar with Hunton & Williams partner and chair of the Global Privacy and Cybersecurity practice Lisa J. Sotto on the new cybersecurity regulations from the New York State Department of Financial Services (“NYDFS”).

China’s new Cybersecurity Law will impose new restrictions on information flows from operators of key information infrastructure, and will become effective in June 2017. Hunton & Williams LLP will host a webinar on China’s New Cybersecurity Law on March 7, 2017, at 12:00 p.m. EST.

On February 13, 2017, the Parliament of Australia passed legislation that amends the Privacy Act of 1988 (the “Privacy Act”) and requires companies with revenue over $3 million AUD ($2.3 million USD) to notify affected Australian residents and the Australian Information Commissioner (the “Commissioner”) in the event of an “eligible data breach.”

On February 4, 2017, the Cyberspace Administration of China published a draft of its proposed Measures for the Security Review of Network Products and Services (the “Draft”). Under the Cybersecurity Law of China, if an operator of key information infrastructure purchases network products and services that may affect national security, a security review is required. The Draft provides further hints of how these security reviews may actually be carried out, and is open for comment until March 4, 2017.

On February 1, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced a $3.2 million civil monetary penalty against Children’s Medical Center of Dallas (“Children’s”) for alleged ongoing violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules, following two consecutive breaches of patient electronic protected health information (“ePHI”). This is the third enforcement action taken by OCR in 2017, following the respective actions taken against MAPFRE Life Insurance of Puerto Rico and Presence Health earlier in January.

On January 19, 2017, the North American Electric Reliability Corporation (“NERC”) released a draft Reliability Standard CIP-013-1 – Cyber Security – Supply Chain Risk Management (the “Proposed Standard”). The Proposed Standard addresses directives of the Federal Energy Regulatory Commission (“FERC”) in Order No. 829 to develop a new or modified reliability standard to address “supply chain risk management for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations.” 

On January 18, 2017, the Department of Homeland Security (“DHS”) issued an updated National Cyber Incident Response Plan (the “Plan”) as directed by Obama’s Presidential Policy Directive 41, issued this past summer, and the National Cybersecurity Protection Act of 2014.

On January 10, 2017, the National Institute of Standards and Technology (“NIST”) released proposed updates to the Framework for Improving Critical Infrastructure Cybersecurity (the “Cybersecurity Framework”). The proposed updates, which are found in Version 1.1 of the Cybersecurity Framework, are derived from feedback received by NIST regarding the first version, including from responses to a December 2015 request for information and discussions at a workshop held in April 2016.

Last month, the Standing Committee of the National People’s Congress of China published a full draft of the E-commerce Law (the “Draft”) and is giving the general public an opportunity to comment on the draft through January 26, 2017.

On January 3, 2017, the Office of Management and Budget (“OMB”) issued a memorandum (the “Breach Memorandum”) advising federal agencies on how to prepare for and respond to a breach of personally identifiable information (“PII”). The Breach Memorandum, which is intended for each agency’s Senior Agency Official for Privacy (“SAOP”), updates OMB’s breach notification policies and guidelines in accordance with the Federal Information Security Modernization Act of 2014 (“FISMA”).

On December 28, 2016, the New York State Department of Financial Services (“DFS”) announced an updated version of its cybersecurity regulation for financial institutions (the “Updated Regulation”). The Updated Regulation will become effective on March 1, 2017.

On December 14, 2016, the FTC announced that the operating companies of the AshleyMadison.com website (collectively, the “Operators”) have settled with the FTC and a coalition of state regulators over charges that the Operators deceived consumers and failed to protect users’ personal information. The FTC worked with a coalition of 13 states, the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner to resolve this matter, which was initiated in the wake of the website’s July 2015 data breach.

The Privacy team at Hunton & Williams has authored several chapters of the recently published 2017 guide to data protection and privacy for Getting the Deal Through. The publication covers data privacy and data protection laws in 26 jurisdictions across the globe. Wim Nauwelaerts, Privacy team partner in the firm’s Brussels office, served as the contributing editor of the guide and co-authored the Belgium chapter and the EU overview.

Hunton & Williams LLP is proud to announce our Privacy & Information Security Law Blog has been named the top Cybersecurity and Information Privacy blog by The Expert Institute and #2 overall Best AmLaw Blog of 2016. All of our lawyers and contributors thank you for your support in making the blog a success.

On December 6, 2016, Hunton & Williams announced the release of the second edition treatise Privacy and Cybersecurity Law Deskbook (Wolters Kluwer Legal & Regulatory U.S.) by lead author Lisa J. Sotto, head of the firm’s Global Privacy and Cybersecurity practice. The Deskbook has become an essential tool for those involved in managing privacy and cybersecurity law issues. “The treatise provides a roadmap to comply with global data protection laws, navigate and comply with state breach notification requirements, and stay informed on emerging legal trends,” said Sotto. Members of the global practice group also contributed to the Deskbook. 

On December 1, 2016, the nonpartisan Commission on Enhancing Cybersecurity (the “Commission”), established in February 2016 by President Obama as part of a $19 billion Cybersecurity National Action Plan, issued its Report on Securing and Growing the Digital Economy (the “Report”), which includes recommended actions that the government and private sector can take over the next 10 years to improve cybersecurity.

