Category Archives: Cyber policy

U.S. Department of Homeland Security Launches First-Ever Cyber Safety Review Board

Earlier this week, the U.S. Department of Homeland Security (DHS) announced the establishment of the Cyber Safety Review Board (CSRB), as directed in President Biden’s Executive Order 14028 on Improving the Nation’s Cybersecurity. The CSRB is a public-private initiative that will bring together government and industry leaders to elevate U.S. cybersecurity.

The CSRB will review and assess significant cybersecurity events, so that government,… More

Biden Issues Memorandum Aimed at Improving Cybersecurity

On July 28, 2021, President Biden issued a Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.  The Memo recognizes that the protection of the nation’s critical infrastructure lies not only with government, i.e., at the federal, state, local, tribal, and territorial levels, but with critical infrastructure owners and operators.  In addition, the Memo states that cybersecurity threats to critical infrastructure, and the systems that control and operate it,… More

Cybersecurity and Infrastructure Security Agency Identifies Essential Critical Energy Infrastructure Workers During COVID-19 Response

On March 19, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) issued its Memorandum on Identification of Essential Critical Infrastructure Workers During COVID-19 Response (“Memo”).  The Memo identifies workers who conduct “a range of operations and services that are essential to continued critical infrastructure viability” and who support a wide spectrum of industries such as medical and healthcare, telecommunications, information technology systems, defense, and energy.

As provided by the Homeland Security Act of 2002,… More

Countdown to CCPA: Foley Hoag Podcast Series Number 3

Companies that have already done the work to become GDPR-compliant are a step ahead, but all companies that collect California users’ personal information or just do business in California should check to see whether they are obligated to comply with the CCPA. Foley Hoag’s Privacy & Data Security practice group has more than a decade of experience and deep knowledge in domestic and international privacy law. Our CCPA team, with lawyers admitted to practice in California,… More

Watch – Best Practices: Terms of Service and Privacy Policies

Terms of service and privacy policies form the primary legal agreement between your organization and anyone who visits your website, downloads your app, or subscribes to your platform. These agreements are ubiquitous, yet often overlooked by start-ups and established companies alike. And with new privacy laws like GDPR and CCPA affecting businesses globally, understanding how these laws affect your policies and terms is crucial for doing business.

Foley Hoag attorneys Christopher Hart and Jessica Turko present a webinar discussing how companies can mitigate risk when drafting terms of service and privacy policies.… More

New Cayman Islands Data Protection Law, 2017 Coming into Effect

Investment advisers and managers of private investment funds organized in the Cayman Islands should take note that on September 30, 2019, the Data Protection Law, 2017 (the “DPL”), is set to come into effect.

In general terms, this will bring the Cayman Islands into line with many other countries that have recently enacted enhanced data privacy laws, including the European Union’s GDPR. The DPL is designed to protect individuals’ data and give them greater control over its use.… More

Beyond the Privacy Policy:  Toward Effective Data Governance

Shifting how businesses think about privacy.

Let’s stop thinking about privacy policies alone, and let’s start thinking about data governance plans.

For the ordinary business trying to generate revenue and minimize risk, having to think about data privacy can be both a nuisance and a headache.  Generally, it’s easy to want to think about privacy as something that can be dealt with using minimal resources—by updating a template privacy policy and posting it on a website,… More

Colin Zick and Chris Hart to Speak at MassTLC Policy and CyberMA Seminar

New Trends in Data Privacy: GDPR, CCPA and Beyond

Changes to data privacy laws and regulations continue to happen at a rapid clip. Join Foley Hoag’s Colin Zick and Chris Hart for a question and answer discussion about recent GDPR enforcement actions, the latest status on the California Consumer Privacy Act, recent changes to the Massachusetts data breach statute, and what other changes are in store nationally and internationally in the world of privacy and data security.… More

Is it weird not to have a privacy policy? (And other thoughts on privacy policy best practices.)

You probably are employed by an organization that has a website privacy policy. I am. That’s because most organizations process personal information through their websites in some way, such as through online forms that ask you to sign up for newsletters or marketing promotions.

What if your organization doesn’t process any personal information through its website? What if you run a B2B startup and just have an informational website that tells the public about what you do,… More

FERC and NERC Talk Grid Resilience and Cybersecurity

On March 22, 2019, Foley Hoag hosted the New England Electricity Restructuring Roundtable, organized by Raab Associates. The roundtable featured keynote addresses by Federal Energy Regulatory Commission (“FERC”) Commissioner Cheryl LaFleur—who recently announced she will be stepping down later this year—and North American Reliability Corporation (“NERC”) CEO and President James Robb. Both took turns addressing the most pressing issues in energy. … More

Partner Matt Miller Publishes Article on Minimizing Litigation Risk in Cybersecurity Audits

Data breaches have become an all-consuming topic of late. Stories about data theft dominate political headlines, boardroom discussions and family meetings around the dinner table. They, of course, have also been the subject of government investigations and private litigation.

