Cybersecurity Law Policy Management | News & Insights
Cybersecurity and the Law
Policy Management

  • Countdown to CCPA #2: GDPR Compliance Does Not Equal CCPA Compliance
    06/03/2019

    The California Consumer Privacy Act of 2018 (CCPA) goes into effect on January 1, 2020. The Act grants “consumers” (any California resident regardless of whether there is a customer or any other relationship with the covered business) five new rights respecting their personal information.

  • The Deadline Looms for New York Cybersecurity Regulations Vendor Compliance Requirements
    01/16/2019

    Financial institutions regulated by the New York Department of Financial Services (DFS)—referred to in this post as “Covered Entities”—should by now be well familiar with the department’s sweeping cybersecurity regulation, 23 NYCRR 500, that became effective on March 1, 2017. The regulation delves into a level of detail (e.g., multi-factor authentication and encryption requirements) and requires a level of senior level attention (e.g., annual attestation of compliance, signed by the Board of Directors or a Senior Officer) heretofore unseen in U.S. federal or state regulations.

  • The EU’s Gift to Cybercriminals
    05/28/2018

    The torrent of news stories about cyberattacks and data breaches never seems to slow, but law-enforcement agencies have tallied some significant victories against online criminals. Websites spewing Islamic State propaganda have been sidelined, thanks to joint efforts by American and European authorities. So have sites on the “dark web” selling illegal drugs, hacking for hire, and other unsavory items and services.

  • New Proposed DoD Cyber Guidance May Fuel Bid Protest Docket
    May 16, 2018

    Newly published draft DoD Guidance for Reviewing System Security Plans (SSP) and the “NIST SP 800-171 Security Requirements Not Yet Implemented” answer some questions but may also result in an increased protest docket due to ambiguous evaluation criteria.

  • Déjà Vu All Over Again: SEC Provides Cybersecurity Guidance
    Feb. 26, 2018

    On February 21, 2018, the SEC issued an interpretive release regarding disclosure obligations relating to cybersecurity risks and incidents, which builds upon (and, some have lamented, largely repeats) guidance issued by the SEC staff in 2011.

  • December 31, 2017 Deadline for Cybersecurity under DFARS 252.204-7012 Re-Interpreted
    Dec. 20, 2017

    Defense Acquisition Regulation Supplement (DFARS) 252.204-7012 requires defense contractors to protect the security of controlled unclassified information (specifically “covered defense information”) residing on or transiting contractor or subcontractor information systems by adopting adequate cybersecurity measures for each of 110 security requirements in 14 security families and to report security incidents, mitigate incidents, and preserve data for the Department of Defense (DoD).

  • Three Birds with One Stone: New Russia, North Korea and Iran Sanctions
    Aug. 11, 2017

    On August 2, 2017, President Trump signed into law the Countering America’s Adversaries Through Sanctions Act (CAATSA), which strengthened U.S. sanctions on Russia, North Korea and Iran. CAATSA had been passed by overwhelming “veto-proof” majorities of Congress and President Trump signed the bill while expressing reservations concerning the limitations it placed on the President’s authority.

  • Think You Don’t Need Cyber Insurance? This Recent Data Breach Class Action Ruling May Change Your Mind
    Aug. 9, 2017

    By now, most companies generally are aware that cyber attacks present substantial risks. Many unfortunately have first-hand experience as victims of an attack. But many companies still do not necessarily view cyber insurance as a “must-have” type of insurance, like general liability or property insurance.

  • In EternalPetya’s Wake, How Could Regulators Punish Victims?
    July 24, 2017

    The impact of EternalPetya’s rampage extends far beyond the immediate concerns of restarting and rebuilding information technology capabilities. Threats of criminal charges loom for some in Europe, while here in the U.S. regulators are ramping up investigations into why and how badly companies fell victim to this cyber campaign.

  • Executive Order 13800 – Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
    May 24, 2017

    President Donald J. Trump signed Executive Order 13800 titled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” on May 11, 2017. The cybersecurity order is divided into three sections: Section 1 – Cybersecurity of Federal Networks; Section 2 – Cybersecurity of Critical Infrastructure; and Section 3 – Cybersecurity for the Nation.

  • DHS Proposes Cybersecurity Procurement Regulation to Safeguard CUI
    April 17, 2017

    In “Federal Contractors Beware: DHS Proposes Robust Cybersecurity Procurement Regulation to Safeguard Controlled Unclassified Information (CUI),” Pillsbury lawyers discuss the proposed Department of Homeland Security (DHS) procurement regulation to safeguard CUI and its internal inconsistencies and ambiguities.