On November 14, 2016, Lincoln Financial Securities Corp. (“LFS”), a subsidiary of Lincoln Financial Group, entered into a settlement (the “Settlement”) with the Financial Industry Regulatory Authority (“FINRA”), requiring LFS to pay a $650,000 fine and implement stronger cybersecurity protocols following a 2012 hack into its cloud-based server.

On November 14, 2016, the National Institute of Standards and Technology (“NIST”) published guidance on cybersecurity for internet-connected devices, Systems Security Engineering: Considerations for A Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems (the “Guidance”). Citing “the continuing frequency, intensity, and adverse consequences of cyber-attacks,” the Guidance “addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems.”

On November 7, 2016, Adobe Systems Inc. (“Adobe”) entered into an assurance of voluntary compliance (“AVC”) with 15 state attorneys general to settle allegations that the company lacked proper measures to protect its systems from a 2013 cyber attack that resulted in the theft of the personal information of millions of customers. Under the terms of the AVC, Adobe must pay $1 million to the attorneys general and implement new data security policies and practices.

As reported on the Insurance Recovery blog, earlier this week, retailer Tesco Plc’s (“Tesco”) banking branch reported that £2.5 million (approximately $3 million) had been stolen from 9,000 customer bank accounts over the weekend in what cyber experts said was the first mass hacking of accounts at a western bank. The reported loss still is being investigated by UK authorities, but is believed to have occurred through the bank’s online banking system. The loss, which is about half of what Tesco initially estimated, is still substantial and serves as a strong reminder that ...

On October 25, 2016, the United States Department of Treasury’s Financial Crimes Enforcement Network (“FinCEN”) issued an advisory entitled Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime (the “Advisory”), to help financial institutions understand how to fulfill their Bank Secrecy Act obligations with regard to cyber events and cyber-enabled crime. The Advisory indicates that SAR reporting is mandatory for cyber events where the financial institution “knows, suspects or has reason to suspect a cyber-event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions….” Implementing this new guidance will require increased collaboration between AML and cybersecurity or IT departments in large institutions, and may create challenges for smaller banks that are more likely to outsource their cybersecurity functions.

On November 7, 2016, the Standing Committee of the National People’s Congress of China enacted the final Cybersecurity Law after it held its third reading of the draft Cybersecurity Law on October 31, 2016. The first draft of the Cybersecurity Law was published for comment more than a year ago, followed by the second draft in July this year. The final Cybersecurity Law will apply from June 1, 2017.

On October 31, 2016, the Standing Committee of the National People’s Congress of China held a third reading of the draft Cybersecurity Law (the “third draft”). As we previously reported, the second draft of the Cybersecurity Law was published for comment in June. The National People’s Congress has not yet published the full text of the third draft of the Cybersecurity Law.

This post has been updated. 

On October 27, 2016, the Federal Communications Commission (“FCC”) announced the adoption of rules that require broadband Internet Service Providers (“ISPs”) to take steps to protect consumer privacy (the “Rules”). According to the FCC’s press release, the Rules are intended to “ensure broadband customers have meaningful choice, greater transparency and strong security protections for their personal information collected by ISPs.” 

The National Highway Safety Administration (“NHTSA”) recently issued non-binding guidance that outlines best practices for automobile manufacturers to address automobile cybersecurity. The guidance, entitled Cybersecurity Best Practices for Modern Vehicles (the “Cybersecurity Guidance”), was recently previewed in correspondence with the House of Representatives' Committee on Energy and Commerce (“Energy and Commerce Committee”).

On October 25, 2016, the Federal Trade Commission released a guide for businesses on how to handle and respond to data breaches (the “Guide”). The 16-page Guide details steps businesses should take once they become aware of a potential breach. The Guide also underscores the need for cyber-specific insurance to help offset potentially significant response costs.

On October 18, 2016, the United States Court of Appeals for the Fifth Circuit held in Apache Corp. v. Great American Ins. Co., No 15-20499 (5th Cir. Oct. 18, 2016), that a crime protection insurance policy does not cover loss resulting from a fraudulent email directing funds to be sent electronically to the imposter’s bank account because the scheme did not constitute “computer fraud” under the policy.

Earlier this month, Hunton & Williams announced that Global Privacy and Cybersecurity partner Aaron P. Simpson has switched to London from the firm’s New York office. He will continue his work on behalf of clients as a leader of the firm’s Global Privacy and Cybersecurity practice.

On October 14, 2016, the National Highway Transportation Administration (“NHTSA”) indicated in a letter to Congress that it intends to issue new best practices on vehicle cybersecurity. This letter came in response to an earlier request from the House Committee on Energy and Commerce (“Energy and Commerce Committee”) that NHTSA convene an industry-wide effort to develop a plan to address vulnerabilities posed to vehicles by On-Board Diagnostics (“OBD-II”) ports. Since 1994, the Environmental Protection Agency has required OBD-II ports be installed in all vehicles so that they can be tested for compliance with the Clean Air Act. OBD-II ports provide valuable vehicle diagnostic information and allow for aftermarket devices providing services such as “good driver” insurance benefits and vehicle tracking. Because OBD-II ports provide direct access to a vehicle’s internal network; however, OBD-II ports are widely cited as the central vulnerability to vehicle cybersecurity.