The current environment is not unlike other moments in the recent past that seem to have captured the attention of Wall Street, K Street and Main Street, including the financial reporting scandals of the early 2000s.… More

Partner Colin Zick Discusses Why Law Firms Are Building State Privacy Practices as Enforcement Heats Up with Bloomberg Law

Partner Colin Zick speaks to Bloomberg Law about how big law firms are expanding their state-focused practices to help clients deal with heavy state fines for alleged privacy violations.

Companies are turning to state-centric practices “because they see the threats from individual state enforcers,” Zick said. They want expertise from former officials, like former Massachusetts Attorney General Martha Coakley, who know the proper approach to limit enforcement risks,… More

GDPR Creates Rugby Scrum

In a recent trip to Ireland, I was surprised to see two subjects that Ireland is known for — GDPR and rugby — coming into conflict.   As reported in the Sunday Business Post, World Rugby was lobbying the Irish government to create new data protection laws to address the interaction of anti-doping testing and the laws regarding transfer of data among and between different countries.  … More

China Expands Its Cybersecurity Regulations

As noted recently in the Wall Street Journal, “New cybersecurity rules will give Chinese authorities sweeping powers to inspect companies’ information technology and access proprietary information—steps that are likely to deepen concerns among foreign businesses about their China operations.”  These regulations were issued pursuant to the Cybersecurity Law of the People’s Republic of China, which came into force on June 1, 2017.… More

Senator Warner’s White Paper Gives Congress Options for Regulating Social Media and Technology Companies

Senator Mark Warner of Virginia has released a white paper outlining policy proposals for regulating social media and technology companies. The paper has gained significance in recent weeks as pressure builds on Congress to pass federal data privacy legislation. In the wake of Europe’s GDPR and California’s Consumer Privacy Act, industry groups, tech companies, and privacy activists alike have urged Congress to act.… More

California Amends its Consumer Privacy Act

On September 23, 2018, California Governor Jerry Brown signed into law SB-1121, a bill that makes several amendments to the Golden State’s landmark Consumer Privacy Act (“CCPA”). California enacted the CCPA in June after legislators reached a last-minute compromise with a group of privacy activists who would have put a more stringent data protection measure on the November ballot. Given the hasty enactment of the law,… More

California Passes New Data Privacy Law With National Implications

The California Consumer Privacy Act of 2018 (the “CCPA”) was signed into law on June 28, 2018. Although it is a state law, it has national and international ramifications. Here are some key aspects to be aware of.

1. Effective date

The law is slated to go into effect on January 1, 2020. However, the California State Legislature has the option of offering amendments to alter the law between now and its effective date,… More

GDPR: Q&A for Investment Advisers and Private Fund Managers

As many of you may already be aware, the European GDPR goes into effect during May 2018. Below are some frequently asked questions and answers about GDPR as a short guide to assist investment advisers and private fund managers with initial GDPR analysis.

What is GDPR?

It is the new General Data Protection Regulation (GDPR) adopted by the European Union that is intended to protect the “personal data” of natural persons in the European Union.… More

New SEC Guidance Addresses Disclosure Requirements for Breach Events

As the SEC has made clear on numerous occasions over the past year, cybersecurity will continue to be a major enforcement priority under the Commission’s new leadership.  As we have previously covered, one new area of potential enforcement activity that the SEC has warned about concerns the failure of public companies to make disclosures regarding material cyber events.  While the SEC had previously provided some guidance to publicly traded companies about when to disclose such events,… More

High Security: How to Minimize Marijuana Data Risks

As we’ve blogged in the past, the cannabis industry is particularly susceptible to cyberattacks. With threats like a federal crackdown and workplace drug testing, customers have a vested interest in keeping their information private. Unfortunately, the newly-legal cannabis industry has limited experience with data security. While traditional industries have the benefit of expertise and mature regulatory oversight to foster best cybersecurity practices,… More

General Data Protection Regulation: What It Means For US Healthcare/Life Science Companies (Part Two)

This is the second post in a three-part series designed to provide a summary of some of the GDPR features that are likely to have the most substantial impact on healthcare/life science related businesses. (Links for Part One and Part Three)

