Anahita Thoms and Peter Jaffe of Freshfields Bruckhaus Deringer look at both cybersecurity requirements and breach notification rules, comparing U.S. laws with the key European Union laws. They focus on the requirements for data controllers because almost every company is a data controller, even if only because it handles its own employees’ data.
Joshua Gold of Anderson Kill P.C. writes: The landscape of insurance coverage for technology risk alters as fast as the risk itself—that is, constantly and dramatically. Today’s conventional wisdom can become obsolete in a heartbeat. Sound risk management will continue to require close monitoring of the situation, smart decision making and adaptability.
Joseph Nocera and Douglas B. Bloom of PwC discuss new regulatory developments, writing that these new rules will require organizations to enhance many aspects of their cybersecurity programs. However, the combination of incident reporting requirements from both FinCEN’s advisory and DFS’s Part 500 demands a level of convergence between financial fraud and cyber controls in the banking industry heretofore unseen.
Seth D. Rothman and Dennis S. Klein of Hughes Hubbard & Reed write: Imagine that your credit card information is stolen in a data breach. Do you have standing to sue the company where the data breach occurred? Most courts would say “no,” not unless the hackers misuse your information and you incur fraudulent charges. But if there is a substantial risk that this may happen and you take steps to prevent it, you may be able to recover your mitigation costs.
John Kennedy, Michelle DeBarge and Timothy Wright of Wiggin and Dana write: Responding to the growing recognition of “third-party risk,” regulators are sharpening their focus on how businesses manage third-party providers, to the point of mandating (or at least strongly encouraging) specific types of terms in contracts with parties that access or manage a company’s systems or data. Regulators are further extending their reach by mandating cybersecurity policy content and certain risk management practices for third-party provider arrangements.
Following the maxim that it’s better to light a candle than to curse the darkness, Kenneth N. Rashbaum of Barton LLP suggests practices for law firms to mitigate cybersecurity risks.