On October 19, 2016, the Federal Deposit Insurance Corporation (“FDIC”), the Federal Reserve System (the “Fed”) and Office of the Comptroller of the Currency issued an advance notice of proposed rulemaking suggesting new cybersecurity regulations for banks with assets totaling more than $50 billion (the “Proposed Standards”).

On October 11, 2016, Group of Seven (“G-7”) financial leaders endorsed the Fundamental Elements of Cybersecurity for the Financial Sector (“Best Practices”), a set of non-binding best practices for banks and financial institutions to address cybersecurity threats. The endorsement was motivated by recent large hacks on international banks, including the February 2016 theft of $81 million from the central bank of Bangladesh’s account at the New York Federal Reserve.

A recent study from the National Institute of Standards and Technology (“NIST”) warns that an overabundance of computer security measures might actually lead users to engage in “risky computing behavior at work and in their personal lives.”

On October 27, 2016, the Federal Communications Commission (“FCC”) will vote on whether to finalize proposed rules (the "Proposed Rules”) concerning new privacy restrictions for Internet Service Providers (“ISPs”). The Proposed Rules, which revise previous versions introduced earlier this year, would require customers’ explicit (or “opt-in”) consent before an ISP can use or share a customer’s personal data, including web browsing and app usage history, geolocation data, children’s information, health information, financial information, email and other message contents and Social Security numbers.

On October 4, 2016, the U.S. Department of Defense (“DoD”) finalized its rule implementing the mandatory cyber incident reporting requirements for defense contractors under 10 U.S.C. §§ 391 and 393 (the “Rule”). The Rule applies to DoD contractors and subcontractors that are targets of any cyber incident with a potential adverse impact on information systems and “covered defense information” on those systems.

Episode 3: Lessons Learned

In the third segment of our 3-part series with Lawline, Lisa J. Sotto, head of our Global Privacy and Cybersecurity practice at Hunton & Williams LLP, discusses the details of the post-mortem following a data breach and the role of boards of directors before, during and after a breach. “We always want to revisit our incident response plan…and make changes to incorporate the lessons learned from a cyber event,” Sotto says. “We seek to ensure senior leadership understands how to prevent these events from happening in the future.”

View the third ...

Episode 2: Response

In the second segment of our 3-part series with Lawline, Lisa J. Sotto, head of our Global Privacy and Cybersecurity practice at Hunton & Williams LLP, discusses data breach notification obligations and actions to take to manage the regulatory onslaught in the aftermath of a breach. Sotto notes that “these investigations are challenging because the threat actors are enormously sophisticated, and in some circumstances we can never figure out what happened.”

View the second segment and the presentation materials.

On September 20, 2016, the Department of Transportation, through the National Highway Traffic Safety Administration (“NHTSA”), released federal cyber guidance for autonomous cars entitled Federal Automated Vehicles Policy (“guidance”).

Episode 1: Identify & Mobilize

In the first segment of our 3-part series with Lawline, Lisa J. Sotto, head of our Global Privacy and Cybersecurity practice at Hunton & Williams LLP, explains how to identify a cyber incident, mobilize your incident response team, coordinate with law enforcement and conduct an investigation.

View the first segment and the presentation materials.

On September 13, 2016, New York Governor Andrew Cuomo announced a proposed regulation that would require banks, insurance companies and other financial services institutions to establish and maintain a cybersecurity program designed to ensure the safety of New York’s financial services industry and to protect New York State from the threat of cyber attacks. 

In Part 3 of Lisa J. Sotto’s discussion at Bloomberg Law’s Second Annual Big Law Business Summit, she speaks on supply and demand in the privacy and cybersecurity fields. Lisa, partner and head of Hunton & Williams LLP’s Global Privacy and Cybersecurity practice group, points out that “demand very much outweighs supply.” To be a successful lawyer in this field, Lisa emphasizes the need for experience, recognizing that, “there is so much nuance, [and data privacy is] culturally based so you cannot just open a book and understand what to do.” In the next 10 years, Lisa hopes ...

As we previously reported, Lisa J. Sotto, partner and head of Hunton & Williams LLP’s Global Privacy and Cybersecurity practice group, spoke at Bloomberg Law’s Second Annual Big Law Business Summit on changes in the privacy and security legal landscape. In Part 2 of her discussion, Lisa speaks about the evolution of privacy laws over the years. The “hundreds of [privacy laws] at the federal and state level,” as well as data protection laws in countries all over the world, is a far cry from the landscape in 1999 when Lisa started the privacy practice at Hunton & Williams. To keep up ...

Last month, the People’s Republic of China’s Ministry of Transportation, Ministry of Industry and Information Technology and six other administrative departments jointly published the Interim Measures for the Administration of Operation and Services of E-hailing Taxis (the “Measures”). E-hailing is an increasingly popular business in China and has already become a compelling alternative to the traditional taxi. The Measures seek to regulate this emerging industry, and will come into effect on November 1, 2016. Below is a summary of the key requirements.

The Office of Management and Budget (“OMB”) recently issued updates to Circular A-130 covering the management of federal information resources. OMB revised Circular A-130 “to reflect changes in law and advances in technology, as well as to ensure consistency with Executive Orders, Presidential Directives, and other OMB policy.” The revised policies are intended to transform how privacy is addressed across the branches of the federal government.