New General Features of the GDPR

Some of the GDPR general features may be of particular interest for companies in the healthcare/life science sectors.… More

General Data Protection Regulation: What It Means For US Healthcare/Life Science Companies (Part One)

This is the first post in a three-part series designed to provide a summary of some of the GDPR features that are likely to have the most substantial impact on healthcare/life science related businesses. (Links for Part Two and Part Three)

The clock is ticking: on May 25, 2018, in less than a year from now, the General Data Protection Regulation (“the GDPR”) will apply in all Member States of the European Union (“EU”) and will replace the Directive 95/46/CE (“the Directive”).… More

Webinar on September 13: Privacy and Data Security for the Generalist In-House Counsel

Privacy and data security have rocketed to the top of the list of concerns for all corporate boards. Whether you are a technology company, a biotech, or a traditional widget maker, your company has confidential information about its products, customers and employees. And that information has to be protected as a matter of law, both by statute and under contracts with your customers and suppliers.… More

Can Procurement Law Slow Down Data Breach Response? A Closer Look.

What happens when state and local governments respond to significant data breaches?  They often turn to the private sector for breach response capabilities in order to mitigate damages.  Speed is the name of the game, and state and local governments often move with alacrity to save face.

But what about procurement laws?

The rush to hire sophisticated private entities to support data breach response efforts is in tension with statutory competitive bidding mandates. … More

Top U.S. Cyber Official Resigns

Christopher Painter, the State Department’s “Coordinator for Cyber Issues,” stepped down on July 28, 2017. Described as the Department’s “weary soldier in America’s cyber war,” Painter traveled the globe advancing U.S. interests in cyberspace. His efforts included coordinating diplomacy in cyber security matters and launching “cyber dialogues” with foreign powers. The aim of those dialogues: reducing cyber threats ranging from D-DOS attacks to the theft of intellectual property.… More

New Duties for Lawyers? The ABA Weighs In on Cybersecurity.

Recently, the ABA Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 477, which aims to provide guidance and clarity to lawyers as they consider what level of security to give communications with clients.  (I was recently interviewed by Massachusetts Lawyers Weekly on this topic, and you can read the full article here; please note that the article is behind a paywall.)

The bottom line?  … More

Data Security Under Commissioner Ohlhausen: What You Need to Know

The Federal Trade Commission (FTC) has been a critically important regulator of cybersecurity practices in the US, using its authority under Section 5 of the FTC Act to bring enforcement actions against companies for failing to protect their consumers’ private data. This past January, Trump appointed Republican Maureen Ohlhausen as the Commission’s new acting chairwoman. Here’s what you need to know about her approach to data security.… More

HHS to Launch Cybersecurity Center

The Department of Health and Human Services (HHS) will soon launch a healthcare-focused cybersecurity initiative modeled on the Homeland Security Department’s National Cybersecurity and Communications Integration Center (NCCIC).  Christopher Wlaschin, Chief Information Security Officer at HHS, announced this development at the 2017 ACT-IAC Health IT-Mobile Forum on April 20.  According to Wlaschin, the new center, to be called the Health Cybersecurity and Communications Integration Center (HCCIC), would seek to reduce the extensive “noise” in the health care industry about cyber threats and to analyze and “deliver best practices and the two or three things that a small provider,… More

CyberOhio Initiative – An Update from the Ohio AGO

We recently posted on the Ohio Attorney General’s CyberOhio initiative and forecasted that the Ohio Attorney General might be the first of many Attorneys General to join forces with industry in the struggle to protect consumer information.  Ohio Deputy General Counsel Craig Rapp, Director of CyberOhio, contacted our blog not only to agree with our prediction, but also to shed more light on what is transpiring in his state. … More

Is Computer Security Broken?

The Economist certainly thinks computer security is broken (and it’s hard to argue the contrary).  In its April 8 edition, The Economist’s cover story proclaims, “Why computers will never be safe.”  While that’s good news for some of us (at least in the short run), for most of us it’s a daunting proposition.  So how to address the problem?  Do we need more regulation, as The Economist suggests? … More

Trump Meets Xi: Will They Talk Cybersecurity?

President Trump has repeatedly claimed that his predecessor was weak on China. But at least with respect to cybersecurity, the facts don’t support that charge. In 2015, “following all-night negotiations,” Robert Silvers writes, the United States convinced China to sign on to a joint commitment against “cyber enabled theft of intellectual property.” Ever since, China’s hacking of U.S. companies has dropped off dramatically. Next month,… More