In Case You Missed It: The Federal Trade Commission has opened a public comment period to evaluate its Safeguards Rule (16. C.F.R. § 314.3). Under the Gramm-Leach-Bliley Act (GLBA), which regulates financial institutions, the FTC is empowered to promulgate regulations governing how financial institutions secure consumer information. The Safeguards Rule, as currently in force, does not have specific “how-to” requirements, but rather broad and flexible standards that financial institutions can use as guidelines in assessing risks to the data they maintain and in developing viable security plans. Through public comment, the FTC states that it seeks to better understand the Rule’s economic impact, conflict with state and other federal regulations, and the effect of the Rule on changes within the industry.
News of Note: The United States has a CISO. Retired Air Force General Gregory Touhill was appointed federal chief information security officer on September 9, the first person ever to have such a role. Creation of the position was announced by the White House earlier this year as part of its “Cybersecurity National Action Plan” (CNAP). According to the CNAP, Touhill’s role will be “to drive cybersecurity policy, planning, and implementation across the Federal Government.” Touhill recently held the post of Deputy Assistant Secretary for Cybersecurity and Communications at the Department of Homeland Security, and is no doubt uniquely suited for this first-of-its-kind role. Among Touhill’s priorities will be the development of a national cyber incident response plan. The appointment comes in the midst of increasing concern about the threat and scope of “cyberwar” and debates within the White House about how to manage issues relating to cybersecurity and cyberwarfare.
Practice Tip of the Week: Worried about a lawsuit stemming from a data breach? Know your team ahead of time. You might need an experienced litigator (especially one knowledgeable about consumer class actions); someone who can deal with law enforcement and federal and state regulators; and someone who can vet and review your policies and contracts. Developing relationships early by having a trusted lawyer help write and review your written information security policies and data breach response plans can save you time later and let you breathe easier.