Lisa J. Sotto, partner and head of Hunton & Williams LLP’s Global Privacy and Cybersecurity practice group, recently spoke at Bloomberg Law’s Second Annual Big Law Business Summit. In Part 1 of the panel discussion, Lisa describes the dramatic changes in the legal landscape of privacy over the last 10 to 15 years, discussing the emergence of privacy laws such as “the Gramm-Leach-Bliley Act for the financial sector, HIPAA for the health care sector and…of course, the local implementation of the European Data Protection Directive.” She then continues to note an ...

On July 26, 2016, the White House unveiled Presidential Policy Directive PPD-41 (“PPD-41”), Subject: United States Cyber Incident Coordination, which sets forth principles for federal responses to cyber incidents approved by the National Security Council (“NCS”). Coming on the heels of several high-profile federal breaches, including the Office of Personnel Management’s loss of security clearance information and the hack of over 700,000 IRS accounts, PPD-41 is a component of President Obama’s Cybersecurity National Action Plan. PPD-41 first focuses on incident response to cyber attacks on government assets, but also outlines federal incident responses to cyber attacks on certain critical infrastructure within the private sector.

On July 25, 2016, Lisa Sotto, partner and head of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP, was interviewed on KUCI 88.9 FM radio’s Privacy Piracy show. Lisa discussed the changing regulatory landscape, information security enforcement actions, the threat actors who attack companies’ data and how to manage the aftermath of a data breach. “There is no industry sector that is exempt [from being targeted],” Lisa says. She notes that, because “data can be sold for a monetary sum, data is now the equivalent of cash.”

Listen to the full interview.

On July 6, 2016, the European Parliament adopted the Directive on Security of Network and Information Systems (the “NIS Directive”), which will come into force in August 2016. EU Member States will have 21 months to transpose the NIS Directive into their national laws. The NIS Directive is part of the European Commission’s cybersecurity strategy for the European Union, and is designed to increase cooperation between EU Member States on cybersecurity issues.

On July 5, 2016, the Standing Committee of the National People’s Congress of the People’s Republic of China (the “Standing Committee”) published the full second draft of the Cybersecurity Law (the “second draft”). The publication of the second draft comes after the Standing Committee’s second reading of the draft on June 27, 2016. The public may comment on the second draft of the Cybersecurity Law until August 4, 2016.

On July 5, 2016, the European Commission announced the launch of a new public-private partnership (the “Partnership”) on cybersecurity, as part of its Digital Single Market and EU Cybersecurity strategies. In this context, the European Commission released several documents, including a Commission Decision establishing a contractual arrangement of the new Partnership for cybersecurity industrial research, and a Staff Working Document on the preparation activities for the Partnership.

On June 27, 2016, the Standing Committee of the National People’s Congress of the People's Republic of China held a second reading of the draft Cybersecurity Law (the “second draft”). The law is aimed at strengthening the protection and security of key information infrastructure and important data in China. As we previously reported, the first draft of the Cybersecurity Law was published for comment almost a year ago, but the National People’s Congress has not published the full second draft of the Cybersecurity Law to date.

On June 15, 2016, the U.S. Department of Homeland Security (“DHS”) and U.S. Department of Justice (“DOJ”) jointly issued final guidance on the Cybersecurity Information Sharing Act of 2015 (“CISA”). Enacted in December 2015, CISA includes a variety of measures designed to strengthen private and public sector cybersecurity. In particular, CISA provides protections from civil liability, regulatory action and disclosure under the Freedom of Information Act (“FOIA”) and other open government laws for “cyber threat indicators” (“CTI”) and “defensive measures” (“DM”) that are shared: (1) among businesses or (2) between businesses and the government through a DHS web portal. Congress passed CISA in order to increase the sharing of cybersecurity information among businesses and between businesses and the government, and to improve the quality and quantity of timely, actionable cybersecurity intelligence in the hands of the private sector and government information security professionals.

In a recent video segment, “What Do You Do with a Hacked Law Firm?”, from Mimesis Law’s Cy-Pher Executive Roundtable held in May, Lisa Sotto, chair of the firm’s Global Privacy and Cybersecurity practice, and other privacy professionals discussed the Federal Trade Commission’s jurisdiction in bringing enforcement actions against law firms in a breach event. “There’s no reason why law firms are exempt from [those actions],” says Sotto. However, if the information lost is financial information or trade secrets rather than personal information, “it’s not ...

In a recent video published by Mimesis Law, Lisa Sotto, chair of the firm’s Global Privacy and Cybersecurity practice, was interviewed during Mimesis Law’s Cy-Pher Executive Roundtable in New York. Sotto, along with several other privacy professionals, discussed the risks that law firms face in protecting their clients’ confidential information, as well as their own data. “[Law firms] are seeing multiple restrictions from clients imposing safeguards on [firms] with respect to their data,” explains Sotto. “Companies that work with law firms need to understand ...

On May 19, 2016, Hunton & Williams LLP and The Advisory Board Company hosted a webinar on How to Discuss Cybersecurity with Your C-Suite and Board of Directors. Hunton partner Matthew Jenkins moderated the session, and speakers included partner Paul Tiao, member of the firm’s Global Technology and Privacy practice, and The Advisory Board Company’s Chief Information Security Officer and Senior Research Director. Together, they provided insight and advice on how to have a productive conversation about security and risk with the most senior leaders in a health care ...