  • New Cybersecurity Regulations from the NY DFS: What Every Insured Should Know
    March 7, 2017

    The vaults of the world’s financial capital are getting stronger locks. On March 1, 2017, new “first-in-the-nation” cybersecurity regulations of the New York Department of Financial Services (DFS) went into effect to protect consumers and the financial system from cyber attacks.

  • Sweeping New York Cyber Regulations Hit Financial Institutions March 1: Time to Look at Those Vendor Relationships
    Feb. 27, 2017

    Effective March 1, 2017, first-in-kind regulations issued by the New York Department of Financial Services will begin to affect a wide array of both depository and non-depository financial institutions. The new regulations will cascade certain requirements upon these financial institutions’ third-party service providers, requiring the financial institutions to take a close look at their vendor relationships.

  • What To Know About The Updated Proposed New York State Department of Financial Services Cybersecurity Regulation
    Feb. 1, 2017

    Companies impacted by the cybersecurity regulation should be aware the revisions will not lessen the burdens or decrease the regulatory risks created by the new cybersecurity obligations. Some of the changes could make it more difficult for companies to demonstrate compliance and that they acted in a reasonable manner after a cybersecurity incident occurred.

  • Cybersecurity Changes Are Rolling In With Waves of Legislation
    May 24, 2016

    Congress’ recent enactment of a wave of legislation to address ongoing cybersecurity threats, the Executive Branch’s recent adoption of new cybersecurity regulations, and other Federal initiatives that are underway will bring additional promised change requiring enhanced cybersecurity protections. This post covers what government contractors need to do to prepare for these changes.

  • OFAC Rings in the New Year with More Details on its Cyber Sanctions Program
    Jan. 5, 2016

    On December 31, 2015, the Office of Foreign Assets Control (OFAC) issued regulations which codify and provide further details on the cybersecurity sanction program introduced on April 1, 2015 under Executive Order (E.O.) 13694. While the Obama administration still has yet to make its first designations under the new program, it will be one to watch in 2016 given the high profile and geo-political challenges of cybercrime.

  • FTC Fines Can Add Salt to a Cybersecurity Wound
    Sept. 30, 2015

    Cyberattacks are on the rise—so much so that we seem to hear about a high-profile hack more often than it probably rains in most parts of California. Although reputational damage from a cyberattack can be scarring, a recent U.S. Third Circuit Court decision provides a reminder that the pain can come in many forms.

  • Under the Thumb: Regulatory Compliance When Outsourcing Cybersecurity Management
    Aug. 26, 2015

    Managed security services are often a natural “add-on” when outsourcing IT services, given that data protection is integral to application development, software as a service, and cloud storage, among other services. One critical consideration to keep in mind prior to outsourcing your cybersecurity is that you cannot outsource your regulatory responsibilities.

  • EU Cybersecurity Regulations – The Costs of Financial Market Infrastructure Resiliency
    Jan. 20, 2015

    Cyber threats have emerged as a growing systemic risk, particularly to the financial sector, in which Financial Market Infrastructures are increasingly under attack from a wide range of players, at greater frequency and growing levels of sophistication. This post summarizes what regulators are doing in Europe to address these threats and describes some of the actions companies everywhere can take to minimize their exposure.

  • Remain Vigilant: Managing Cybersecurity Risks in Third-Party Outsourcing Relationships
    March 4, 2014

    Managing third-party suppliers presents significant compliance challenges that often span an organization, raising legal, insurance, human resources and technology concerns, to name just a few. Corporations will continue to wrestle with these risks in the year ahead, but the convergence of external threats, abundance of valuable corporate data and the current regulatory environment has highlighted the importance of corporate cybersecurity practices.

  • National Cybersecurity Framework Released – Has Your Organization Considered the Implications?
    Feb. 19, 2014

    On February 12, 2014, the National Institute of Standards and Technology released the final version of its Framework for Improving Critical Infrastructure Cybersecurity and the companion NIST Roadmap for Improving Critical Infrastructure Cybersecurity. The most significant change from previous working versions is the removal of a separate privacy appendix criticized as being overly prescriptive and costly to implement in favor of a more general set of recommended privacy practices that should be “considered” by companies.