On May 17, 2016, the European Council adopted its position at first reading of the Network and Information Security Directive (the “NIS Directive”). The NIS Directive was proposed by the European Commission on February 7, 2013, as part of its cybersecurity strategy for the European Union, and is designed to increase cooperation between EU Member States on cybersecurity issues.

The NIS Directive will impose security obligations on “operators of essential services” in critical sectors and “digital service providers.” These operators will be required to take measures to manage cyber risks and report major security incidents.

Recently, cybersecurity has become an agenda item for many health care boards and C-level executives. Security is a complex topic and often these senior leaders are poorly informed about the risks their organizations face and the measures needed to address them. Hunton & Williams LLP and The Advisory Board Company will host a webinar on How to Discuss Cybersecurity with Your C-Suite and Board of Directors on May 19, 2016, at 3:00 p.m. Join this webinar to gain insight and advice on how to have a productive conversation about security and risk with the most senior leaders in a health care ...

Recently, the Council of Institutional Investors (“CII”) issued a guide to shareholder engagement on cyber risk. The guide is intended to enable shareholders to ask appropriate questions of boards to gauge whether companies are taking proper steps to mitigate cyber risk. The guide poses the following five questions:

• How are the company’s cyber risks communicated to the board, by whom and with what frequency?
• Has the board evaluated and approved the company’s cybersecurity strategy?
• How does the board ensure that the company is organized appropriately to address cybersecurity risks? Does management have the skill sets it needs?
• How does the board evaluate the effectiveness of the company’s cybersecurity efforts?
• When did the board last discuss whether the company’s disclosure of cyber risk and cyber incident is consistent with SEC guidance?

In its third simulated test of the security of the power grid, the North American Reliability Corporation (“NERC”) reported general progress across the electric utility industry in defending against physical and cyber threats, while also identifying several areas for further improvement.

The NERC exercise, dubbed GridEx III, took place over two days in November 2015 and involved more than 4,400 individuals from 364 industry, law enforcement and government organizations across the United States, Canada and Mexico. The main objectives of the exercise were to test crisis response and recovery, improve communication, identify problem areas and engage senior-level leadership in the organizations involved.

On March 30 through April 1, 2016, the 2016 Nuclear Industry Summit meetings took place in Washington D.C. In the nuclear industry, the issue of cybersecurity has grown steadily in importance over the past decade. This has been most apparent in the increasing attention and effort paid to cyber-based threats under the biennial Nuclear Industry Summit and its international meetings.

Team helps companies devise legal strategies to enhance security and mitigate threat risk.

On April 4, 2016, Hunton & Williams LLP announced the formation of a Cyber and Physical Security Task Force to assist companies in minimizing the risks and consequences of a serious security incident. The task force is being led by global privacy and cybersecurity head Lisa Sotto, cybersecurity partner Paul Tiao, and energy partner Kevin Jones, and includes lawyers from a wide range of practice groups within the firm.

On March 18, 2016, a report was released by a joint team from the North American Electric Reliability Corporation’s Electricity Information Sharing Analysis Center and SANS Industrial Control Systems. According to the report, the cyber attack against a Ukrainian electric utility in December 2015 that caused 225,000 customers to lose power for several hours was based on months of undetected reconnaissance that gave the attackers a sophisticated understanding of the utility’s supervisory control and data acquisition networks.

Recently, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) published two guidance documents related to HIPAA compliance. To help mobile app developers understand HIPAA compliance obligations, OCR published guidance on the use of mobile health apps (the “Health App Guidance”). OCR also released a crosswalk (the “Crosswalk”) that maps the National Institute of Standards and Technology (“NIST”) Framework for Improving Critical Infrastructure Cybersecurity Framework (the “NIST Cybersecurity Framework”) to the HIPAA Security Rule.

On February 16, 2016, California Attorney General Kamala D. Harris released the California Data Breach Report 2012-2015 (the “Report”) which, among other things, provides (1) an overview of businesses’ responsibilities regarding protecting personal information and reporting data breaches and (2) a series of recommendations for businesses and state policy makers to follow to help safeguard personal information.

On February 16, 2016, the Department of Homeland Security (“DHS”), in collaboration with other federal agencies, released a series of documents outlining procedures for both federal and non-federal entities to share and disseminate cybersecurity information. These documents were released as directed by the Cybersecurity Act of 2015 (the “Act”), signed into law on December 18, 2015. The Act outlines a means by which the private sector may enjoy protection from civil liability when sharing certain cybersecurity information with the federal government and private entities. These documents represent the first steps by the executive branch to implement the Act.

On February 9, 2016, President Obama signed an Executive Order establishing a permanent Federal Privacy Council (“Privacy Council”) that will serve as the principal interagency support structure to improve the privacy practices of government agencies and entities working on their behalf. The Privacy Council is charged with building on existing interagency efforts to protect privacy and provide expertise and assistance to government agencies, expand the skill and career development opportunities of agency privacy professionals, improve the management of agency privacy programs, and promote collaboration between and among agency privacy professionals.

On December 30, 2015, the Department of Defense (“DoD”) issued a second interim rule (80 F. R. 81472) that extends the deadline by which federal contractors must implement the new cybersecurity requirements previously issued by the agency.  This extension pushes back the compliance deadline to December 31, 2017.

On December 16, 2015, leaders in the U.S. House of Representatives and Senate released a $1.1 trillion omnibus spending bill that contained cybersecurity information sharing language that is based on a compromise between the Cybersecurity Information Sharing Act, which passed in the Senate in October, and two cybersecurity information sharing bills that passed in the House earlier this year. Specifically, the omnibus spending bill included Division N, the Cybersecurity Act of 2015 (the "Act"). 

On December 7, 2015, European negotiators reached an agreement on the draft text of the Network and Information Security Directive (the “NIS Directive”), the first pan-EU rules on cybersecurity. The NIS Directive was first proposed by the European Commission on February 7, 2013, as part of its cybersecurity strategy for the European Union and aims to ensure a uniform level of cybersecurity across the EU.

Hunton & Williams LLP’s Aaron Simpson, partner in the firm’s Global Privacy and Cybersecurity practice, and Adam Solomon, associate, co-authored an article in Pratt’s Privacy & Cybersecurity Law Report entitled Dealmakers Ignore Cyber Risks At Their Own Peril.

On October 27, 2015, the U.S. Senate passed S.754 - Cybersecurity Information Sharing Act of 2015 (“CISA”) by a vote of 74 to 21. CISA is intended to facilitate and encourage the sharing of Internet traffic information between and among companies and the federal government to prevent cyber attacks, by giving companies legal immunity from antitrust and privacy lawsuits. CISA comes in the wake of numerous recent, high-profile cyber attacks.

When novelist William Gibson said, “[t]he future is already here, it’s just not very evenly distributed,” he may have had innovation like blockchain technology in mind. In the near future, blockchain may become the new architecture of a reinvented global financial services infrastructure. The technology – a distributed, consensus-driven ledger that enables and records encrypted digital asset transfers without the need of a confirming third party – is revolutionary to global financial services, whose core functions include the trusted intermediary role (e.g., payment processor, broker, dealer, custodian).

On September 22, 2015, the Securities and Exchange Commission (“SEC”) announced a settlement order (the “Order”) with an investment adviser for failing to establish cybersecurity policies and procedures, and published an investor alert (the “Alert”) entitled Identity Theft, Data Breaches, and Your Investment Accounts.

On September 15, 2015, the Office of Compliance, Inspections and Examinations (“OCIE”) at the U.S. Securities and Exchange Commission (“SEC”) issued a Risk Alert outlining its latest cybersecurity examination priorities for SEC-registered broker-dealers and investment advisers.

On August 26, 2015, the U.S. Department of Defense (“DoD”) published an interim rule entitled Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013–D018) (the “Interim Rule”), that streamlines the obligations for contractors to report network penetrations and establishes DoD requirements for contracting with cloud computing service providers. The Interim Rule amends the information security contracting framework set forth in the Defense Federal Acquisition Regulation Supplement (“DFARS”) to implement section 941 of the National Defense Authorization Act (“NDAA”) for Fiscal Year (“FY”) 2013 and section 1632 of the NDAA for FY 2015, both of which impose cyber incident reporting obligations on contractors.

On July 16, 2015, the Federal Energy Regulatory Commission (“FERC”) issued a new Notice of Proposed Rulemaking (“NOPR”) addressing the critical infrastructure protection (“CIP”) reliability standards. The NOPR proposes to accept with limited modifications seven updated CIP cybersecurity standards. The NOPR also proposes that new requirements be added to the CIP standards to protect supply chain vendors against evolving malware threats and addresses risks to utility communications networks.

On July 6, 2015, the Standing Committee of the National People’s Congress of the People’s Republic of China published a draft of the country’s proposed Network Security Law (the “Draft Cybersecurity Law”). A public comment period on the Draft Cybersecurity Law is now open until August 5, 2015.

On July 9, 2015, the National Telecommunications and Information Administration (“NTIA”) announced the launch of its first cybersecurity multistakeholder process, in which representatives from across the security and technology industries will meet in September to discuss vulnerability research disclosure.

On June 29, 2015, Lisa J. Sotto, partner and head of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP, was profiled in a Crain’s New York Business article entitled Lawyer Goes Into the Breach. The feature highlights the Hunton & Williams privacy team and the tireless work they do for their clients. Here is an excerpt from the article:

“Ms. Sotto came to her corner of the financial world a decade ago, after years working as an environmental lawyer. Spearheading Superfund cases was rewarding, but she was intrigued by the then-nascent field of mopping up messes for ...

Hunton & Williams LLP partners Lisa J. Sotto, Scott H. Kimpel and Matthew P. Bosher recently published an article in Westlaw Journal’s Securities Litigation & Regulation entitled SEC Cybersecurity Investigations: A How-to Guide. The article details the U.S. Securities and Exchange Commission’s (“SEC’s”) role in cybersecurity regulation and enforcement, and offers best practice tips for navigating the investigative process. In the article, the authors note that the threat of an SEC enforcement investigation must be considered an integral part of cybersecurity ...

Hunton & Williams LLP’s Global Privacy and Cybersecurity practice group has written a portfolio for Bloomberg BNA on information security and data breach issues in the United States and globally. Cybersecurity and Data Breach offers a broad overview of relevant legal requirements in the United States, European Union and select countries around the world. The portfolio includes practical guidance and advice on managing a data security breach, from managing an investigation and conducting remediation to providing notification to affected individuals, regulators, consumer reporting agencies, employees, boards of directors and the public. It also provides details on proactive cyber readiness activities such as preparing an Incident Response Plan, conducting tabletop exercises, and developing a vendor and employee management program. Cybersecurity and Data Breach is available at Bloomberg BNA’s Privacy & Data Security Law Resource Center and also at Bloomberg Law.

After a number of high-profile data breaches, corporate cybersecurity is facing increased scrutiny and attention from consumers, the government and the public. In a webinar, entitled Cyber Insurance: Addressing Your Risks and Liabilities, hosted by Hunton & Williams LLP and CT, Hunton & Williams partners Lon A. Berk and Lisa J. Sotto provide a background into the current cyber threats and educate companies and their counsel on how to take full advantage of their existing insurance programs and specialized cyber insurance products to effectively and proactively address cyber ...

Last week, the Cybersecurity Unit of the U.S. Department of Justice (the “Justice Department”) released a guidance document, entitled Best Practices for Victim Response and Reporting of Cyber Incidents (“Guidance”), discussing best practices for cyber incident response preparedness based on lessons learned by federal prosecutors while handling cyber investigations and prosecutions. The Guidance is intended to assist organizations with preparing to respond to a cyber incident, and emphasizes that that the best time to plan a cyber response strategy is before an incident occurs. The Justice Department drafted the Guidance with smaller, less-experienced organizations in mind, but also believes that larger organizations may benefit from its summary of best practices.

The House of Representatives passed two complimentary bills related to cybersecurity, the “Protecting Cyber Networks Act” (H.R. 1560) and the “National Cybersecurity Protection Advancement Act of 2015” (H.R. 1731). These bills provide, among other things, liability protection for (1) the use of monitoring and defensive measures to protect information systems, and (2) the sharing of cybersecurity threat information amongst non-federal entities and with the federal government. With the Senate having just recently overcome disagreement on sex trafficking legislation and the Attorney General nomination, that body is now expected to consider similar information sharing legislation entitled the “Cybersecurity Information Sharing Act” (S. 754) in the coming weeks. Assuming S. 754 also is passed by the Senate, the two Chambers of Congress will convene a Conference Committee to draft a single piece of legislation which will be then voted on by the House and Senate, before heading to the President’s desk. The White House has not committed to signing any resulting legislation, but has signaled some positive support.

From Wall Street to Main Street to Hollywood, steering clear of a data breach is challenging in a world where it is no longer a question of if but rather a matter of when your company will be hit. Hunton & Williams’ Chair of the Global Privacy and Cybersecurity practice Lisa Sotto speaks in depth with associate Brittany Bacon about three groups of attackers, how they are infiltrating IT systems, what they are looking for, and how you can prepare. Today, Sotto says, cybersecurity is a legal issue, a risk issue and a governance issue, and one that matters to shareholders, boards of directors ...

As reported in Bloomberg BNA, on April 1, 2015, the White House announced that President Obama has signed a new executive order providing the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, the ability to impose sanctions on individuals and entities that engage in certain cyber-enabled activities. The signed executive order, entitled Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities (the “Executive Order”), focuses on blocking the property or interests in property located in the United States of persons engaging in cyber-enabled activities that cause a significant threat to the national security, foreign policy, economic health or financial stability of the U.S. (collectively, the “Significant Threat”).

On March 13, 2015, the U.S. Department of Commerce Internet Policy Task Force (“IPTF”) issued a request for public comment regarding cybersecurity issues affecting the digital economy. The IPTF’s request invites all stakeholders interested in cybersecurity to “identify substantive cybersecurity issues that affect the digital ecosystem and digital economic growth where broad consensus, coordinated action, and the development of best practices could substantially improve security for organizations and consumers.” For each issue identified, the IPTF’s request for comment asks interested parties to opine on a series of questions, including (1) why the issue is suited to a multistakeholder process and (2) why a multistakeholder process would benefit the digital ecosystem.

On March 3, 2015, Steven Barnes, the host of the new Penn Law podcast series, Case in Point: Great Minds on Law and Life, interviewed Lisa Sotto, partner and chair of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP, and Anita Allen, professor of law and philosophy at the University of Pennsylvania Law School and vice provost for faculty on trends in privacy and cybersecurity, discussing what we mean when we talk about our right to privacy.

On March 2, 2015, HuffPost Live interviewed four cybersecurity experts in response to a top financial regulator’s warning of an “Armageddon-type cyber event” that could eventually affect the U.S. economy. Lisa Sotto, partner and chair of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP, was featured, describing the threat as legitimate and stressing that hackers are becoming more creative, sophisticated and motivated. She also emphasized that cybersecurity is a high-level governance issue for companies, not an IT matter.

On February 12, 2015, the Office of the Privacy Commissioner of Canada released a research report entitled Privacy and Cyber Security - Emphasizing privacy protection in cyber security activities (the “Report”). The Report explores the interconnected relationship among cybersecurity, privacy and data protection, including common interests and challenges.

On February 13, 2015, at the White House’s Cybersecurity and Consumer Protection Summit at Stanford University, President Obama signed an executive order promoting private sector cybersecurity information sharing (“Executive Order”). Building on the current cybersecurity information sharing efforts of Information Sharing and Analysis Centers and groups such as the National Cyber-Forensics and Training Alliance, the new Executive Order emphasizes the need for private companies, non-profit organizations and government agencies to share information about cyber threats, vulnerabilities and incidents. Its purpose is to facilitate private-private and public-private cybersecurity information sharing while (1) protecting the privacy and civil liberties of individuals; (2) protecting business confidentiality; (3) safeguarding shared information; and (4) protecting the government’s ability to detect, investigate, prevent and respond to cyber threats.

On February 3, 2015, the Securities and Exchange Commission (“SEC”) released a Risk Alert, entitled Cybersecurity Examination Sweep Summary, summarizing observations from the recent round of cybersecurity examinations of registered broker-dealers and investment advisers under the Cybersecurity Examination Initiative. Conducted by the SEC Office of Compliance Inspections and Examinations (“OCIE”) from 2013 through April 2014, the examinations inspected the cybersecurity practices of 57 registered broker-dealers and 49 registered investment advisers through interviews and document reviews. The examinations evaluated the institutions’ practices in key areas such as risk management, cybersecurity governance, network security, information protection, vendor management and incident detection.

On January 13, 2015, President Obama announced legislative proposals and administration efforts with respect to cybersecurity, including a specific proposal for a national data breach notification standard. Aside from the national data breach notification standard, the President’s other proposals are designed to (1) encourage the private sector to increase the sharing of information related to cyber threats with the federal government and (2) modernize law enforcement to effectively prosecute illegal conduct related to cybersecurity.

On January 6, 2015, Federal Trade Commission Chairwoman Edith Ramirez gave the opening remarks on “Privacy and the IoT: Navigating Policy Issues” at the 2015 International Consumer Electronics Show (“International CES”) in Las Vegas, Nevada. She addressed the key challenges the Internet of Things (“IoT”) poses to consumer privacy and how companies can find appropriate solutions that build consumer trust.

On January 12, 2015, President Obama announced at the Federal Trade Commission several new initiatives on data security and consumer privacy as part of a weeklong focus on privacy and cybersecurity. He noted that on January 13 at the Department of Homeland Security, he would address how to improve protections against cyber attacks, and on January 14, he would address how more Americans can have access to faster and cheaper broadband Internet. He stated that the announcements he is making this week are “sneak previews” of the proposals he will make in next week’s State of the Union address.

In a flurry of activity on cybersecurity in the waning days of the 113th Congress, Congress unexpectedly approved, largely without debate and by voice vote, four cybersecurity bills that: (1) clarify the role of the Department of Homeland Security (“DHS”) in private-sector information sharing, (2) codify the National Institute of Standards and Technology’s (“NIST”) cybersecurity framework, (3) reform oversight of federal information systems, and (4) enhance the cybersecurity workforce. The President is expected to sign all four bills. The approved legislation is somewhat limited as it largely codifies agency activity already underway. With many observers expecting little legislative activity on cybersecurity before the end of the year, however, that Congress has passed and sent major cybersecurity legislation to the White House for the first time in 12 years may signal Congress’ intent to address systems protection issues more thoroughly in the next Congress.

On December 10, 2014, the New York State Department of Financial Services (the “Department”) announced that it issued an industry guidance letter to all Department-regulated banking institutions that formally introduces the Department’s new cybersecurity preparedness assessment process. The letter announces the Department’s plans to expand its information technology examination procedures to increase focus on cybersecurity, which will become a regular, ongoing part of the Department’s bank examination process.

On December 5, 2014, the National Institute of Standards and Technology (“NIST”) released an update on the implementation of the Framework for Improving Critical Infrastructure Cybersecurity (“Framework”). NIST issued the Framework earlier this year in February 2014 at the direction of President Obama’s February 2013 Critical Infrastructure Executive Order. The update is based on feedback NIST received in October at the 6th Cybersecurity Framework Workshop as well as from responses to an August Request for Information.

Hunton & Williams Insurance Litigation & Counseling partner Lon Berk reports:

As the demand for cyber insurance has skyrocketed, so too has the cost. One broker estimates that sales in 2014 will double from the $1 billion premium collected in 2013. Much of the increase in demand and cost has been the result of the widely publicized hacks of the point-of-sale systems at large retailers, and the primary emphasis of most cyber policies is to address liability arising from such events. New payment technologies, however, will change the need for this type of cyber insurance. American Express recently announced a token service; Apple incorporated ApplePay into its new iPhones; and a group of retailers, the Merchant Customer Exchange, is working on the release of a new payment technology as well. These technologies, although different in detail, eliminate the need for merchants to collect unencrypted payment card information from customers, significantly reducing the risk created by point-of-sale malware.

On November 3, 2014, the Federal Financial Institutions Examination Council (“FFIEC”), on behalf of its members, released a report entitled FFIEC Cybersecurity Assessment General Observations (the “Report”) that contains observations from recent cybersecurity assessments conducted at over 500 community financial institutions as part of the FFIEC cybersecurity examination work program. The Report summarizes themes from the assessments and provides suggested questions for chief executive officers and boards of directors to ask when assessing their institutions’ cybersecurity preparedness. In light of the assessments, the FFIEC announced that its members will review and update current FFIEC cybersecurity guidance.